
DMVPN allows data exchange over a secure network without relying on a headquarters VPN server or router. Where a traditional VPN acts as a connector between remote sites and HQ, or between different branches, DMVPN creates a VPN mesh that can be applied selectively to connections the business is already using. Each site (or spoke) can connect securely to any other. This is done using VPN firewall concentrators and routers, with DMVPN configuration on the routers at remote sites allowing the mesh to be applied to whatever connection a router is making at the time.

DMVPN Phase 1 uses hub-and-spoke tunnel deployment. Tunnels are built only between the central DMVPN hub and the individual spokes, so inter-branch connections pass through the hub, much like a traditional VPN system.
DMVPN Phase 2 uses spoke-to-spoke tunnel deployment, meaning that data doesn’t have to travel to a central hub first, so long as specific routes are in place for the spoke subnets.
DMVPN Phase 3 also allows spoke-to-spoke tunnel deployment, but without the specific pre-made routes; instead, it uses NHRP traffic indication messages from the hub to secure those routes on the fly.
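
To make the difference between the phases concrete, here is a Phase 3 hub and spoke tunnel in Cisco IOS-style configuration, with comments marking what changes for Phases 1 and 2. This is an added example, not configuration from the original post. Assumptions: all addresses, the interface names and the profile name DMVPN-PROF are constructed, and IKE authentication (keys or certificates) is configured separately.

```cisco
! --- Shared on hub and spokes: encrypt the GRE tunnel with IPsec ---
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! --- Hub (constructed: tunnel 10.0.0.1, public address 192.0.2.1) ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 1
 ! Learn spokes dynamically as they register
 ip nhrp map multicast dynamic
 ! Phase 3 only: send NHRP traffic indication when spoke-to-spoke
 ! traffic is seen hairpinning through the hub
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! --- Spoke (constructed: tunnel 10.0.0.2) ---
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp network-id 1
 ! Register with the hub (next-hop server) at its public address
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ! Phase 3 only: accept the hub's indication and install a
 ! shortcut route to the other spoke on the fly
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 ! Phases 2 and 3: multipoint GRE lets the spoke build tunnels
 ! to other spokes as well as the hub
 tunnel mode gre multipoint
 ! Phase 1 instead: omit "tunnel mode gre multipoint" and pin the
 ! tunnel to the hub with "tunnel destination 192.0.2.1"
 tunnel protection ipsec profile DMVPN-PROF
!
! Phase 2: same mGRE spoke tunnel, but without "ip nhrp redirect"
! on the hub and "ip nhrp shortcut" on the spoke; the spokes need
! specific routes to each other's subnets in their routing tables.
```

On a running router, `show dmvpn` and `show ip nhrp` list the registered peers and any dynamically built spoke-to-spoke entries, which is how to check which phase behaviour is actually in effect.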
Hub and Spoke Network Architecture
As mentioned, the Hub and Spoke Network Architecture is a way to efficiently manage the endpoints that are being secured. There are three different phases, each suited to different configurations. In general, however, the hub is used to configure the protocols by which the connections are secured, and these protocols are then applied to the spokes (or endpoints) of the network. This system can be centralized to ensure that all spoke-to-spoke tunnels first go through the hub, or it can be decentralized to cut the hub out entirely.