Tech Blog and Case Studies

How we reduced a customer’s WAN expenses using DMVPN technology

Dynamic Multipoint VPN


This customer has headquarters in the US with 30 branch offices across the United States and other countries.  They have plans to open 10 more offices within the next 5 years.  The customer currently has T1, T3 and various OCx connections between the sites and the headquarters. The remote sites in other countries, such as India, use a static VPN to connect to the headquarters over the internet.

Our Solution:

Based on the customer requirements, VeeMost engineering team proposed a Dynamic Multipoint VPN (DMVPN) solution to the customer.

DMVPN is a Cisco software-based security solution for building scalable enterprise VPNs that support distributed applications such as voice, video and data.  DMVPN is widely used to combine enterprise branch, remote workers and Extranet connectivity.  Its main benefits are:

  • On-demand fully meshed connectivity with simple hub-and-spoke configurations
  • Automatic IP Security (IPsec) triggering for building spoke-to-spoke IPsec tunnels
  • “Zero-touch” deployment for adding remote sites
  • Reduced latency and bandwidth savings

In essence, DMVPN will allow this customer to connect all their remote offices together using any type of connection. This means that we can use internet connections such as cable, DSL, etc, as the WAN medium as opposed to the more expensive options such as T1. 

With DMVPN, the customer can actually save money by canceling all their point-to-point T1s, and frame-relay circuits. Using the internet, the remote sites would establish a DMVPN tunnel to the headquarters, which then allows each remote site to dynamically build a secure VPN tunnel with other remote sites.  We implemented a dual DMVPN hub topology to add redundancy to the design.

Network Hardware

The WAN architecture includes the following:

  • Cisco ISR 4451 routers  as the hub routers.
  • Cisco ISR 4351 or 4331 at the remote sites, with connection to the internet via ADSL, Ethernet, 3G, or other WAN services.  A DMVPN tunnel is established across the Internet, terminating into the head-end VPN routers at the Data Center in the headquarters.
  • We deployed 2 routers at each remote location for redundancy purposes.

VeeMost followed Cisco recommended best practices guidelines

  • Configured Triple DES (3DES) or AES for encryption of transported data
  • Increased performance by using hardware-acceleration to minimize router CPU overhead, latency and jitter.
  • Configured EIGRP routing protocol  with route summarization for dynamic routing.
  • Set up QoS service policies as appropriate on headend and branch router interfaces to help alleviate interface congestion issues and to attempt to keep higher priority traffic from drops.


  • Customer saved over $250,000 in wide area network costs by utilizing the internet as the medium to connect all their sites together.
  • Our solution reduced administrative overhead by making it easy to bring a new site online while standardizing the process of doing so.
  • VeeMost recommended, designed, planned, and implemented the entire solution with very minimal downtime, giving a much needed peace of mind to the customer.
  • We currently manage the customer’s network via our Managed Services Agreement, allowing the customer’s IT department to focus on other issues.

Need help with your DMVPN implementation? Contact us now