Dynamic Multipoint VPN (or DMVPN) is a complex topic, but it’s a security configuration that lets businesses with a wide range of remote endpoints (or flexible endpoints that change location often) keep their network security in place, while making sure it stays flexible and not prohibitive in cost.
Multipoint GRE tunnel interfaces: a single GRE interface that can support several IPsec tunnels, reducing the overall scope of the DMVPN configuration
IPsec tunnel endpoint discovery: static crypto maps between individual IPsec tunnel endpoints do not have to be configured
Routing protocols: these allow the DMVPN to find routes between different endpoints much more effectively
NHRP: this can deploy spokes with assigned IP addresses that the central DMVPN hub can then connect to.
There are three distinct types, or phases, of DMVPN design, all of which can be found in the Cisco DMVPN design guide. To summarize them briefly, they are as follows:
DMVPN Phase 1 uses hub-and-spoke tunnel deployment. The tunnels that carry inter-branch connections are built only between the central DMVPN hub and the individual spokes, working much like a traditional VPN system.
DMVPN Phase 2 uses spoke-to-spoke tunnel deployment, meaning that data doesn’t have to travel to a central hub first, so long as there are specific routes in place for the spoke subnets.
DMVPN Phase 3 also allows spoke-to-spoke tunnel deployment, but without the specific pre-made routes in place; instead it uses NHRP traffic indication messages from the hub to secure those routes on the fly.