In the context of the Designing Cisco Security Infrastructure (300-745 SDSI) blueprint, Dynamic
Multipoint VPN (DMVPN) is the specialized architectural solution designed for scalable
hub-and-spoke topologies that require the flexibility to evolve into partial or full mesh overlays.
DMVPN leverages a combination of Multipoint GRE (mGRE) tunnels, Next Hop Resolution Protocol (NHRP),
and IPsec encryption to create a dynamic environment.

The primary advantage of DMVPN is its ability to establish "on-demand" tunnels between spoke
sites. In a traditional hub-and-spoke model, traffic between two spokes must transit the hub, which
introduces latency and increases hub resource consumption. With DMVPN, spokes can use NHRP to
discover the public IP addresses of other spokes and build direct tunnels between them
automatically. This allows the pharmaceutical company to maintain a simple hub-and-spoke
management model while benefiting from the performance of a full mesh when traffic patterns
demand it.

While SSL VPNs (Option D) and L2TP (Option B) are excellent for individual remote access, they are
not designed for site-to-site mesh scalability. Crypto maps (Option C) represent the legacy method of
building IPsec tunnels, which requires static, manual configuration of every peer relationship—making
a full mesh practically impossible to manage at scale. DMVPN fulfills the Cisco SDSI objective
of designing highly available and flexible secure infrastructure by automating the complexity of
large-scale tunnel management.
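
The three building blocks named above (mGRE, NHRP, IPsec) map onto a hub and a spoke as in the following IOS configuration sketch, which is an added example and not part of the original explanation. It assumes the NHRP redirect/shortcut (Phase 3) style of spoke-to-spoke resolution, which the text does not specify, and omits the overlay routing protocol. All names, addresses (documentation ranges), interface names and keys are constructed placeholders.

```cisco
! ---- Common to hub and every spoke: IKEv2 + IPsec profile (constructed values) ----
! A wildcard pre-shared key is shown for brevity; per-device certificates avoid
! sharing one secret across all sites.
crypto ikev2 keyring DMVPN-KR
 peer ANY
  address 0.0.0.0 0.0.0.0
  pre-shared-key <PLACEHOLDER-PSK>
!
crypto ikev2 profile DMVPN-IKEV2
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local DMVPN-KR
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
! A profile, unlike a crypto map, names no peer: peers are learned through NHRP.
crypto ipsec profile DMVPN-PROT
 set transform-set DMVPN-TS
 set ikev2-profile DMVPN-IKEV2
!
! ---- Hub (NHRP next-hop server, public address 198.51.100.1) ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication <NHRPKEY>
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 ! Tell spokes a better path exists when traffic hairpins through the hub
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROT
!
! ---- Spoke (identical on every spoke except the tunnel IP) ----
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication <NHRPKEY>
 ip nhrp network-id 1
 ! Register with the hub: overlay 10.0.0.1 maps to public 198.51.100.1
 ip nhrp nhs 10.0.0.1 nbma 198.51.100.1 multicast
 ! Install the direct spoke-to-spoke path after an NHRP redirect
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROT
```

Adding a site touches only the new spoke; neither the hub nor existing spokes need a per-peer entry. `show dmvpn` and `show ip nhrp` list which tunnels are static registrations to the hub and which were built dynamically between spokes.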