what is the difference between dmvpn and flexvpn

paul snoep
Level 1

Hi,

Full mesh in the network using ISR and DMVPN. Security needs to improve - no firewall between the connections - therefore I feel they need to move to FlexVPN on CE ISR to central ASA from the -X series.

I know migrating from DMVPN to FlexVPN should be easy, however I cannot find a trace of the real reason why we need to go forward with FlexVPN.

- IKEv2 for FlexVPN vs IKEv1 for DMVPN

- ASA as the endpoint for the FlexVPN

- ...

Pros/cons anyone? Caveats?

Thanks

Accepted Solution

Nilo Noguera
Level 5

FlexVPN is a newer "solution" for deployment of VPNs and for this you must have newer hardware to support the versions of IOS code which offer FlexVPN features. DMVPN is an option on almost every Cisco router, provided you are running a version of code which came out in the last decade. For the platforms supported by Cisco Flex VPN, please check Table 1 on the link below:

http://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/data_sheet_c78-704277.html

FlexVPN is based on these same fundamental technologies:

IPsec: Unlike the default in DMVPN, IKEv2 is used instead of IKEv1 to negotiate IPsec SAs. IKEv2 offers improvements over IKEv1, starting with resiliency and ending with how many messages are needed to establish a protected data channel.

GRE: Unlike DMVPN, static and dynamic point-to-point interfaces are used, and not only one static multipoint GRE interface. This configuration allows added flexibility, especially for per-spoke/per-hub behavior.

NHRP: In FlexVPN NHRP is primarily used to establish spoke to spoke communication. Spokes do not register to hub.

Routing: Because spokes do not perform NHRP registration to the hub, you need to rely on other mechanisms to make sure hub and spokes can communicate bi-directionally. Similar to DMVPN, dynamic routing protocols can be used. However, FlexVPN allows you to use IPsec to introduce routing information. The default is to introduce a /32 route for the IP address on the other side of the tunnel, which will allow spoke-to-hub direct communication.

In a hard migration from DMVPN to FlexVPN the two frameworks do not work at the same time on the same devices. However, it is recommended to keep them separate.

Separate them on several levels:

* NHRP - Use different NHRP network ID (recommended).

* Routing - Use separate routing processes (recommended).

* VRF - VRF separation can allow added flexibility but will not be discussed here (optional).

Spoke FlexVPN configuration

One of the differences in spoke configuration in FlexVPN as compared to DMVPN, is that you have potentially two interfaces.

There is a necessary tunnel for spoke to hub communication and optional tunnel for spoke to spoke tunnels.

If you choose not to have dynamic spoke to spoke tunneling and would rather that everything goes through hub device, you can remove the virtual-template interface and remove NHRP shortcut switching from the tunnel interface.

You will also notice that the static tunnel interface has an IP address received based on negotiation. This allows the hub to provide tunnel interface IP to spoke dynamically without the need to create static addressing in the FlexVPN cloud.

FlexVPN Hub configuration

Typically a hub will only terminate dynamic spoke-to-hub tunnels. This is why in the hub's configuration you will not find a static tunnel interface for FlexVPN, instead a virtual-template interface is used. This will spawn a virtual-access interface for each connection.

Note that on hub side you need to point out pool addresses to be assigned to spokes.

Addresses from this pool will be added later on in the routing table as /32 routes for each spoke.

Known Caveats

- Spoke to spoke traffic might be affected by Bug code CSCub07382.

CSCub07382 Description:

In a FlexVPN spoke-to-spoke scenario, the NHRP cache entry for the other spokes gets deleted once the NHRP cache time expires, even though there is continuous traffic flowing through the spoke-to-spoke tunnel. Then, the traffic starts flowing through the hub, until we clear the NHRP cache.

Tac Repro - Available.

Failed Versions - From 15.2.2.T till the latest weekly release 15.3.0.4.T

Thank you for the opportunity to assist you.

Best regards,

"Nilz"

Nilo Noguera

.:|:.:|:. Specialist, Cisco Global Virtual Engineering - Cisco Partner Help

http://www.cisco.com/web/partners/tools/ph.html

"niLz" Nilo Noguera Jr. | Specialist, Virtual Engineering - Partner Helpline Organization together we are the human network
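A minimal spoke and hub configuration that puts the points above side by side: the spoke's mandatory static tunnel with a negotiated address, its optional virtual-template for spoke-to-spoke tunnels, the hub's virtual-template plus address pool, the /32 routes exchanged through IKEv2 instead of NHRP registration, and a distinct NHRP network ID so the FlexVPN cloud stays separate from a legacy DMVPN cloud during migration. This is an added example, not configuration from the original post or from Cisco; the interface names, the 192.0.2.1 hub address, the 10.0.0.0/24 pool, network-id 2, the object names and the pre-shared key are all assumptions or placeholders.

```cisco
! ---- SPOKE (constructed example; all names, addresses and IDs are assumptions) ----
aaa new-model
aaa authorization network default local
!
crypto ikev2 proposal FLEX-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy FLEX-POL
 proposal FLEX-PROP
!
crypto ikev2 keyring FLEX-KEYS
 peer HUB
  address 192.0.2.1
  pre-shared-key PLACEHOLDER-PSK
!
! Install the /32 for the hub's tunnel address that IKEv2 pushes during the exchange
crypto ikev2 authorization policy FLEX-AUTHOR
 route set interface
 route accept any
!
crypto ikev2 profile FLEX-IKEV2
 match identity remote address 192.0.2.1 255.255.255.255
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list default FLEX-AUTHOR
!
crypto ipsec transform-set FLEX-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile FLEX-IPSEC
 set transform-set FLEX-TS
 set ikev2-profile FLEX-IKEV2
!
! Mandatory static spoke-to-hub tunnel; its address is negotiated from the hub's pool.
! network-id 2 keeps it apart from a legacy DMVPN cloud that would use network-id 1.
interface Tunnel0
 ip address negotiated
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile FLEX-IPSEC
!
! Optional: one virtual-access is cloned from this template per spoke-to-spoke tunnel.
! Remove this interface and the 'ip nhrp shortcut' line above to force everything via the hub.
interface Virtual-Template1 type tunnel
 ip unnumbered Tunnel0
 ip nhrp network-id 2
 ip nhrp shortcut virtual-template 1
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-IPSEC
!
! ---- HUB (repeat the same proposal/policy, transform set and IPsec profile as the spoke) ----
ip local pool FLEX-POOL 10.0.0.2 10.0.0.254
!
crypto ikev2 keyring FLEX-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key PLACEHOLDER-PSK
!
! Each spoke gets an address from the pool; the hub installs that address as a /32 route
crypto ikev2 authorization policy FLEX-AUTHOR
 pool FLEX-POOL
 route set interface
!
crypto ikev2 profile FLEX-IKEV2
 match identity remote address 0.0.0.0
 authentication local pre-share
 authentication remote pre-share
 keyring local FLEX-KEYS
 aaa authorization group psk list default FLEX-AUTHOR
 virtual-template 1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! No static tunnel on the hub: a virtual-access is spawned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nhrp network-id 2
 ip nhrp redirect
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile FLEX-IPSEC
```

After a spoke comes up, `show crypto ikev2 sa` should list the session, `show ip route` on the spoke should show the hub's 10.0.0.1/32 and on the hub the spoke's pool address as a /32, and `show ip nhrp` after spoke-to-spoke traffic shows the shortcut entries, which is where the cache-expiry caveat described above would become visible. The pre-shared key is used here only to keep the example short; the same profiles work with `authentication remote rsa-sig` and a PKI trustpoint, which scales better than a shared key across a full mesh.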


5 Replies

Hi,

Great - this helps.

Many thanks

Paul

Can we use FlexVPN as a simple overlay without any IPsec applied to the tunnels?

The use case here is that no IPsec is required; we simply need an overlay to hide the underlying network, as is done in Cisco IWAN.

Thanks and Regards

Arun

Hi Arun,

The strongest point justifying the use of FlexVPN is increased security, far more than NHRP or routing reasons. If you just need an overlay network with no encryption, then you should go for other technologies (depending on the topology you are working on). An mGRE tunnel would fit just fine, but again, you need strong and deep consideration of your design.

As far as I know, FlexVPN is tied to some sort of IPsec tunneling, so I guess the answer in short is no.

Hope this helps

A.

Well said Ale