02-21-2013 05:09 PM - edited 03-04-2019 07:06 PM
We are migrating from Frame Relay to MPLS WAN services, to interconnect about 25 remote sites.
Is it possible to deploy DMVPN to connect the remote sites using a tunnel?
I have heard about using GET VPN instead of DMVPN over MPLS; what's the difference between them?
Thanks in advance.
02-22-2013 05:43 AM
Hi,
As per my SECURE notes, it looks like GET VPN is ideal for MPLS. And yes, DMVPN is tunnel-based.
Kindly see the differences between the two VPN-based technologies and a summary of each one's features.
* Cisco Dynamic Multipoint VPN (DMVPN): DMVPN is based on a hub-and-spoke configuration but allows spoke-to-spoke tunnels to be dynamically and automatically provisioned. Configuration scalability is high because only spoke-to-hub peering needs to be configured, and as long as PKI is used for authentication, authentication scalability is high as well. DMVPN can be used in hub-and-spoke, partial mesh, and full mesh environments. It is also adequate for connections that traverse public networks, such as the Internet, because it supports IP tunnels.
* Cisco GET VPN: Cisco GET VPN uses a mixed encapsulation in which the IP addressing of the packets does not get changed as they are encapsulated. Because of this, it can only be deployed over networks that can route the internal addresses, such as Multiprotocol Label Switching (MPLS) or private WAN circuits. GET VPNs cannot be deployed over the Internet because of this. Cisco GET defaults to a full mesh topology with a small number of policy/authentication hubs called key servers. Because of this, Cisco GET provides high configuration and authentication scalability.

| Criterion | DMVPN | GET VPN |
|---|---|---|
| Encapsulation | Tunneled IPsec | Non-tunneled IPsec |
| Configuration scalability | High for any device | High for any device |
| Authentication scalability | High with PKI | High with PSK or PKI |
| Suitable topologies | Hub-and-spoke/Partial Mesh | Full mesh |
| Suitable transport networks | Any, including the Internet | Private WAN or MPLS, no Internet |
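
The tunneled versus non-tunneled difference in the answer above, shown as remote-site IOS configuration. This is an added example, not part of the original post and not a Cisco reference design. All names, addresses (192.0.2.x and 10.x), the group identity number and the interface names are constructed; the IKE policy and the PKI trustpoint or pre-shared key are assumed to be configured already.

```cisco
! ===== Option A: DMVPN spoke (tunneled IPsec) =====
! Site traffic is routed into a multipoint GRE tunnel interface.
! The WAN only ever sees the outer source/destination (tunnel endpoints).
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set TS-AES
!
interface Tunnel0
 ! Constructed overlay subnet shared by hub and all spokes
 ip address 10.255.0.11 255.255.255.0
 ip nhrp network-id 1
 ! Only the hub is configured here; spoke-to-spoke tunnels are
 ! resolved through NHRP on demand, no per-spoke peer statements
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Option B: GET VPN group member (non-tunneled IPsec) =====
! No tunnel interface and no overlay addressing. The original IP header
! is preserved, so the MPLS core must be able to route the site prefixes.
crypto gdoi group GETVPN-GROUP
 ! Must match the identity number defined on the key server
 identity number 1234
 ! Key server address (constructed); it pushes policy and keys
 server address ipv4 10.0.0.5
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 ! Crypto map sits directly on the WAN-facing interface
 crypto map GETVPN-MAP
```

With Option B the traffic selectors and keys are downloaded from the key server at registration, which is why the group member carries no per-peer configuration.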
02-22-2013 03:32 AM
09-19-2013 09:04 AM
Hi John,
I have a customer who wants to deploy Metro-E among all sites. But when I looked at what he wants, I saw he wants to deploy DMVPN over that Metro-E as well. My question is: is this OK? I mean, isn't Metro-E already secured? What should he deploy DMVPN on that Metro connection for?
I have read a lot of papers and I saw that DMVPN is good to deploy to secure connections over the Internet, as a backup, or over an MPLS VPN (also GETVPN), so I'm confused by this.
Regards
09-19-2013 06:36 PM
Hi,
Yes, you can deploy DMVPN over any transport network, including Metro E circuits.
Even though Metro E is a dedicated point-to-point circuit, it would still traverse the ISP/public network, so yeah, you would still want to encrypt your customer's sensitive data.
DMVPN happens to be one of the styles or design approaches with which you could secure your network, but there are several out there.