DMVPN over MPLS

We are migrating from Frame Relay to MPLS WAN services, to interconnect about 25 remote sites.

Is it possible to deploy DMVPN to connect the remote sites using a tunnel?

I have heard about using GET VPN instead of DMVPN over MPLS, what's the difference between them?

thanks in advance

Accepted Solution

johnlloyd_13
Level 9

hi,

as per my SECURE notes, it looks like GET VPN is ideal for MPLS. and yes, DMVPN is tunnel-based.

kindly see the differences between the two VPN technologies and a summary of each one's features.

* Cisco Dynamic Multipoint VPN (DMVPN): DMVPN is based on a hub-and-spoke configuration but allows spoke-to-spoke tunnels to be dynamically and automatically provisioned. Configuration scalability is high because only spoke-to-hub peering needs to be configured, and as long as PKI is used for authentication, authentication scalability is high as well. DMVPN can be used in hub-and-spoke, partial mesh, and full mesh environments. It is also adequate for connections that traverse public networks, such as the Internet, because it supports IP tunnels.

* Cisco GET VPN: Cisco GET VPN uses a mixed encapsulation in which the IP addressing of the packets does not get changed as it is encapsulated. Because of this, it can only be deployed over networks that can route the internal addresses, such as Multiprotocol Label Switching (MPLS) or private WAN circuits. GET VPNs cannot be deployed over the Internet because of this. Cisco GET defaults to a full mesh topology with a small number of policy/authentication hubs called key servers. Because of this, Cisco GET provides high configuration and authentication scalability.

| Criterion | DMVPN | GET VPN |
| --- | --- | --- |
| Encapsulation | Tunneled IPsec | Non-tunneled IPsec |
| Configuration scalability | High for any device | High for any device |
| Authentication scalability | High with PKI | High with PSK or PKI |
| Suitable topologies | Hub-and-spoke/Partial Mesh | Full mesh |
| Suitable transport networks | Any, including the Internet | Private WAN or MPLS, no Internet |
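An added illustration of the "Encapsulation" and "Suitable transport networks" rows above (not part of johnlloyd_13's post and not Cisco code): it builds the outer IPv4 header each approach puts on the wire and checks what a transit router would have to route. The model is simplified (no GRE, no real encryption), and the addresses and function names are constructed for the example.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number for ESP
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def outer_addresses(packet):
    """Source/destination of the outermost header: what the transport routes on."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))

def esp_wrap(outer_src, outer_dst, inner_packet):
    # ESP header is SPI + sequence number; the inner packet stands in for
    # ciphertext (assumption: encryption itself is not modelled here).
    esp = struct.pack("!II", 0x1000, 1) + inner_packet
    return ipv4_header(outer_src, outer_dst, ESP, len(esp)) + esp

def dmvpn_encapsulate(inner_packet, tunnel_src, tunnel_dst):
    """Tunneled IPsec: the outer header carries the routers' WAN-facing addresses."""
    return esp_wrap(tunnel_src, tunnel_dst, inner_packet)

def getvpn_encapsulate(inner_packet):
    """Address-preserving: the outer header reuses the inner source/destination."""
    src, dst = outer_addresses(inner_packet)
    return esp_wrap(src, dst, inner_packet)

def routable_over(packet, transport):
    """'mpls' (private WAN) is assumed to carry the internal routes;
    'internet' cannot route RFC 1918 outer addresses."""
    if transport == "mpls":
        return True
    return not any(ipaddress.ip_address(a) in net
                   for a in outer_addresses(packet) for net in RFC1918)

if __name__ == "__main__":
    # Constructed sample: LAN host to LAN host, documentation-range WAN addresses.
    inner = ipv4_header("10.1.1.10", "10.2.2.20", 6, 0)
    for name, pkt in (("DMVPN", dmvpn_encapsulate(inner, "198.51.100.1", "203.0.113.1")),
                      ("GET VPN", getvpn_encapsulate(inner))):
        print(name, outer_addresses(pkt),
              {t: routable_over(pkt, t) for t in ("mpls", "internet")})
```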

hi John,

I have a customer who wants to deploy a Metro-E among all sites. But, when I see what he wants I saw he wants to deploy DMVPN over that Metro-E as well. My question is: is this ok? I mean, Metro-E is not secured already? What should he deploy DMVPN on that metro connection for?

I have read a lot of papers and I saw that DMVPN is good to be deployed to secure connections over internet, as backup or over a MPLS VPN (also GETVPN) so I'm confused with this.

Regards

hi,

yes, you can deploy DMVPN over any transport network including Metro E circuits.

even though Metro E is a dedicated point-to-point circuit, it would still traverse the ISP/public network, so yeah you would still want to encrypt your customer's sensitive data.

DMVPN happens to be one of the styles or design approaches by which you could secure your network but there are several out there.
