11-15-2009 12:41 PM - edited 03-04-2019 06:43 AM
Hi Netpro
Need a comparison between DMVPN vs. GRE + IPsec. Looking for real-life pros & cons between them?
11-15-2009 02:39 PM
Hello Pratik,
DMVPN = point-to-multipoint GRE + IPsec
GRE + IPsec = point-to-point GRE + IPsec
DMVPN requires deploying a certification authority server; using a single shared key is not secure enough.
We can say that DMVPN is harder to deploy but far easier to maintain, and it should be a winning choice if the number of remote sites increases over time.
The hub router configuration doesn't need to be changed when a new remote site has to be added; this also helps with scalability.
DMVPN disadvantage: it is Cisco proprietary.
Point-to-point GRE and IPsec is easier to set up but harder to maintain: adding a new remote site requires configuration on the hub and on the new remote.
Also, when making changes there are some errors that can impact multiple remote sites: if, for example, a crypto map block invokes a non-existing ACL, this is seen as a "permit ip any any" and breaks connectivity to all remote sites configured in the following crypto map blocks.
It is enough to delete an ACL to cause this.
A possible advantage is that it is possible to accommodate a remote peer that has different authentication and encryption capabilities, and non-Cisco devices.
Hope to help
Giuseppe
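To make the hub-side difference concrete, here is an added example (not configuration from the thread or from any Cisco document) showing the two designs the reply compares. Everything in it is assumed for illustration: the public addresses are from the 203.0.113.0/24 documentation range, the tunnel addressing, interface names, key strings, ACL and map names are made up, the cipher choices are only placeholders, and routing protocol and spoke-side configuration are left out. Part (A) is a point-to-point GRE + IPsec hub where each spoke needs its own tunnel interface, ISAKMP key, ACL and crypto map entry; part (B) is a DMVPN hub with one mGRE tunnel, NHRP and tunnel protection, to which spokes register without any hub change. The comment at the end of (A) points at the deleted-ACL failure mode the reply describes.

```cisco
! ===== (A) Point-to-point GRE + IPsec hub (assumed addressing) =====
! One tunnel, one ISAKMP key, one ACL and one crypto map entry per spoke.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key Spoke1Key address 203.0.113.11
crypto isakmp key Spoke2Key address 203.0.113.12
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! The crypto ACLs select the GRE packets of each tunnel for encryption.
ip access-list extended GRE-TO-SPOKE1
 permit gre host 203.0.113.1 host 203.0.113.11
ip access-list extended GRE-TO-SPOKE2
 permit gre host 203.0.113.1 host 203.0.113.12
!
crypto map SPOKES 10 ipsec-isakmp
 set peer 203.0.113.11
 set transform-set TS
 match address GRE-TO-SPOKE1
crypto map SPOKES 20 ipsec-isakmp
 set peer 203.0.113.12
 set transform-set TS
 match address GRE-TO-SPOKE2
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.11
interface Tunnel2
 ip address 10.0.2.1 255.255.255.252
 tunnel source 203.0.113.1
 tunnel destination 203.0.113.12
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map SPOKES
!
! Failure mode from the reply above: after
!   no ip access-list extended GRE-TO-SPOKE1
! entry 10 still references the missing ACL and, as described there,
! behaves like "permit ip any any", so spoke 2's GRE traffic never
! reaches entry 20.  Check which ACL each entry references with
!   show crypto map
! and whether spoke 2 still has SAs with
!   show crypto ipsec sa peer 203.0.113.12
!
! ===== (B) DMVPN hub: one mGRE tunnel + NHRP + tunnel protection =====
! Peers authenticate with certificates from a CA (assumed trustpoint),
! so no per-spoke key and no wildcard pre-shared key is needed.
crypto pki trustpoint CA
 enrollment url http://192.0.2.10:80
 revocation-check crl
crypto isakmp policy 10
 encryption aes
 authentication rsa-sig
 group 2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN
 set transform-set TS
!
! Nothing here names a spoke: new spokes register via NHRP and
! negotiate IPsec through the profile, so the hub is never touched.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! Registered spokes and their NBMA addresses:
!   show ip nhrp
!   show dmvpn
```

In (A) the blast radius of an edit is the whole crypto map, because entries are evaluated in order; in (B) the tunnel protection profile is bound to a single interface and there is no per-spoke ordering to get wrong, which is the maintainability argument the reply makes.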
11-15-2009 11:36 PM
Giuseppe,
In DMVPN, can we know the traffic utilization from the hub to a single spoke or to multiple spokes?
11-16-2009 04:49 AM
Hello Pratik,
>> In DMVPN, can we know the traffic utilization from the hub to a single spoke or to multiple spokes?
Not totally clear to me.
In DMVPN you can decide whether to allow dynamic spoke-to-spoke communication (DMVPN phase 2 and later), or to block it and have only spoke-to-hub communication.
In that case spoke-to-hub-to-spoke is required.
If you mean how you can monitor traffic volume to specific remote sites, that is a different matter.
Hope to help
Giuseppe
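The choice the reply describes, spoke-to-spoke allowed or hub-only, is made on the spoke's tunnel interface and in the hub's routing settings. The following is an added example, not configuration from the thread; addresses, names, the NHRP key and the EIGRP process number are assumed, and the `DMVPN` IPsec profile is taken to exist on every router. The first spoke uses a point-to-point GRE tunnel to the hub (phase 1 behaviour, everything transits the hub); the second uses multipoint GRE (phase 2, direct spoke-to-spoke tunnels built on demand). The hub snippets show the EIGRP next-hop handling that has to match each mode.

```cisco
! ===== Spoke, hub-and-spoke only (phase 1): point-to-point GRE =====
! With a fixed tunnel destination the spoke can only ever send to the
! hub, so spoke-to-spoke traffic is forced through it.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! Hub side for phase 1: re-advertise spoke prefixes to other spokes
! and keep the hub as their next hop (next-hop-self is the default).
interface Tunnel0
 no ip split-horizon eigrp 1
 ip next-hop-self eigrp 1
!
! ===== Spoke, dynamic spoke-to-spoke (phase 2): multipoint GRE =====
! mGRE lets the spoke build a tunnel to any NBMA address NHRP resolves.
interface Tunnel0
 ip address 10.0.0.11 255.255.255.0
 ip nhrp authentication nhrpkey
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN
!
! Hub side for phase 2: preserve the originating spoke as next hop so
! the receiving spoke resolves it through NHRP and goes direct.
interface Tunnel0
 no ip split-horizon eigrp 1
 no ip next-hop-self eigrp 1
!
! Verify on a spoke after sending traffic to another spoke's LAN:
!   show ip nhrp
!   show dmvpn
! Only in the phase 2 case does a dynamic entry for the other spoke
! appear; in phase 1 the only NHRP entry is the static one for the hub.
```

The security trade-off is that blocking spoke-to-spoke keeps every flow inspectable at the hub, while phase 2 moves inter-site traffic off the hub but also out of reach of any hub-side filtering or counting.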
11-16-2009 02:03 AM
Hello Giuseppe,
A very fine answer indeed. There is one thing I wanted to point out, though: DMVPN does not have to be implemented using IPsec. While of course every reasonable implementation of DMVPN uses IPsec for data confidentiality and integrity purposes, IPsec itself is just an add-on on top of the real DMVPN provided by NHRP and multipoint GRE tunnels.
Regarding whether it is proprietary: actually, all protocols used in DMVPN are open and described in RFCs. A different thing, though, is that I haven't seen any other vendor implementing them.
Best regards,
Peter
11-16-2009 04:46 AM
Hello Peter,
To be honest, I've reported what I've read in the forums.
I don't remember who noted this, but DMVPN is considered proprietary.
Other vendors probably have similar frameworks.
Hope to help
Giuseppe
11-16-2009 11:51 AM
Giuslar,
One of the considerations before moving to DMVPN would be to understand if it's possible to know the tunnel traffic between the hub and the different spokes.
In a simple IPsec over GRE tunnel, or with multiple tunnels, it is easy to identify the traffic size or bandwidth consumed.
In DMVPN, can we get the same?
11-17-2009 02:59 AM
Hello Pratik,
I think that modular QoS may help with this by providing a way to "count" traffic towards each remote site.
See
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html
and QoS for the Enterprise.
Hope to help
Giuseppe
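The "count with modular QoS" idea can be done with a classification-only policy on the hub's mGRE tunnel: one class per spoke LAN, no actions, so the policy changes nothing about forwarding and only populates counters. This is an added example, not from the thread or the linked guide; the spoke LAN prefixes, ACL, class and policy names are assumed, and the hub tunnel is the one named `Tunnel0`.

```cisco
! Hub: per-spoke byte/packet counters on the DMVPN tunnel (assumed prefixes).
! Spoke 1 LAN 10.1.0.0/24, spoke 2 LAN 10.2.0.0/24 are made up for this example.
ip access-list extended TO-SPOKE1
 permit ip any 10.1.0.0 0.0.0.255
ip access-list extended TO-SPOKE2
 permit ip any 10.2.0.0 0.0.0.255
ip access-list extended FROM-SPOKE1
 permit ip 10.1.0.0 0.0.0.255 any
ip access-list extended FROM-SPOKE2
 permit ip 10.2.0.0 0.0.0.255 any
!
class-map match-all SPOKE1-OUT
 match access-group name TO-SPOKE1
class-map match-all SPOKE2-OUT
 match access-group name TO-SPOKE2
class-map match-all SPOKE1-IN
 match access-group name FROM-SPOKE1
class-map match-all SPOKE2-IN
 match access-group name FROM-SPOKE2
!
! Classes with no action: the policy only classifies, so it is safe to
! attach to a production tunnel and serves purely as a counter.
policy-map COUNT-TO-SPOKES
 class SPOKE1-OUT
 class SPOKE2-OUT
 class class-default
policy-map COUNT-FROM-SPOKES
 class SPOKE1-IN
 class SPOKE2-IN
 class class-default
!
interface Tunnel0
 service-policy output COUNT-TO-SPOKES
 service-policy input COUNT-FROM-SPOKES
!
! Read the counters (packets, bytes, offered rate per class):
!   show policy-map interface Tunnel0
! Reset them for a fresh measurement window:
!   clear counters Tunnel0
```

Two caveats a practitioner should keep in mind: the counters are taken on the tunnel interface, so they reflect cleartext payload before GRE and IPsec overhead is added; and in a phase 2 design, spoke-to-spoke traffic never crosses the hub and will not show up here at all, so hub-side counting is only complete if spoke-to-spoke tunnels are disabled.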