DMVPN Vs GRE IPSEC

pshah.1979

Hi Netpro

Need a comparison between DMVPN and GRE IPsec. Looking for real-life pros & cons between them.

7 Replies

Giuseppe Larosa

Hello Pratik,

DMVPN = point-to-multipoint GRE + IPSec

GRE+ IPSec = point-to-point GRE + IPSec

DMVPN requires deploying a certification authority server; using a single shared key is not secure enough.

We can say that DMVPN is harder to deploy, but it is far easier to maintain and should be a winning choice if the number of remote sites increases over time.

The hub router configuration doesn't need to be changed when a new remote site has to be added; this also helps with scalability.

DMVPN disadvantage: it is Cisco proprietary.

Point-to-point GRE and IPsec is easier to set up but harder to maintain: adding a new remote site requires configuration on the hub and on the new remote.

Also, when doing changes there are some errors that can impact multiple remote sites: if, for example, a non-existing ACL is invoked in a crypto map block, this is seen as a permit ip any any and causes connectivity to all remote sites configured in the following crypto map blocks to be broken.

It is enough to delete an ACL to do this.

A possible advantage is that it is possible to accommodate a remote peer that has different authentication and encryption capabilities, and non-Cisco devices.

Hope to help

Giuseppe

Giuseppe,

In DMVPN, can we know the traffic utilization from the hub to a single spoke or multiple spokes?

Hello Pratik,

>> In DMVPN, can we know the traffic utilization from the hub to a single spoke or multiple spokes?

Not totally clear to me.

In DMVPN you can decide if you want to allow dynamic spoke-to-spoke communications (DMVPN phase 2 and later), or you can decide to block this and have only spoke-to-hub communication.

In this case spoke to hub to spoke is required.

If you mean how you can monitor traffic volume to specific remote sites, that is a different matter.

Hope to help

Giuseppe

Hello Giuseppe,

A very fine answer indeed. There is one thing I wanted to point out, though - the DMVPN does not have to be implemented using IPsec. While of course every reasonable implementation of DMVPN uses IPsec for data confidentiality and integrity purposes, the IPsec itself is just an add-on on top of the real DMVPN provided by NHRP and multipoint GRE tunnels.

Regarding DMVPN being proprietary - actually, all protocols used in DMVPN are open and described in RFCs. A different thing, though, is that I haven't seen any other vendor implementing them.

Best regards,

Peter

Hello Peter,

To be honest, I've reported what I've read in the forums.

I don't remember who noted this, but DMVPN is considered proprietary.

Other vendors probably have similar frameworks.

Hope to help

Giuseppe

Giuslar,

One of the considerations before moving to DMVPN would be to understand if it is possible to know the tunnel traffic between the hub and the different spokes.

In a simple IPsec over GRE tunnel, or more tunnels, it is easy to identify the traffic size or bandwidth consumed.

In DMVPN, can we get the same?

Hello Pratik,

I think that modular QoS may help on this by providing a way to "count" traffic towards each remote site.

See

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPN_2_Phase2.html

and QoS for the enterprise

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND_40/QoSIntro_40.html#wp60933

Hope to help

Giuseppe
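As an added illustration, not posted by anyone in this thread, the Cisco IOS hub and spoke configuration below sketches what Giuseppe describes in his first reply and in the QoS answer above: one multipoint GRE interface on the hub protected by an IPsec profile, spokes registering through NHRP so the hub needs no change when a spoke is added, certificate (rsa-sig) authentication instead of a single wildcard pre-shared key, and Per-Tunnel QoS keyed on NHRP groups so that traffic can be counted and shaped per spoke. All addresses (RFC 5737 documentation ranges), interface names, the trustpoint, key pair and group names are placeholders I chose; the Per-Tunnel QoS commands assume an IOS release that supports that feature.

```cisco
! Added example, not from the thread. Placeholders: 203.0.113.0/24 (NBMA/Internet),
! 10.0.0.0/24 (tunnel overlay), GigabitEthernet0/0, trustpoint DMVPN-CA, group SPOKE-2MB.
!
! ===== HUB =====
! Certificate-based IKE authentication; avoids the single shared key mentioned above.
crypto pki trustpoint DMVPN-CA
 enrollment url http://ca.example.net:80
 revocation-check crl
 rsakeypair DMVPN-KEY
! (then in exec mode: crypto pki authenticate DMVPN-CA, crypto pki enroll DMVPN-CA)
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Per-Tunnel QoS: this policy is attached to every spoke that registers with NHRP group SPOKE-2MB,
! giving the hub a per-spoke shaper and per-spoke byte/packet counters.
policy-map SPOKE-2MB
 class class-default
  shape average 2000000
!
interface Tunnel0
 description DMVPN hub: one mGRE interface serves every spoke
 ip address 10.0.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp map group SPOKE-2MB service-policy output SPOKE-2MB
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== SPOKE (same template on every spoke; only its own addresses differ) =====
! crypto pki trustpoint / crypto isakmp policy / transform-set / ipsec profile: identical to the hub.
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 100
 ip nhrp nhs 10.0.0.1
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp group SPOKE-2MB
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Verification on the hub (exec mode) =====
! show dmvpn detail                      -> registered spokes, their NHRP group and attached policy
! show policy-map multipoint Tunnel0     -> per-spoke QoS counters, one instance per spoke NBMA address
! show crypto ipsec sa peer 203.0.113.2  -> encaps/decaps packet counters for one spoke's IPsec SAs
```

Because the hub learns each spoke's NBMA address from its NHRP registration, the hub's Tunnel0 block above never grows as spokes are added, which is the maintenance advantage described earlier; there is also no crypto map and therefore no crypto ACL whose deletion could silently widen the match to permit ip any any. The NHRP group, rather than a per-spoke configuration line on the hub, is what selects the QoS policy and its counters for a given spoke.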
