11-17-2023 01:59 PM
What would the Network community prefer: DMVPN using routers, or site-to-site VPN using firewalls? And why?
As of now we are using DMVPN with ISR 1000s, but I also have Firepowers, and I would like to do site-to-site with the firewalls and save money on routers.
Please suggest whether it's a good idea or a terrible mistake.
Thanks in Advance!!
11-17-2023 02:07 PM
DMVPN is used when you have a branch trying to access the DC or another branch (spoke), and the DC and branch don't have a public IP. This process is done via NHRP requests and replies, and the traffic is protected by IPsec.
Site-to-site in the FW cannot do that; one site must know the peer's public IP to form the tunnel. There is hub-and-spoke VPN in the FW, but it does not allow spoke-to-spoke like DMVPN, and hence all traffic must pass through the hub.
11-17-2023 03:54 PM
You can use S2S over private IP addresses. Can you share the restriction about public IPs for S2S VPN in Firepower/FTD?
11-17-2023 02:31 PM
Site-to-site VPNs and DMVPN cover different use cases.
DMVPN gives you a dynamic overlay network using NHRP, GRE and IPsec. You want to use DMVPN when it's not feasible to maintain site-to-site tunnels. The typical use cases are when you have to deal with spokes with dynamic IP addresses or when you need to maintain a mesh network with many nodes. If your network has static endpoints and a limited number of tunnels, there is (likely) no need to use DMVPN.
11-17-2023 03:53 PM
Hi,
Firewalls are stateful devices. For corporate site-to-site connectivity (I mean not VPN as such, just connectivity between sites), if you use firewalls you need to configure not only VPN and routing but also policies within the firewall. This adds complexity and troubleshooting, and needs a better understanding of "firewalling" (sometimes a simple any-any allow rule is not enough to permit certain traffic), etc. But it gives the opportunity to have one device on site (which is a security device) and even run direct internet access safely on site. In any case, if you choose a firewall you have not only the S2S connection option but also dynamic VTI support in FTD devices (which gives scalability in the WAN with a hub-and-spoke topology).
However, if you have routers and you want to connect sites, then you need only a simple routing-based configuration without any policy configuration. On routers you may use DMVPN and also FlexVPN.