DMVPN vs Site to Site VPN

hizlerclaus
Level 1

What would the Network community prefer: DMVPN using routers, or site-to-site VPN using firewalls? And why?

As of now we are using DMVPN with ISR 1000s, but I also have Firepowers and I'd like to do site-to-site with the firewalls and save money on routers.

Please suggest if it's a good idea or a terrible mistake.

Thanks in Advance!!

4 Replies

DMVPN is used when you have a branch trying to access the DC or another branch (spoke), and the DC and branch don't have a public IP. This process is done via NHRP requests and replies, and the traffic is protected by IPsec.

Site-to-site in a FW cannot do that; one site must know the peer's public IP to form the tunnel. There is hub-and-spoke VPN in a FW, but it does not allow spoke-to-spoke like DMVPN, and hence all traffic must pass through the hub.

You can use S2S over private IP addresses; can you share the restriction about public IPs for S2S VPN in Firepower/FTD?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Torbjørn
Spotlight

Site-to-site VPNs and DMVPN cover different use cases.

DMVPN gives you a dynamic overlay network using NHRP, GRE and IPsec. You want to use DMVPN when it's not feasible to maintain site-to-site tunnels. The typical use cases are when you have to deal with spokes with dynamic IP addresses or when you need to maintain a mesh network with many nodes. If your network has static endpoints and a limited number of tunnels, there is (likely) no need to use DMVPN.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Hi,

firewalls are stateful devices. For corporate site-to-site connectivity (I mean not VPN, just connectivity between sites), if you use firewalls you need to configure not only VPN and routing, but also policies within the firewall. This adds complexity and troubleshooting, and needs a better understanding of "firewalling" (sometimes a simple any-any allow rule is not enough to permit certain traffic), etc. But it gives the opportunity to have one device on site (which is a security device) and even run direct internet access safely on site. In any case, if you choose a firewall you have not only the S2S connection option but also dynamic VTI support in FTD devices (which gives scalability in the WAN with a hub-and-spoke topology).

However, if you have routers and you want to connect sites, then you need a simple routing-based configuration without any policy configuration. In routers you may use DMVPN and also FlexVPN.


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
