DMVPN versus Traditional Crypto Map

DanielSheppard
Level 1

Hello,

I have been doing a little research into DMVPN, however I haven't been able to find any data comparing a DMVPN to the traditional tunnels.

Can anyone provide me with some throughput comparison? Either real world experience or tech docs would work.

With and without the VPN AIM would be nice as well, but if we must make an assumption, assume with the AIM.

Thanks

1 Reply

Marcin Latosiewicz
Cisco Employee

Daniel,

It's not really like comparing apples and oranges, but it's a different technology.

It will differ depending on the platform. I don't think a big comparison exists at this point externally (considering the variety of platforms/modules using IPsec).

DMVPN uses GRE over IPsec with NHRP, while old crypto maps are a bit like a pipe (at a very high level of abstraction): as long as a packet matches the encryption rule, it will be forwarded through pure IPsec.

Crypto maps offer less flexibility in terms of what can be sent via the tunnel and how you operate, but as a rule of thumb, since we don't have to perform two encapsulations, crypto maps will have a bit more raw performance than GRE over IPsec solutions (considering also that GRE overhead will decrease the raw Mbit/s count). Of course one could argue that it's not entirely like this for hardware platforms (cat6k, ASR1k ...).

If I can leave you with a thought: crypto map based solutions are slowly fading away; tunnel protection based solutions (the mentioned DMVPN, but mostly Flex and VTI) offer more flexibility with almost none of the shortcomings.

Tunnel protection is what you should consider for any future deployments.

M.
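
The encapsulation overhead mentioned in the reply, worked through as an added example (not part of the original thread or of Cisco documentation): it compares on-the-wire packet sizes for pure ESP tunnel mode (crypto map) and GRE over IPsec. Assumed: IPv4 without options, AES-CBC with HMAC-SHA1-96, no NAT-T and a 4-byte GRE header; the function names are illustrative, and only encapsulation bytes are modelled, not per-packet processing cost.

```python
import math

# Assumed (not from the thread): IPv4 without options, ESP with AES-CBC
# (16-byte IV and block) and HMAC-SHA1-96 (12-byte ICV), no NAT-T.
OUTER_IPV4 = 20   # new outer IPv4 header
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad length + next header
GRE_HEADER = 4    # base GRE header; a tunnel key adds 4 more bytes


def esp_len(plaintext_len, iv=16, block=16, icv=12):
    """Bytes of ESP header + IV + padded plaintext and trailer + ICV."""
    padded = math.ceil((plaintext_len + ESP_TRAILER) / block) * block
    return ESP_HEADER + iv + padded + icv


def crypto_map_len(inner_len):
    """Pure IPsec: ESP tunnel mode wraps the inner IP packet directly."""
    return OUTER_IPV4 + esp_len(inner_len)


def gre_ipsec_len(inner_len, gre=GRE_HEADER, transport=True):
    """GRE over IPsec: the packet is GRE-encapsulated, then ESP-protected."""
    gre_payload = gre + inner_len
    if transport:
        # Transport mode reuses the GRE delivery IP header as the outer header.
        return OUTER_IPV4 + esp_len(gre_payload)
    # Tunnel mode keeps the GRE delivery header inside ESP and adds another.
    return OUTER_IPV4 + esp_len(OUTER_IPV4 + gre_payload)


def compare(inner_sizes=(64, 78, 1400)):
    """Return (inner, crypto map, GRE transport, GRE tunnel) wire sizes."""
    return [(n, crypto_map_len(n), gre_ipsec_len(n),
             gre_ipsec_len(n, transport=False)) for n in inner_sizes]


if __name__ == "__main__":
    print(f"{'inner':>6} {'crypto map':>11} {'GRE transp.':>12} {'GRE tunnel':>11}")
    for inner, cm, gt, gtun in compare():
        print(f"{inner:>6} {cm:>11} {gt:>12} {gtun:>11}")
        # Share of wire bytes that is user traffic: crypto map vs GRE tunnel mode.
        print(f"       efficiency {inner / cm:.1%} vs {inner / gtun:.1%}")
```

Because ESP pads to the cipher block size, the extra GRE bytes sometimes disappear into existing padding and sometimes cost a whole additional block, so the difference varies with packet size.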