Solved: Hub and Spoke vs Peer to Peer VPN topology when using a dynamic IP

Chess Norris · ‎11-06-2025

Hello,

I'm planning to configure a new L2L tunnel between to FTD firewalls, where one side is getting a dynamic IP from the ISP and the other side have a fixed IP address.

I found some older guides recommended using Hub and Spoke as VPN topology, but Peer to Peer VPN also have an option to use a dynamic IP address on one side (see below), so not quite sure what the difference is or what is recommended?

Thanks

/Chess

Rob Ingram · ‎11-06-2025

@Chess Norris yes it sounds like peer-to-peer would suffice for this scenario, either dynamic crypto map or dynamic VTI. DVTI is preferred nowadays, but either will work.

View solution in original post

Rob Ingram · ‎11-06-2025

@Chess Norris it depends on how you plan to scale the VPN deployment, hub and spoke is one-to-many, where as peer to peer is one-to-one.

Chess Norris · ‎11-06-2025

@Rob Ingram In this case it will only be a simple one-to-one tunnel, so then I guess a peer-to-peer tunnel with a dynamic crypto-map would be ok.

Thanks

/Chess

Rob Ingram · ‎11-06-2025

@Chess Norris yes it sounds like peer-to-peer would suffice for this scenario, either dynamic crypto map or dynamic VTI. DVTI is preferred nowadays, but either will work.

Chess Norris · ‎11-06-2025

Thank you @Rob Ingram