Questions on GET VPN

Feb 15th, 2009

Hello folks,


I am working on understanding GET VPN. I want to ask a few questions:


1) Suppose I have 4 spokes (branches) and one HUB site. With GET VPN, spokes are authenticated with the hub (key server), then get the security policies, and then form a VPN with the HUB dynamically. It means we don't need to form static VPN tunnels from the spokes to the hub. DMVPN provides spoke-to-spoke dynamic VPN tunnels and GET VPN provides spoke-to-hub dynamic VPN tunnels. Am I right in this understanding? But how about routing from spoke to hub and from spoke to spoke? Can it be dynamic?


2) GET VPN is tunnel-less, which preserves the multicast header. But if we have the Internet between the branches and the hub, then the Internet does not support routing of multicast traffic. It means GET VPN is beneficial if we have a private WAN?


Thanks


-Kashif

Ivan Martinon (Cisco Employee) Mon, 02/16/2009 - 07:08

hi Kashif,


GET VPN does not form tunnels to the hub as DMVPN does; it creates a tunnel to the hub to download the security policies and then uses these to create a VPN "domain" in which "tunnels" from spoke to spoke are not needed. What I mean is that the WAN where GETVPN is running becomes the encryption domain, and then when you need to reach a spoke you go to it via this encrypted domain. Routing happens on the WAN environment prior to the encryption.


2) GETVPN is only recommended for private WAN environments.

kashif.rana Mon, 02/16/2009 - 08:55

Hi Imartino,


Thanks a lot for your reply and great explanation. One more question: if the branches and HUB are interconnected via an MPLS network, then encryption of multicast traffic with header preservation is not possible, I guess, because the service provider will not do the routing of multicast traffic. In this condition, GET VPN cannot be used?


Thanks


-Kashif

Ivan Martinon (Cisco Employee) Mon, 02/16/2009 - 09:00

I have been reading, and it seems that GETVPN will allow you to pass multicast via those tunnels; I am not sure how the config goes, though.

nedian123 Wed, 03/18/2009 - 23:42

Check out the following points by one of the Cisco engineers (taken from the Ask the Experts forum):


***************************************

The following slide gives a very good comparison (high level) of various site-to-site solutions:


http://www.cisco.com/application/pdf/en/us/guest/products/ps7180/c1031/cdccont_0900aecd80582078.pdf


To summarize, the major advantages of GETVPN are:


a) No overlay routing


GETVPN does not run into the scalability concerns that IPsec/GRE or DMVPN solutions run into.


b) Tunnel header preservation - superior multicast handling


Source and destination stay intact. Multicast packets only need to be encrypted once, and then the multicast core is responsible for replicating and distributing the traffic.


c) Separation of control and data plane.


Improved scalability, because unlike a DMVPN, IPsec/GRE or EzVPN hub, a Key Server is not in the data path and is only responsible for the control plane, thereby resulting in better network scalability.


d) Any-to-any connectivity without a need to negotiate new IPsec tunnels


Due to the group SA concept, any packet which any group member encrypts can be decrypted by any other group member.


One thing I must point out is that GETVPN is only suitable in environments where we have end-to-end routing, e.g. MPLS or L2 (FR/ATM) connectivity. This is because of tunnel header preservation. If GETVPN has to be deployed on the Internet, it has to be combined with a DMVPN or GRE overlay.


You can find much more info at the following URL:


http://www.cisco.com/go/getvpn


The Flash demo on the right-hand side provides a very good overview.

*************************************



Regards,


Akhtar
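As an added illustration of the points quoted above (and of the config question raised earlier in the thread), here is a minimal IOS-style key server and group member configuration; it is not part of this thread or of Cisco's documentation, and all addresses, names, the pre-shared key and the group identity number are assumed placeholders. It shows where the centrally defined policy lives (key server), that group members carry no per-peer tunnel definitions, and that the only thing selecting traffic for header-preserving encryption is the ACL pushed by the key server.

```cisco
! ---- Key Server (KS), assumed at 10.0.0.1: holds the policy, stays out of the data path ----
! Registration (GDOI phase 1) authentication; PSK is a placeholder
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0
!
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
!
! Traffic selector pushed to every GM: any-to-any traffic between the assumed branch subnets.
! Because GET VPN keeps the original IP header, the WAN must already route these prefixes
! (and multicast, if multicast is to be protected), which is why a private WAN/MPLS is needed.
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
! RSA key for signing rekeys is generated beforehand in exec mode:
!   crypto key generate rsa label GETVPN-REKEY modulus 2048
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   replay counter window-size 64
  address ipv4 10.0.0.1
!
! ---- Group Member (GM): the same few lines on every spoke and on the hub ----
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 10.0.0.1
!
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 description WAN-facing interface (assumed)
 ip address 10.0.1.2 255.255.255.0
 crypto map GETVPN-MAP
```

Adding a fifth branch means registering one more GM with the KS; no new tunnel or crypto ACL appears on the existing members, which is the "no overlay routing" and "any-to-any without new IPsec tunnels" point from the quoted summary.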
