Giuseppe Larosa Sun, 11/15/2009 - 14:39

Hello Pratik,

DMVPN = point-to-multipoint GRE + IPSec

GRE+ IPSec = point-to-point GRE + IPSec

DMVPN requires to deploy a certification authority server, using a single shared key is not secure enough.

We can say that DMVPN is more hard to deploy but it is far easier to mantain and should be a winning choice if number of remote sites increases over time.

Hub router configuration doesn't need to be changed when a new remote site has to be added this helps also on scalability.

DMVPN disadvantage: it is Cisco proprietary.

point-to-point GRE and IPsec is easier to setup but harder to mantain: adding a new remote site requires configuration on hub and new remote.

Also when doing changes there are some errors that can impact multiple remote sites: if for example in a crypto map block a non-existing ACL is invoked this is seen as a permit ip any any and causes that connectivity to all remote sites configured in following crypto map blocks is broken.

it is enough to delete an ACL to do this.

a possible advantage is that it is possible to accomodate a remote peer that has different authentication and encryption capabilities and non cisco devices.

Hope to help


pshah.1979 Sun, 11/15/2009 - 23:36


in DMVPN can we now the traffic utilization from Hub to single spoke or multiple spoke.

Giuseppe Larosa Mon, 11/16/2009 - 04:49

Hello Pratik,

>> in DMVPN can we now the traffic utilization from Hub to single spoke or multiple spoke.

not totally clear to me.

in DMVPN you can decide if you want to allow dynamic spoke to spoke communications (DMVPN phase2 and later) or you can decide to block this and to have only spokes to hubs communication.

in this case spoke to hub to spoke is required.

if you mean how you can monitor traffic volume to specific remote sites that is a different matter.

Hope to help


Peter Paluch Mon, 11/16/2009 - 02:03

Hello Giuseppe,

A very fine answer indeed. There is one thing I wanted to point out, though - the DMVPN does not have to be implemented using IPsec. While of course every reasonable implementation of DMVPN uses IPsec for data confidentiality and integrity purposes, the IPsec itself is just an add-on on top of the real DMVPN provided by NHRP and multipoint GRE tunnels.

Regarding the proprietarity - actually, all protocols used in DMVPN are open and described in RFCs. A different thing, though, is that I haven't seen any other vendor implementing them.

Best regards,


Giuseppe Larosa Mon, 11/16/2009 - 04:46

Hello Peter,

to be honest I've reported what I've read in the forums.

I don't remember who noted this but DMVPN is considered proprietary.

other vendors have probably similar frameworks.

Hope to help


pshah.1979 Mon, 11/16/2009 - 11:51


One of the consideration before moving to DMVPN would be to understand if its possible to know tunnel traffic between Hub and different spoke.

In a simple IPSEC over GRE Tunnel or more tunnels its easy to identify traffic size or bandwidth consumed

In DMVPN can we get the same.


This Discussion