Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2229
Views
9
Helpful
3
Replies

dmvpn or getvpn or DVTI

Go to solution
John Mayer
Level 1
Level 1

‎09-01-2014 10:26 PM - edited ‎02-21-2020 07:48 PM

Hello

actually i have situation as discuss below and I'm confused about design and implement which VPN topology i have to choose DMVPN, GETVPN or DVTI

 

i have 4 branch and 1 main site, branches have 2 connectivity to HQ one via INTERNET an another via MPLS, so i want to have Fail-over on links and also have secure tunnel on both ways

Best Regards

John Mayer

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎09-01-2014 11:50 PM

GETVPN is not meant to be used over the internet. So this is not the solution.

With this small amount of sites I would configure static VTIs over MPLS and use DVTIs on the internet if the branches have dynamic IPs. If the branches also have static IPs, I would configure these links also with staid VTIs.

DMVPN could also be used in this scenario, but the protocol overhead is not needed in this small-scale-scenario.

View solution in original post

0 Helpful

Go to solution
Frank DeNofa
Cisco Employee
Cisco Employee
In response to John Mayer

‎09-09-2014 04:23 PM

John,

 

Contrary to what Karsten suggested, I think DMVPN would be a good way to go with 15 sites. Once you get everything up and working, it is extremely easy to add new sites with no changes needed on your Hub router. Here's a guide which discusses DMVPN configured in a dual Hub dual cloud scenario: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual

 

You could easily use EIGRP to exchange routes and configure failover if one of the Hubs or tunnels goes down. This document discusses having two physical Hubs, but you can easily configure both DMVPN clouds on a single Hub router.

 

Here's a document which has some DMVPN FAQs: https://supportforums.cisco.com/document/50111/dynamic-multipoint-vpn-dmvpn-design-and-positioning-questions-and-answers-live#Q._What_are_the_advantagesdisadvantages_of_using_DMVPN_or_VTI

 

HTH,

Frank

View solution in original post

3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎09-01-2014 11:50 PM

GETVPN is not meant to be used over the internet. So this is not the solution.

With this small amount of sites I would configure static VTIs over MPLS and use DVTIs on the internet if the branches have dynamic IPs. If the branches also have static IPs, I would configure these links also with staid VTIs.

DMVPN could also be used in this scenario, but the protocol overhead is not needed in this small-scale-scenario.

0 Helpful

Go to solution
John Mayer
Level 1
Level 1
In response to Karsten Iwen

‎09-02-2014 01:51 AM

thanks for your replay

maybe we have to extend our branches up to 15 until end of the year,

in my opinion we can have two DMVPN interface but with single HUB and have EIGRP routing for failover links

is it possible???

and for implementation and maintenance which one of Static VTI or DMVPN you perefer???

0 Helpful

Go to solution
Frank DeNofa
Cisco Employee
Cisco Employee
In response to John Mayer

‎09-09-2014 04:23 PM

John,

 

Contrary to what Karsten suggested, I think DMVPN would be a good way to go with 15 sites. Once you get everything up and working, it is extremely easy to add new sites with no changes needed on your Hub router. Here's a guide which discusses DMVPN configured in a dual Hub dual cloud scenario: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/41940-dmvpn.html#dualhubdual

 

You could easily use EIGRP to exchange routes and configure failover if one of the Hubs or tunnels goes down. This document discusses having two physical Hubs, but you can easily configure both DMVPN clouds on a single Hub router.

 

Here's a document which has some DMVPN FAQs: https://supportforums.cisco.com/document/50111/dynamic-multipoint-vpn-dmvpn-design-and-positioning-questions-and-answers-live#Q._What_are_the_advantagesdisadvantages_of_using_DMVPN_or_VTI

 

HTH,

Frank

Customers Also Viewed These Support Documents