Cisco Support Community

New Member

DMVPN versus Traditional Crypto Map


I have been doing a little research into DMVPN, however I haven't been able to find any data comparing a DMVPN to the traditional tunnels.

Can anyone provide me with some throughput comparison?  Either real world experience or tech docs would work.

With and Without the VPN AIM would be nice as well, but if we must make an assumption, assume with the AIM.


Cisco Employee

DMVPN versus Traditional Crypto Map


It's not really like comparing apples and oranges but it's a different technology.

It will differ depending on the platform. I don't think a big comparison exists externally at this point (considering the variety of platforms/modules using IPsec).

DMVPN is using GRE over IPsec with NHRP, while old crypto maps are a bit like a pipe (at a very high level of abstraction): as long as a packet matches an encryption rule, it will be forwarded through pure IPsec.

Crypto maps offer less flexibility in terms of what can be sent via the tunnel and how you operate, but as a rule of thumb, since we don't have to perform two encapsulations, crypto maps will have a bit more raw performance than GRE over IPsec solutions (considering also that GRE overhead will decrease the raw Mbit/s count). Of course, one could argue that it's not entirely like this for hardware platforms (cat6k, ASR1k ...).

If I can leave you with a thought: crypto map based solutions are slowly fading away; tunnel protection based solutions (the mentioned DMVPN, but mostly Flex and VTI) offer more flexibility with almost none of the shortcomings.

Tunnel protection is what you should consider for any future deployments.
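
The encapsulation overhead discussed in the reply above, worked through as an added example that is not part of the original thread or Cisco's own material: it computes the bytes on the wire for one inner packet sent through a crypto map versus GRE over IPsec. Assumptions not stated in the thread: IPv4, ESP with AES-CBC and HMAC-SHA-256-128, no NAT-T, a base GRE header without key, and tunnel-mode ESP for the crypto map; the function names are hypothetical.

```python
# Added example: bytes on the wire per packet for crypto map vs GRE over IPsec.
# Assumptions (not from the thread): IPv4, ESP with AES-CBC + HMAC-SHA-256-128,
# no NAT-T, base GRE header without key or sequence fields.
IP_HEADER = 20     # IPv4 header without options
GRE_HEADER = 4     # base GRE header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)
CIPHER_BLOCK = 16  # AES block size; also the CBC IV length
ICV = 16           # truncated HMAC-SHA-256 integrity tag


def esp_wire_size(ip_packet_len, mode):
    """Size after ESP of an IPv4 packet of ip_packet_len bytes (header included)."""
    if mode == "tunnel":
        protected = ip_packet_len              # whole packet is encrypted
    elif mode == "transport":
        protected = ip_packet_len - IP_HEADER  # original IP header stays outside
    else:
        raise ValueError("mode must be 'tunnel' or 'transport'")
    # Payload plus ESP trailer is padded up to a whole cipher block.
    padded = -(-(protected + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    return IP_HEADER + ESP_HEADER + CIPHER_BLOCK + padded + ICV


def crypto_map_size(inner_len):
    """Pure IPsec: the matched packet goes straight into tunnel-mode ESP."""
    return esp_wire_size(inner_len, "tunnel")


def gre_over_ipsec_size(inner_len, mode):
    """Tunnel protection: GRE-encapsulate first, then protect the GRE packet."""
    return esp_wire_size(IP_HEADER + GRE_HEADER + inner_len, mode)


def compare(inner_len):
    """Wire size in bytes for each encapsulation of one inner packet."""
    return {
        "crypto map (ESP tunnel)": crypto_map_size(inner_len),
        "GRE + ESP transport": gre_over_ipsec_size(inner_len, "transport"),
        "GRE + ESP tunnel": gre_over_ipsec_size(inner_len, "tunnel"),
    }


if __name__ == "__main__":
    for size in (64, 1390, 1400):  # constructed sample packet sizes
        for name, wire in compare(size).items():
            print(f"{size:>5} B inner  {name:<24} {wire:>5} B  "
                  f"efficiency {size / wire:.1%}")
```

Under these assumptions the GRE penalty is between 0 and 32 bytes per packet, depending on how the ESP padding falls; the CPU cost of the second encapsulation is not modelled.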

