Cisco Support Community
New Member

GET VPN advice

Hi all experts.

Our organization has 200 branches countrywide. Recently a Cisco vendor advised us to move to GET VPN. We are currently using DMVPN.

Let me simplify our scenario. Let's say I have a hub-and-spoke topology. All the branches are given a separate /30 subnet that is routed to our main aggregation subnet /30. We then configure a DMVPN tunnel and run OSPF to provide LAN-to-LAN connectivity. So far the scenario is simple. Now the consultant told us that we won't be requiring any tunnels, since GET VPN supports multicast and is able to form OSPF adjacencies.

My point is, how can an OSPF adjacency be made if I have different subnets between hub and branches?

Cisco Employee

Re: GET VPN advice


DMVPN was designed with public internet in mind.

GET was thought to be a solution for private WANs - MPLS VPN for example.

GET still encapsulates traffic but indeed does not form a tunnel-like adjacency.

My point - how is the traffic being routed between hub and spokes right now? I mean, how does the hub know how to get to all those /30s?

Maybe a topology diagram?


Cisco Employee

Re: GET VPN advice

One of the main attributes of the Group Encrypted Transport VPN (GET VPN) solution is that it offers IP header preservation while using IPsec tunnel mode. Thus, packets protected by IPsec in a GET VPN setup retain the original source and destination addresses in the "outer" IP header rather than replacing them with tunnel endpoint addresses. GET VPN is not hub-to-spoke; think of it more like a solution where one is providing any-to-any encryption within a group of trusted sites.

Given the above, if you have basic L3 connectivity between your sites, GET VPN will work on top of that transparently; you will not need an overlay IP network like with DMVPN tunnels.

