Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Should I use DMVPN/certificates?


I have a current customer network of 3660 VPN routers at the head end with numerous (30 or so) 1800 and 2600 spokes. This uses pre shared keys. The only traffic is spoke to hub, there is no requirement for spoke to spoke. All spokes have static IP addresses. This solution works great and has been running well for three years. However, the customer requires more encryption throughput. The network is to change to a 6500 with VPN module in the core and 3845 VPN routers as the spokes (a few 7200's with VAM2+ as well).

I have been reading cco pages about certificates and DMVPN. This looks like a great potential solution, though I have never configured this before. However, I think I may be making the solution overly complex for only 30 routers in this simple scenario. What would you guys recommend here? Anyone done this with fewer routers? Any certificates would have to be done on the 6500 IOS CA system. Any comments on this as a CA solution?

I have a week "play" time with this in pre staging lab before it goes live.

Much appreciate any feedback...


New Member

Re: Should I use DMVPN/certificates?

Hi again !!

I should add that 20 of the 30 sites are very small sites of five or so users but five sites (with the 7200) have 500 users. If not DMVPN I was perhaps thinking of static IPSec maps to the main sites and EZVPN to the small ones.

Sound sensible....?????


New Member

Re: Should I use DMVPN/certificates?

If you have Spoke static IP address and you don't need spoke to spoke traffic, you better configure static tunnel with certificate.

Cisco Employee

Re: Should I use DMVPN/certificates?

Hello Steve,

IMHO, the power of DMVPN is realized until you have at least 50+ sites and require spoke-to-spoke communication. You'd probably be better off with static crypto maps. As far as PSK vs. Digital Certs, obviously Digital Certs are more secure. It just becomes a question about manageability. PSK would be fine as well.

Hope that helps! If so, please rate.


CreatePlease to create content