Introduction to VPN Technologies
GETVPN and DMVPN are two commonly used VPN technologies in enterprise WAN setups, especially where a large number of remote sites connect to one hub or data center site. Both technologies support hub-to-spoke and spoke-to-spoke communication. When either of these VPN solutions is deployed, especially on Cisco routers, a security license is an additional overhead (cost) that needs to be considered.
What is GETVPN
GETVPN is designed for environments with full IP connectivity, such as MPLS networks. It provides end-to-end encryption without tunneling, preserving the original IP header. This makes it ideal for environments where QoS, multicast, or routing based on original IP is necessary.
Features
- Tunnel-less encryption: Encrypts IP packets directly.
- Preserves original IP headers: Allows for advanced QoS and routing.
- Group-based key management: Uses a central Key Server for crypto policy distribution.
- Best for private networks: Like MPLS backbones with consistent reachability.
What is DMVPN
DMVPN is designed for dynamic, scalable secure communication over public or hybrid networks. It creates on-demand VPN tunnels using multipoint GRE (mGRE) and NHRP (Next Hop Resolution Protocol).
Features
- Dynamic tunnels: Branch-to-branch direct communication without going through HQ.
- mGRE + IPsec: Allows many peers with a single tunnel interface.
- Scales well: Ideal for hub-and-spoke or full mesh topologies.
- Best for internet-based connectivity: Particularly for remote sites or mobile branches.
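The difference between GETVPN's preserved header and DMVPN's tunnel shows up in the outer IP header of the encrypted packet. The following sketch is an added example, not code from the original article: it models only the IPv4 headers (the ESP payload is omitted), copying DSCP to the DMVPN outer header is an assumption of the model, and all addresses are constructed samples.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number for IPsec ESP
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options

def ipv4_header(src, dst, proto, dscp=0):
    """Build a minimal IPv4 header (length and checksum left simplified)."""
    return struct.pack(IPV4, 0x45, dscp << 2, 20, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse(header):
    """Return (src, dst, dscp, proto) from the first 20 bytes."""
    f = struct.unpack(IPV4, header[:20])
    return (str(ipaddress.IPv4Address(f[8])), str(ipaddress.IPv4Address(f[9])),
            f[1] >> 2, f[6])

def getvpn_outer(inner):
    """GETVPN: the outer header copies the inner addresses and DSCP."""
    src, dst, dscp, _ = parse(inner)
    return ipv4_header(src, dst, ESP, dscp)

def dmvpn_outer(inner, nbma_src, nbma_dst):
    """DMVPN: the outer header carries the tunnel endpoints' addresses.
    Copying DSCP to the outer header is an assumption of this model."""
    dscp = parse(inner)[2]
    return ipv4_header(nbma_src, nbma_dst, ESP, dscp)

def exposes_private_addresses(header):
    """True if the transit network would have to route RFC 1918 addresses."""
    src, dst, _, _ = parse(header)
    return any(ipaddress.ip_address(a) in net
               for a in (src, dst) for net in RFC1918)

# Constructed sample: a voice packet (DSCP 46) between two branch LANs.
INNER = ipv4_header("10.1.1.10", "10.2.2.20", 17, dscp=46)
# Constructed tunnel endpoints from the 203.0.113.0/24 documentation range.
NBMA = ("203.0.113.10", "203.0.113.20")

if __name__ == "__main__":
    for name, hdr in (("GETVPN", getvpn_outer(INNER)),
                      ("DMVPN", dmvpn_outer(INNER, *NBMA))):
        print(name, parse(hdr), "private on the wire:",
              exposes_private_addresses(hdr))
```

With GETVPN the transit network routes on, and can observe, the original site addresses, which suits a private MPLS core but not the public internet; with DMVPN only the tunnel endpoint addresses appear on the wire.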
Comparison Table: GETVPN vs DMVPN
The two technologies appear quite similar, but they differ in several attributes and behaviors, as listed in the table below:
PARAMETER | GETVPN | DMVPN |
---|---|---|
Terminology | GETVPN is a tunnel-less VPN technology providing end-to-end security for network traffic across a fully meshed topology. | DMVPN provides fully meshed connectivity with a simple hub-and-spoke configuration. DMVPN forms IPsec tunnels over dynamically or statically addressed spokes. |
Encryption | Group protection | Peer to Peer |
Scalability | More scalable than DMVPN | Less scalable than GETVPN |
Public Internet support | Not supported (because of IP preservation) | Yes |
Essential Protocols | GDOI, ESP | NHRP |
Multicast performance | Better due to no multicast replication issues. | Lower than in GETVPN |
Failover | Route redistribution and Stateful model | Route redistribution model |
Tunnel requirement | No | Yes |
Target deployment | Customer sites connected over MPLS that require additional security for communication across sites, especially where multicast traffic is essential for the enterprise. | Customer sites connected over the Internet that require a secured path for communication across sites. |
Related terms | Key Servers, Group Members, GDOI | mGRE, NHRP |
RFC | RFC 3547 | RFC 2332, RFC 1701 |
Topologies | Full Mesh | Hub and Spoke; Partial and Full Mesh |
Licensing | Security License on Cisco Routers | Security License on Cisco Routers |
GETVPN or DMVPN: When to choose which?
Situation | Recommended VPN |
---|---|
You have an MPLS WAN and need native QoS/multicast | GETVPN |
Your branches connect over the internet | DMVPN |
You require encrypted site-to-site communication with dynamic tunnel setup | DMVPN |
You want centralized control over all encryption policies | GETVPN |
ABOUT THE AUTHOR

You can learn more about her on her LinkedIn profile – Rashmi Bhardwaj