GETVPN vs DMVPN: Understand the difference


Introduction to VPN Technologies

GETVPN and DMVPN are two commonly used VPN technologies in enterprise WAN deployments, especially where a large number of remote sites connect to one hub or data center site. Both GETVPN and DMVPN support hub-to-spoke as well as spoke-to-spoke communication. When either solution is deployed, especially on Cisco routers, the required security license is an additional cost that needs to be considered.

What is GETVPN

GETVPN is designed for environments with full IP connectivity, such as MPLS networks. It provides end-to-end encryption without tunneling, preserving the original IP header. This makes it ideal for environments where QoS, multicast, or routing based on original IP is necessary.

Features

  • Tunnel-less encryption: Encrypts IP packets directly.
  • Preserves original IP headers: Allows for advanced QoS and routing.
  • Group-based key management: Uses a central Key Server for crypto policy distribution.
  • Best for private networks: e.g. MPLS backbones with consistent any-to-any reachability.

What is DMVPN

DMVPN is designed for dynamic, scalable secure communication over public or hybrid networks. It creates on-demand VPN tunnels using multipoint GRE (mGRE) and NHRP (Next Hop Resolution Protocol).


Features

  • Dynamic tunnels: Branch-to-branch direct communication without going through HQ.
  • mGRE + IPsec: Allows many peers with a single tunnel interface.
  • Scales well: Ideal for hub-and-spoke or full mesh topologies.
  • Best for internet-based connectivity: Particularly for remote sites or mobile branches.

Comparison Table: GETVPN vs DMVPN

The two technologies sound quite similar, but they differ in a number of attributes and behaviours, as listed in the table below:

| Parameter | GETVPN | DMVPN |
|---|---|---|
| Terminology | GETVPN is a tunnel-less VPN technology providing end-to-end security for network traffic across a fully meshed topology. | DMVPN provides full-mesh connectivity with a simple hub-and-spoke configuration. DMVPN forms IPsec tunnels over dynamically or statically addressed spokes. |
| Encryption | Group protection | Peer to peer |
| Scalability | More scalable than DMVPN | Less scalable than GETVPN |
| Public Internet support | Not supported (because of IP header preservation) | Yes |
| Essential protocols | GDOI, ESP | NHRP |
| Multicast performance | Better, as there are no multicast replication issues | Lower than in GETVPN |
| Failover | Route redistribution and stateful model | Route redistribution model |
| Tunnel requirement | No | Yes |
| Target deployment | Customer sites connected over MPLS that require additional security for communication across sites, especially where multicast traffic is essential for the enterprise. | Customer sites connected over the Internet that require a secured path for communication across sites. |
| Related terms | Key Servers, Group Members, GDOI | mGRE, NHRP |
| RFC | RFC 3547 | RFC 2332, RFC 1701 |
| Topologies | Full mesh | Hub and spoke; partial and full mesh |
| Licensing | Security license on Cisco routers | Security license on Cisco routers |
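To make the "tunnel requirement" and "essential protocols" rows concrete, here is an added Cisco IOS configuration skeleton (not taken from the article) for a GETVPN key server and group member next to a DMVPN spoke. All addresses, names, the group identity and the NHRP string are constructed placeholders; ISAKMP policies, peer authentication and the RSA key pair used for rekey signing are assumed to be configured separately.

```cisco
! ===== GETVPN key server: owns the encryption policy for the whole group =====
! (constructed example; ISAKMP policy, pre-shared/RSA authentication and the
!  RSA key pair GETVPN-REKEY-RSA are assumed to exist)
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY-RSA
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY
  address ipv4 10.0.0.1
!
! Policy pushed to every member. GDOI control traffic (UDP 848) is excluded so
! registration and rekey exchanges are not themselves subject to the group policy.
ip access-list extended GETVPN-POLICY
 deny   udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
! ===== GETVPN group member: no tunnel interface, policy comes from the KS =====
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
!
! ===== DMVPN spoke: mGRE tunnel + NHRP, protected by a local IPsec profile =====
! (hub public address 203.0.113.1 and tunnel address 172.16.0.1 are constructed;
!  the NHRP authentication string must be replaced and is at most 8 characters)
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 ip nhrp authentication CHANGEME
 ip nhrp map 172.16.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 1
 ip nhrp nhs 172.16.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROFILE
```

The contrast is visible in the structure: the group member carries no tunnel interface and no crypto policy of its own, whereas the DMVPN spoke attaches both the mGRE encapsulation and the IPsec protection to its tunnel interface.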


GETVPN or DMVPN: When to choose which?

| Situation | Recommended VPN |
|---|---|
| You have an MPLS WAN and need native QoS/multicast | GETVPN |
| Your branches connect over the Internet | DMVPN |
| You require encrypted site-to-site communication with dynamic tunnel setup | DMVPN |
| You want centralized control over all encryption policies | GETVPN |
