Posted by: Mudassir Ali | May 31, 2011

Cisco Site-to-Site VPN Technologies Comparison


Cisco site-to-site VPN solutions integrate advanced network intelligence and routing to deliver reliable transport for complex mission-critical traffic, such as voice and client-server applications, without compromising communications quality. These solutions are built on five underlying VPN technologies: Dynamic Multipoint VPN (DMVPN), Easy VPN, GRE tunneling, standard IP Security (IPsec), and the new Group Encrypted Transport VPN (GET-VPN). Each technology has its benefits and is customized to meet specific deployment requirements. Following is a comparison of the technologies and guidance on when to use them.

| | Cisco GET-VPN | Cisco DMVPN | Cisco GRE-Based VPN | Cisco Easy VPN | Standard IPsec VPN |
|---|---|---|---|---|---|
| | Tunnel-less VPN | Tunnel-based VPN | Tunnel-based VPN | Tunnel-based VPN | Tunnel-based VPN |
| Customer Benefits | Simplifies encryption integration on IP and Multiprotocol Label Switching (MPLS) WANs; Simplifies encryption management through use of “group keying” instead of point-to-point key pairs; Enables scalable and manageable any-to-any between sites; Supports quality of service (QoS), multicast, and routing | Simplifies encryption configuration and management for point-to-point GRE tunnels; Provides on-demand spoke-to-spoke; Supports QoS, multicast, and | Enables transport of multicast and routing traffic across an IPsec VPN; Supports non-IP protocols; Supports QoS | Simplifies IPsec and remote-site device management through dynamic configuration; Supports QoS | Provides encryption between sites; Supports QoS |
| When to Use | Adds encryption to MPLS or IP WANs while preserving any-to-any connectivity and networking features; Offers scalable, full-time meshing for IPsec VPNs; Enables participation of smaller routers in meshed; Simplifies encryption key management while supporting routing, QoS, and multicast | Simplifies configuration for hub-and-spoke VPNs while supporting routing, QoS, and multicast; Provides low-scale, on-demand | Use when routing must be supported across the VPN; Use for same functions as hub-and-spoke DMVPN, but it requires more detailed configuration | Use when simplifying overall VPN configuration and management is the primary goal, but only limited features are required; Use to provide simple, unified framework for mix of Cisco VPN products | Use when multivendor interoperability is required |
| Product Interoperability | Cisco routers only | Cisco routers only | Cisco routers only | Cisco, ASA 5500 Series, Cisco VPN 3000 Series, and Cisco PIX® Firewall | Multivendor |
| Scale | Thousands | Thousands hub and spoke; hundreds partially meshed spoke-to-spoke connections | Thousands | Thousands | Thousands |
| Provisioning and Management | CLI, Cisco Security Manager | Cisco Security Manager and Cisco Router and Security Device Manager | Cisco Security Manager and Cisco Router and Security Device Manager | Configuration automatically pushed to remote sites from headend; headend policies defined in Cisco Security Manager or Cisco Router and Security Device Manager | Cisco Security Manager and Cisco Router and Security Device Manager |
| Topology | Hub and spoke; any-to-any | Hub and spoke; on-demand spoke-to-spoke partial mesh; spoke-to-spoke connections automatically terminated when no traffic present | Hub and spoke; small-scale meshing as manageability allows | Hub and spoke | Hub and spoke; small-scale meshing as manageability allows |
| Routing | Supported; Cisco GET-VPN any-to-any connectivity capability can also be used to provide secure routing across an entire router backbone | Supported | Supported | Not supported | Not supported |
| QoS | Supported | Supported | Supported | Supported, but QoS policy is not dynamically pushed to the remote sites | Supported |
| Multicast | Natively supported across MPLS and private IP networks; tunneled across Internet-based WANs | Tunneled | Tunneled | Not supported | Not supported |
| Non-IP Protocols | Not supported | Not supported | Supported | Not supported | Not supported |
| Private IP Addressing | Requires use of GRE or DMVPN with Cisco GET-VPN to support private addresses across public Internet backbones | Supported | Supported | Supported | Supported |
| High Availability | Routing | Routing | Routing | Stateless failover | Stateless failover |
