DMVPN versus FlexVPN Tidbit

I want to briefly dissect how DMVPN & FlexVPN are very similar in nature, but hit on some important differences in this tidbit. I will be covering some more in-depth labs relating to the two soon. So to start, FlexVPN is essentially the same as DMVPN in essence, and it is sometimes referred to as DMVPN "Phase 4".


DMVPN operates in three different phases. A high level of these 3 phases consist of:


Phase 1: All traffic flows through the hub.

Phase 2: Allows spoke-to-spoke tunnels.

Phase 3: Improves scalability of Phase 2. NHRP redirect and shortcuts take care of traffic.


Both FlexVPN & DMVPN use the same fundamental technologies which are:

  • IPsec

  • GRE/VTIs

  • NHRP

  • Routing

However, I want to cover some of the differences with FlexVPN. With FlexVPN IKEv2 is used instead of IKEv1, which allows granular configuration such as VRF or QoS. With DMVPN you have to rely on other protocols making it more complex. SVTIs & DVTIs are used which aides in providing additional flexibility (See more here: SVTIs & DVTIs Tidbit). NHRP is used to establish spoke-to-spoke tunnels, but there is no need to register with the hub. With FlexVPN we can rely on IPsec to introduce routing information. Lastly, with FlexVPN we have one standard, and not 3 unique phases.


I also want to cover the NHRP differences between the two:

  • DMVPN = uses NHRP for registration and resolution.

  • FlexVPN = uses NHRP only for resolution.

With FlexVPN we rely on IKEv2 routing which allows us to advertise a /32 route. This advertise route would be the remote tunnel interface address. This IKEv2 feature eliminates NHRP registration needs & allows communication between the hub & spoke/s.


See more about both technologies in other posts. Cheers!

0 comments

Recent Posts

See All

ASA MultiContext Mode Packet Classification Tidbit

In order to understand how traffic flows through the segregated contexts it is important to understand how the ASA determines the context in which it will send the packets. This process is known as c

ASA Security Contexts Tidbit

In this tidbit I want to explain what Cisco ASA Security Contexts are in this blog. A very plain & simple way to put it, security contexts are a way to logically divide the ASA into multiple logical

Fundamentals of PKI Tidbit

I want to touch on some of the fundamentals and standards involved with PKI to give us an overview of what things are/mean. To start let's cover what the standards are. So you have probably seen or