DMVPN versus FlexVPN Tidbit

I want to briefly dissect how DMVPN & FlexVPN are very similar in nature, but hit on some important differences in this tidbit. I will be covering some more in-depth labs relating to the two soon. So to start, FlexVPN is essentially the same as DMVPN in essence, and it is sometimes referred to as DMVPN "Phase 4".

DMVPN operates in three different phases. A high level of these 3 phases consist of:

Phase 1: All traffic flows through the hub.

Phase 2: Allows spoke-to-spoke tunnels.

Phase 3: Improves scalability of Phase 2. NHRP redirect and shortcuts take care of traffic.

Both FlexVPN & DMVPN use the same fundamental technologies which are:

  • IPsec

  • GRE/VTIs

  • NHRP

  • Routing

However, I want to cover some of the differences with FlexVPN. With FlexVPN IKEv2 is used instead of IKEv1, which allows granular configuration such as VRF or QoS. With DMVPN you have to rely on other protocols making it more complex. SVTIs & DVTIs are used which aides in providing additional flexibility (See more here: SVTIs & DVTIs Tidbit). NHRP is used to establish spoke-to-spoke tunnels, but there is no need to register with the hub. With FlexVPN we can rely on IPsec to introduce routing information. Lastly, with FlexVPN we have one standard, and not 3 unique phases.

I also want to cover the NHRP differences between the two:

  • DMVPN = uses NHRP for registration and resolution.

  • FlexVPN = uses NHRP only for resolution.

With FlexVPN we rely on IKEv2 routing which allows us to advertise a /32 route. This advertise route would be the remote tunnel interface address. This IKEv2 feature eliminates NHRP registration needs & allows communication between the hub & spoke/s.

See more about both technologies in other posts. Cheers!


Recent Posts

See All

In this tidbit I want to cover some high level notes on general trustsec items as well as some good-to-knows. A brief overview of what trustsec is: TrustSec provides scalable access controls by uniqu

In this tidbit I will cover some ESA nice-to-know CLI commands & their purposes: > status = view counters/gauges; counters are a total of various events in the system; gauges show current utilization