DMVPN vs MPLS VPN

DMVPN (Dynamic Multipoint VPN) and MPLS VPN are two of the most popular VPN mechanisms. In this post, we will compare DMVPN and MPLS VPN from many different aspects. By the end of this post, you will be more comfortable positioning these private VPN mechanisms.

DMVPN vs MPLS VPN

When we compare the two, we look at many different aspects. First of all, DMVPN is a Cisco proprietary, tunnel-based VPN mechanism, whereas MPLS VPN is a standards-based (RFC 2547), non-tunnel-based VPN mechanism. Whether an MPLS LSP is a tunnel or not is an open discussion in the networking community, but we won't restart that discussion here.

DMVPN and MPLS VPN over the Internet

Another important consideration for MPLS VPN vs DMVPN is that DMVPN can be set up over the Internet, but MPLS VPN works over private networks, whether Layer 2 or Layer 3 based. DMVPN tunnels can come up over the Internet, and routing protocols can run inside the tunnels to advertise the LAN subnets. MPLS VPN, on the other hand, requires a private network underlay.


Figure - DMVPN networks can run over the Internet or private networks

DMVPN vs MPLS VPN Security

Neither VPN mechanism comes with encryption by default. Many people think that DMVPN comes with IPsec; in fact, that is wrong. Only two standards-based technologies are mandatory for DMVPN: mGRE (Multipoint GRE) and NHRP (Next Hop Resolution Protocol). IPsec is optional for DMVPN. The same is true for MPLS VPN: IPsec or GETVPN can run over MPLS VPN, but they don't come together with it, which means that MPLS VPN doesn't require IPsec or GETVPN for its operation. This is true for DMVPN as well; it requires neither of them. Last but not least, on the security side of MPLS VPN vs DMVPN, GETVPN can provide the most scalable encryption method for both MPLS VPN and DMVPN.
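The point that IPsec is optional is easy to lose in a real deployment: a DMVPN tunnel with mGRE and NHRP configured comes up and passes traffic whether or not `tunnel protection ipsec profile` was ever applied to it. The following added example (mine, not the author's and not Cisco's) audits an IOS-style running-config for tunnel interfaces and reports which DMVPN tunnels carry traffic in cleartext. The configuration text is constructed for the demonstration, and the interface and profile names in it are assumptions.

```python
"""Audit an IOS-style running-config for DMVPN tunnels that lack IPsec.

Added example, not from the original post. Assumption: the config uses
Cisco IOS syntax for tunnel interfaces; the sample below is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: one cleartext DMVPN tunnel, one IPsec-protected
# DMVPN tunnel, and one plain point-to-point GRE tunnel for contrast.
SAMPLE_CONFIG = """\
hostname HUB1
!
crypto ipsec profile DMVPN-PROF
 set transform-set AES-GCM
!
interface Tunnel0
 description DMVPN cloud, mGRE + NHRP only
 ip address 10.0.0.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
!
interface Tunnel1
 description DMVPN cloud with IPsec profile applied
 ip address 10.0.1.1 255.255.255.0
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile DMVPN-PROF
!
interface Tunnel2
 description plain point-to-point GRE
 tunnel source GigabitEthernet0/2
 tunnel destination 203.0.113.10
!
end
"""


@dataclass
class Tunnel:
    """One 'interface TunnelN' block and its indented sub-commands."""
    name: str
    commands: List[str] = field(default_factory=list)

    @property
    def is_dmvpn(self) -> bool:
        # The two mandatory DMVPN building blocks are mGRE and NHRP.
        mgre = "tunnel mode gre multipoint" in self.commands
        nhrp = any(c.startswith("ip nhrp network-id") for c in self.commands)
        return mgre and nhrp

    @property
    def ipsec_profile(self) -> Optional[str]:
        for c in self.commands:
            m = re.match(r"tunnel protection ipsec profile (\S+)", c)
            if m:
                return m.group(1)
        return None


def parse_tunnels(config: str) -> List[Tunnel]:
    """Collect every Tunnel interface block from an IOS-style config."""
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for line in config.splitlines():
        if line.startswith("interface Tunnel"):
            current = Tunnel(name=line.split(None, 1)[1])
            tunnels.append(current)
        elif line.startswith(" ") and current is not None:
            current.commands.append(line.strip())
        else:
            current = None  # any non-indented line closes the block
    return tunnels


def defined_ipsec_profiles(config: str) -> Set[str]:
    """Names declared with 'crypto ipsec profile <name>'."""
    return set(re.findall(r"^crypto ipsec profile (\S+)", config, re.MULTILINE))


def audit(config: str) -> Dict[str, str]:
    """Verdict per tunnel: <dmvpn|gre>-ipsec, -cleartext, or -missing-profile."""
    profiles = defined_ipsec_profiles(config)
    verdicts: Dict[str, str] = {}
    for t in parse_tunnels(config):
        kind = "dmvpn" if t.is_dmvpn else "gre"
        if t.ipsec_profile is None:
            verdicts[t.name] = f"{kind}-cleartext"
        elif t.ipsec_profile not in profiles:
            verdicts[t.name] = f"{kind}-missing-profile"
        else:
            verdicts[t.name] = f"{kind}-ipsec"
    return verdicts


def cleartext_tunnels(config: str) -> List[str]:
    """Tunnels that carry traffic without a working IPsec profile, DMVPN or not."""
    return sorted(n for n, v in audit(config).items() if not v.endswith("-ipsec"))


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {verdict}")
```

Run against a saved `show running-config` the script lists every tunnel with a verdict; `Tunnel0` above is a fully functional DMVPN cloud that nonetheless sends everything across the underlay unencrypted, which is exactly the misunderstanding the section describes. The missing-profile check catches the related case where `tunnel protection` names a `crypto ipsec profile` that was never defined.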

MPLS over DMVPN

MPLS can run over DMVPN. The reason for doing so is to create even more scalable VPNs over DMVPN. Without MPLS, if many different business units need to communicate over DMVPN, segmenting their network traffic would require many different tunnels. With MPLS VPN over DMVPN, commonly known as the 2547 over DMVPN method, we don't need to create multiple DMVPN tunnels: with just a single DMVPN tunnel, we can carry many different business units by segmenting their traffic in a scalable manner.

DMVPN over MPLS VPN

DMVPN can run over MPLS VPN as well. DMVPN doesn't only run over the Internet; the underlay network for DMVPN can also be an MPLS network. In this case, DMVPN tunnel endpoint reachability is provided by the underlay MPLS VPN network. The underlay MPLS network can be an MPLS Layer 2 VPN or an MPLS Layer 3 VPN. In both cases, the MPLS VPN provides reachability between the DMVPN hub and spokes. Everything said so far about MPLS VPN vs DMVPN applies to every DMVPN phase: DMVPN Phase 1, DMVPN Phase 2, and DMVPN Phase 3.

Created by
Orhan Ergun

Orhan Ergun, CCIE/CCDE Trainer, Author of Many Networking Books, Network Design Advisor, and Cisco Champion 2019/2020/2021

He created OrhanErgun.Net 10 years ago and has been serving the IT industry with his renowned and awarded training.

He wrote many books, mostly on network design, contributed to many IETF RFCs, gave public talks at many forums, and mentored thousands of his students.

Today, with his carefully selected instructors, OrhanErgun.Net is providing IT courses to tens of thousands of IT engineers.