This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

LSVPN versus Cisco DMVPN

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LSVPN versus Cisco DMVPN

Brandon_Wertz
L6 Presenter

‎02-20-2017 07:55 AM

Looking for some feedback on anyone's experience with both/either.

 

In the Cisco realm say a mesh of 50 some sites each router has a tunnel between each site and a connection can go direct to the other location because routing is shared across the entire mesh.

 

In Palo's LSVPN solution is that how it works as well?  Are routes shared between each site's PA device and subsequently a host at each site could talk direct to the other site without having to go through a middle-man?

 

 

Also any gotcha's you might have seen in Palo's LSVPN design?

 

Thanks,

Brandon

1 person had this problem.
0 Likes Likes
3 REPLIES 3

pulukas
L7 Applicator

‎02-21-2017 06:36 AM

LSVPN is really aimed at simplifying the configuration deploy and not really at routing performance.  The LSVPN config basically sets up a mesh of SSL VPN between the sites and the hub that can be deployed via Panorama simply.

 

If you have a large hub and spoke setup with an experienced network team I would recommend building route based vpn for the setup.  You can use limited templates to simplify the process but it is more work to get up and running.  But in the end this will be a more traditional routed network setup that performs at higher levels and is easier to troubleshoot in my opinion.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

OtakarKlier
Cyber Elite
Cyber Elite
In response to pulukas

‎02-21-2017 01:16 PM

Hello PuLucas, 

Would a dynamic protocol such as OSPF overcome the routing?

 

Thouhgts?

0 Likes Likes

David_Ibrahim
L0 Member
In response to pulukas

‎11-02-2020 09:41 AM

Hi @pulukas ,

 

I just want to be sure that I understand what you said here. Please correct me if I am wrong. 

"If you have a large hub and spoke setup with an experienced network team I would recommend building route based vpn for the setup."  I honestly do not understand what you mean by route-based VPN.

 

Are you saying that you recommend individual IPSec S2S VPN tunnels between hub and spokes compared to DMVPN?

 

Thanks.

0 Likes Likes
  • 7813 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks