Cisco Group Encrypted Transport VPN (GET VPN)

Have you ever deployed Cisco Group Encrypted Transport VPN (GET VPN) in a production environment? GET VPN is designed to encrypt traffic over private MPLS/VPLS and eliminates the requirement to build a tunnel. GET VPN is on the security blueprint.

Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS XE Release 3S - Cisco Group Encrypted Transport VPN [Support] - Cisco

Find more posts tagged with

SAVE $250 on Your CISCO Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View CISCO Boot Camps

Comments

Danielh22185

Network_Engineer wrote: »

Have you ever deployed Cisco Group Encrypted Transport VPN (GET VPN) in a production environment? GET VPN is designed to encrypt traffic over private MPLS/VPLS and eliminates the requirement to build a tunnel. GET VPN is on the security blueprint.

Cisco Group Encrypted Transport VPN Configuration Guide, Cisco IOS XE Release 3S - Cisco Group Encrypted Transport VPN [Support] - Cisco

I haven't deployed it before but maintain it. My company uses GET VPN all over the place for WAN / Branch site connectivity back to our DCs. I enjoy it but need to learn a lot more about it from a deployment standpoint.

Thanks for the link too!

malcybood

I think DMVPN is the preferred encryption method for most companies, especially as it lays the foundation for iWAN and allows companies to be transport independent. It also means that the reliance for the ISP to support technologies such as IPV6 and multicast is less as customers can run these features over the DMVPN mGRE tunnels.

The main thing to remember about GET VPN is that it does not create tunnels and the original IP header remains unchanged across the transit, whereas with DMVPN and IPSec a new IP header is added.

With GET VPN only the payload is encrypted meaning the underlying transport i.e. MPLS network would need to support multicast etc natively.

Because the GET VPN IP header doesn't change, it is only used within private networks and is not used on the internet as the source IP address will typically be an RFC1918 address that can't be routed on the internet.

For the reasons above GET VPN is only used on internal MPLS / VPLS / P2P networks and DMVPN is used when there is internet based multipoint VPN within the customer requirements.

From a migration perspective in respect to adding an encryption overlay GET VPN is more graceful as you can switch the feature on in a per node basis using the "Receive Only SA" feature meaning some sites can be configured for GET and others can still communicate directly pre-deployment.

DMVPN you need to trombone through a transit site / data centre when routing betweeen DMVPN and unencrypted sites, similar to if you were migrating between two service providers.