I have a new challenge in my MPLS network. This is the VRF encryption. I need to configure some encrypted VRFs and I don't have any idea how to do it.
If somebody has some ideas about this subject, please shoot me.
Thanks in advance,
Oops, encrypting all PE to PE traffic is a different beast. PE to PE traffic is MPLS labeled (ethertype 0x8847) and not IPv4 (ethertype 0x0800), hence IPSec will not encrypt it. You need to make it "look like IPv4". The only solution I can think of: configure GRE tunnels between the PE routers, encrypt them and enable MPLS and routing on the GRE tunnel interfaces. You need to make sure that your BGP next-hop addresses are routed through the GRE tunnel. This works, but be aware that you need to pay special attention to MTU related issues. Make sure your customer gets 1500 bytes end-to-end, which means additional overhead because of additional MPLS labels and IPSec/GRE headers.
MPLS TE is adding additional complexity. Turning on MPLS TE over your encrypted GRE tunnels does not bring any advantage as far as I can see now, if you create a full mesh of GRE tunnels. You could use MPLS TE to transport your encrypted GRE traffic adding even more overhead ...
As you can see, the solution is quite complex and you might want to consider encrypting CE to CE traffic, which should be simpler. But if your requirements rule out this solution there is little choice.
Hope this helps! Please use the rating system.
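
The MTU caveat in the reply above, worked through as an added example that is not part of the original thread: it computes the size of a customer packet on the core after MPLS labels, GRE and ESP are added, including ESP padding, and the largest customer packet a given core MTU can carry. Assumptions: IPv4 outer header without options, base GRE header, two MPLS labels by default, no NAT-T, and the two ESP transforms listed; the function names are hypothetical.

```python
# Added example: byte accounting for customer IP -> MPLS labels -> GRE -> ESP.
IPV4_HDR = 20      # outer IPv4 header, no options (assumption)
GRE_HDR = 4        # base GRE header, no key/checksum/sequence (assumption)
MPLS_LABEL = 4     # one MPLS label stack entry
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# ESP parameters per transform: (IV bytes, padding alignment, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-gcm-16": (8, 4, 16),
}


def core_packet_size(customer_len, labels=2,
                     transform="aes-cbc/hmac-sha1-96", tunnel_mode=False):
    """Size on the core link of one customer IP packet of customer_len bytes."""
    iv, align, icv = TRANSFORMS[transform]
    # Bytes ESP protects: GRE header, label stack, customer packet.
    protected = GRE_HDR + labels * MPLS_LABEL + customer_len
    if tunnel_mode:
        # Tunnel mode also encrypts the GRE delivery IP header.
        protected += IPV4_HDR
    # ESP pads so that payload + trailer is a multiple of the alignment.
    pad = -(protected + ESP_TRAILER) % align
    return IPV4_HDR + ESP_HDR + iv + protected + pad + ESP_TRAILER + icv


def max_customer_packet(core_mtu, **kwargs):
    """Largest customer packet that fits core_mtu without fragmentation."""
    size = core_mtu
    while size > 0 and core_packet_size(size, **kwargs) > core_mtu:
        size -= 1
    return size


if __name__ == "__main__":
    for name in TRANSFORMS:
        for tunnel in (False, True):
            mode = "tunnel" if tunnel else "transport"
            need = core_packet_size(1500, transform=name, tunnel_mode=tunnel)
            fits = max_customer_packet(1500, transform=name, tunnel_mode=tunnel)
            print(f"{name:22} {mode:9} core MTU for 1500: {need}  "
                  f"max customer at core MTU 1500: {fits}")
```

The core MTU has to be at least the first figure for the customer to get 1500 bytes end-to-end; otherwise the second figure is what the customer actually gets without fragmentation.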