Unanswered Question
Jul 23rd, 2008

Hi!

I'm a network admin for a small company. We have offices in a few countries and recently ordered managed circuits from Orange Business Services. Up to now we have been running VPNs over the Internet.

I know MPLS and MP-BGP quite well, and the plan is (hopefully not was) to run MPLS between the offices to be able to separate different security zones without having to use ACLs, firewalls, etc. Our company has different divisions that need full separation.

So, the platform I chose is the 2811 + sec bundle. In a lab I have set up a full mesh of GRE tunnels, running OSPF/MP-BGP and mpls ip on the GRE interfaces. All works quite well. I add the encryption on top and it works if I use ESP (not AH).

We are going to be running GRE tunnels over Orange and also over the Internet as backup. We are price sensitive.

I'm looking for a validation of this setup. Is this OK? It's not the strongest platform, but circuit speed is around 10-20 Mbps.

Is there some other tunneling technology that I should be using?

Any other general thoughts on a setup like this?

I used an IPsec profile configuration on the GRE tunnel. I'm looking to minimize the overhead. Encryption is perhaps not the biggest issue over the OBS network, so if there is a faster, better way, I would be really interested.

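For the overhead question in the post above, an added example (not part of the thread and not the poster's configuration) that computes the on-wire size of one customer packet carried as MPLS over GRE, with and without ESP. Assumptions not taken from the thread: IPv4 outer headers, a basic 4-byte GRE header, two MPLS labels, and ESP with AES-CBC plus HMAC-SHA1-96.

```python
# Added example: per-packet size of MPLS-over-GRE protected by IPsec ESP.
# Assumed (not from the thread): IPv4 outer header, basic 4-byte GRE header,
# ESP with AES-CBC (16-byte IV/block) and HMAC-SHA1-96 (12-byte ICV).
IPV4, GRE, MPLS_LABEL = 20, 4, 4
ESP_HDR, ESP_IV, ESP_BLOCK, ESP_TRAILER, ESP_ICV = 8, 16, 16, 2, 12


def wire_size(inner_len, labels=2, mode="transport"):
    """Bytes on the wire for one customer IP packet of inner_len bytes."""
    if mode not in ("transport", "tunnel", "none"):
        raise ValueError("mode must be transport, tunnel or none")
    gre_packet = GRE + labels * MPLS_LABEL + inner_len
    if mode == "none":                      # plain GRE, no encryption
        return IPV4 + gre_packet
    # Transport mode encrypts the GRE packet and reuses its IP header;
    # tunnel mode encrypts the whole GRE/IP packet and adds a new IP header.
    plaintext = gre_packet if mode == "transport" else IPV4 + gre_packet
    # ESP pads plaintext + 2-byte trailer up to the cipher block size.
    padded = -(-(plaintext + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return IPV4 + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner(link_mtu=1500, labels=2, mode="transport"):
    """Largest customer packet that fits link_mtu without fragmentation."""
    for inner_len in range(link_mtu, 0, -1):
        if wire_size(inner_len, labels, mode) <= link_mtu:
            return inner_len
    raise ValueError("link MTU too small for the encapsulation")


if __name__ == "__main__":
    for mode in ("none", "transport", "tunnel"):
        print(mode, wire_size(1400, mode=mode), max_inner(mode=mode))
```

The `max_inner` result is the value to compare against the tunnel interface MTU, so that encrypted packets are not fragmented on the provider circuit.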
Giuseppe Larosa Wed, 07/23/2008 - 13:35

Hello Benedikt,

You can check with Orange if they can provide a Carrier Supporting Carrier service and see how it is priced.

In this way you wouldn't need the GRE tunnel mesh over the Orange VPN service.

About your solution, I'm afraid about performance, because 20 Mbps is fine for a 2811 but without using GRE and encryption, even if you have a HW security module on board.

The CSC could be lighter at the forwarding level.

Security issues are reduced in an MPLS VPN service.

Give a look at the following link:

Hope to help


