MPLS over encryption

Unanswered Question
May 31st, 2010

Hello Friend,

Need your help on MPLS over-relay setup encryption.

I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.

CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it enters the other end LAN.

Basically looking for encryption from CE to CE. Is there any way to do this?



Giuseppe Larosa Mon, 05/31/2010 - 11:52

Hello Naren,

CE to CE encryption is not a problem.

As discussed in a recent thread, you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.

For DMVPN you can refer to the solution reference network design

Another design guide for enterprises using MPLS L3 VPN services

I've tested DMVPN over an MPLS L3 VPN and it works well.

GETVPN is a more recent security framework that can be considered too.

Hope to help


bkccards64 Sun, 06/12/2011 - 14:31

Follow-up question, if I may...

Is it possible to stage a DMVPN (or GETVPN) one branch at a time, rather than have to implement all WAN endpoints at the same time?  Specifically, if we rolled out the DMVPN/GETVPN headend router(s) at HQ for the purpose of encrypting connectivity over the MPLS network, would all of the remote locations lose connectivity until they were configured for DMVPN as well, or could all of these sites still communicate with each other (and the headend) until time allowed for them to be reconfigured?

This will obviously become a very big issue for larger networks, so I'm hoping the MPLS can support DMVPN and non-DMVPN connectivity during a transition/migration period.  I've been through the Design Guide, but it doesn't seem to address this question.

Thank you!

Giuseppe Larosa Mon, 06/13/2011 - 13:12

Hello Bkccards64,

With DMVPN this should be possible, as from a routing point of view you use a different routing protocol over the DMVPN (at least a different process): when you add a new site to DMVPN, the routes of the site will disappear from the external routing domain (the one used in MPLS L3 VPN) and will appear as coming from the DMVPN hub(s).

So actually you will have, for some time, some level of non-optimal paths, but with the advantage of allowing for a smooth transition.

Hope to help


bkccards64 Tue, 06/14/2011 - 06:26

K, just to make sure, Giuseppe:

This would work even if the customer is not rolling out DMVPN as a backup solution over the Internet?  Meaning, each router will have a single WAN connection/interface, so for the above to be supported (stage migration of the network over to DMVPN), a node would have to be able to communicate over that single interface to both DMVPN and non-DMVPN endpoints.

Thanks again!

Giuseppe Larosa Sat, 06/18/2011 - 11:20

Hello BKccards64,

I'm sorry for the late answer.

Yes, even if the DMVPN is deployed over the same L3 VPN topology, as I have explained in the previous post, it should be possible to perform a smooth migration.

Hope to help
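
Added example, not part of the original posts and not taken from the Cisco design guides: a constructed Cisco IOS configuration for one migrated branch CE with a single WAN interface, showing the split described in the two replies above, where the LAN prefix is advertised only through the encrypted DMVPN overlay process while BGP toward the PE carries only the tunnel source subnet. All addresses, AS numbers, interface names, process numbers and key strings are placeholders, and it assumes the customer controls the router that terminates the tunnel.

```ios
! Constructed example: migrated branch CE with ONE WAN interface toward the PE.
! All names, addresses, AS numbers and keys are placeholders (assumptions).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Scope the pre-shared key to the WAN range used for tunnel endpoints,
! not 0.0.0.0 0.0.0.0; certificates (PKI) avoid a shared key entirely.
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.0 255.255.255.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface GigabitEthernet0/0
 description Single WAN link to PE (MPLS L3 VPN underlay)
 ip address 198.51.100.10 255.255.255.252
!
interface Tunnel0
 description DMVPN overlay, encrypted CE to CE
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-KEY>
 ! Hub: overlay address 10.255.0.1, underlay (WAN) address 198.51.100.2
 ip nhrp map 10.255.0.1 198.51.100.2
 ip nhrp map multicast 198.51.100.2
 ip nhrp nhs 10.255.0.1
 ip nhrp network-id 1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
!
! Overlay routing process: the branch LAN (10.11.0.0/16 here) is advertised
! ONLY inside the tunnel, so traffic to it is always encrypted.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.11.0.0 0.0.255.255
!
! Underlay routing to the PE: advertise only the WAN subnet that sources the
! tunnel. The LAN prefix is withdrawn from BGP at cut-over, so non-migrated
! sites reach it via the hub, which advertises overlay-learned prefixes to its
! PE. Never advertise the WAN subnet into EIGRP (recursive routing).
router bgp 65011
 neighbor 198.51.100.9 remote-as 64500
 network 198.51.100.8 mask 255.255.255.252
```

After cut-over, `show crypto ipsec sa` and `show ip route 10.11.0.0` on a remote site are the quick checks that the branch LAN is reached through Tunnel0 and that packets are being encapsulated rather than sent in clear over the L3 VPN.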


PIKH170488 Tue, 07/15/2014 - 12:36

Hi All,

I have a similar requirement and am running BGP between CE and PE, MPLS VPN between PE, P and PE. I need a solution to encrypt the traffic between two CEs.

Please advise here. Thanks in advance!

PIKH170488 Tue, 07/15/2014 - 12:33

Hi All,


I have a similar requirement and am running BGP between CE and PE, MPLS VPN between PE, P and PE. I need a solution to encrypt the traffic between two CEs.

Please advise here. Thanks in advance!


Posted May 31, 2010 at 8:35 AM