My service provider is proposing that we procure MPLS service groups instead of point-to-point DS3s and T1s. They say our HQ gets an OC3, larger branches would get DS3 speed, and smaller sites will get T1 speed, all back to a service provider core router.
I was thinking of running GRE tunnels (encrypted as VTI tunnels) between all the sites with access lists on the physical interfaces. That all makes sense to me on a point-to-point network (i.e. one GRE tunnel per point-to-point circuit).
My question is how do I architect my GRE tunnels? A full mesh of GRE tunnels seems like an n+1 problem that will become unwieldy. A partial mesh seems inefficient.
Or is there a design reference document that will give me some detailed options?
You have a very good question. More and more enterprise networks are becoming concerned about security in the WAN. We don’t use translucent envelopes when mailing letters through the postal service; why would we transmit clear text packets outside the enterprise campus? MPLS VPN is private but not encrypted.
A scalable solution for IPSEC over an MPLS network is DMVPN.
This approach attempts to address the N+1 problems associated with typical GRE tunnels by using point-to-multipoint tunnels. It allows the enterprise to use its own routing domain between the sites that the service provider doesn’t participate in. This also gets around a ‘max route’ attribute each MPLS VPNv4 is generally allocated. Given this, it’s important not to redistribute between the service provider’s routing protocol (typically BGP unless otherwise negotiated) and the enterprise routing domain.
If you have equipment that supports it, GET VPN looks like the latest and greatest in IPSEC scalability.