How to protect myself from MPLS service groups

Answered Question
Jun 17th, 2010

My service provider is proposing us procuring MPLS service groups instead of point to point DS3s and T1s.  They say our HQ gets an OC3 and larger branches would get DS3 speed and smaller sites will get T1 speed all back to a service provider core router.


I was thinking to run GRE tunnels (encrypted as VTI tunnels) between  all the sites with access lists on the physical interfaces.  That all makes sense to me on a point to point network (ie. 1 GRE tunnel per point to point circuit).


My question is how do I architect my GRE tunnels?  A full mesh of GRE tunnels seems like an n+1 problem that will become unwieldy.  A partial mesh seems inefficient.


Or is there a design reference document that will give me some detailed options?

Hitesh Vinzoda Thu, 06/17/2010 - 22:34

Hi Larson,


What is the need of GRE tunnels? Isn't MPLS sufficient for you?


HTH


Hitesh Vinzoda


Pls rate useful posts

Tod Larson Fri, 06/18/2010 - 04:12

We want to run routing protocols, multicast and encrypt all the traffic.  IPsec encrypted GRE tunnels fill the bill nicely.  If there are better options I am interested.

Hitesh Vinzoda Fri, 06/18/2010 - 04:31

If you have opted for MPLS from the service provider... anyhow you will have a separate VRF or VPN and you would be running the protocol of your choice if you speak with the ISP...


Also when deploying large scale GRE, keep in mind that these packets are process switched not switched in hardware...


HTH


Hitesh Vinzoda


Pls rate useful posts

Correct Answer
gatlin007 Fri, 06/18/2010 - 09:52

Tod,

You have a very good question.  More and more enterprise networks are becoming concerned about security in the WAN.  We don’t use translucent envelopes when mailing letters through the postal service; why would we transmit clear text packets outside the enterprise campus?  MPLS VPN is private but not encrypted.

A scalable solution for IPSEC over an MPLS network is DMVPN.

http://www.cisco.ws/en/US/products/ps6658/index.html


This approach attempts to address the N+1 problems associated with typical GRE tunnels by using point-to-multipoint tunnels.  It allows the enterprise to use its own routing domain between the sites that the service provider doesn’t participate in.  This also gets around a ‘max route’ attribute each MPLS VPNv4 is generally allocated.  Given this it’s important to not redistribute between the service provider's routing protocol (typically BGP unless otherwise negotiated) and the enterprise routing domain.


If you have equipment that supports it, GET VPN looks like the latest greatest in IPSEC scalability.


http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html





Chris

Tod Larson Fri, 06/18/2010 - 20:48

Chris,

DMVPN works like a champ in my lab.  I love that I can add a new router without doing anything to the core router.


Thank you for the input.

Tod
