How to protect myself from MPLS service groups

Tod Larson
Level 3

My service provider is proposing that we procure MPLS service groups instead of point-to-point DS3s and T1s. They say our HQ gets an OC3, larger branches would get DS3 speed, and smaller sites will get T1 speed, all back to a service provider core router.

I was thinking of running GRE tunnels (encrypted as VTI tunnels) between all the sites, with access lists on the physical interfaces. That all makes sense to me on a point-to-point network (i.e. 1 GRE tunnel per point-to-point circuit).

My question is how do I architect my GRE tunnels? A full mesh of GRE tunnels seems like an n+1 problem that will become unwieldy. A partial mesh seems inefficient.

Or is there a design reference document that will give me some detailed options?

Accepted Solution

Tod,

You have a very good question.  More and more enterprise networks are becoming concerned about security in the WAN.  We don’t use translucent envelopes when mailing letters through the postal service; why would we transmit clear text packets outside the enterprise campus?  MPLS VPN is private but not encrypted.

A scalable solution for IPSEC over an MPLS network is DMVPN.

http://www.cisco.ws/en/US/products/ps6658/index.html


This approach attempts to address the N+1 problems associated with typical GRE tunnels by using point-to-multipoint tunnels. It allows the enterprise to use its own routing domain between the sites, which the service provider doesn't participate in. This also gets around a 'max route' attribute each MPLS VPNv4 is generally allocated. Given this, it's important not to redistribute between the service provider's routing protocol (typically BGP unless otherwise negotiated) and the enterprise routing domain.

If you have equipment that supports it, GET VPN looks like the latest greatest in IPSEC scalability.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html

Chris
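As an added example (not code from this thread, from Chris, or from the linked Cisco documents): a minimal DMVPN hub and spoke configuration in Cisco IOS syntax that implements the design described above, with one mGRE tunnel per router protected by an IPsec profile, NHRP for spoke registration, the enterprise IGP confined to the overlay with no redistribution to or from the provider's BGP, and an ingress access list on the MPLS-facing interface so the physical link accepts only IKE, ESP and the provider BGP session. The addresses (198.51.100.0/24 and 198.51.101.0/24 for the PE-CE links, 10.255.0.0/24 for the overlay), interface names, AS numbers, the choice of EIGRP as the overlay IGP and the key placeholders are all assumptions.

```cisco
! === Hub (HQ) ===========================================================
! Crypto policy shared by hub and spokes. The PSK and NHRP auth strings are
! placeholders; a wildcard PSK is used for brevity, per-peer keys or
! certificates are preferable in production. All addresses are constructed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Only IKE (500), NAT-T (4500) and ESP from overlay peers, plus the BGP
! session with the provider PE (198.51.100.254), are accepted on the
! physical MPLS-facing interface. GRE itself is never exposed: it rides
! inside ESP because of "tunnel protection" below.
ip access-list extended WAN-IN
 permit udp any host 198.51.100.1 eq isakmp
 permit udp any host 198.51.100.1 eq non500-isakmp
 permit esp any host 198.51.100.1
 permit tcp host 198.51.100.254 host 198.51.100.1 eq bgp
 permit tcp host 198.51.100.254 eq bgp host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/0
 description MPLS service group (provider-facing)
 ip address 198.51.100.1 255.255.255.0
 ip access-group WAN-IN in
!
! One multipoint GRE tunnel on the hub serves every spoke; spokes register
! with NHRP, so adding a branch needs no change on the hub.
interface Tunnel0
 description DMVPN hub mGRE
 ip address 10.255.0.1 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-AUTH-PLACEHOLDER>
 ip nhrp map multicast dynamic
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp redirect
 no ip split-horizon eigrp 100
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
! The enterprise IGP runs only over the overlay (10.0.0.0/8 here). BGP with
! the provider carries only the WAN subnet; nothing is redistributed in
! either direction, keeping the provider's VPNv4 route limit out of play.
router eigrp 100
 network 10.0.0.0 0.255.255.255
 passive-interface default
 no passive-interface Tunnel0
!
router bgp 65001
 neighbor 198.51.100.254 remote-as 65000
 network 198.51.100.0 mask 255.255.255.0
!
! === Spoke (branch) =====================================================
! Same crypto policy, transform set, profile and WAN-IN pattern as the hub,
! with its own addresses (198.51.101.2 on GigabitEthernet0/0, PE at
! 198.51.101.254) substituted, then the tunnel pointing at the hub as NHS:
interface Tunnel0
 description DMVPN spoke mGRE
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-AUTH-PLACEHOLDER>
 ip nhrp map 10.255.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp holdtime 600
 ip nhrp nhs 10.255.0.1
 ip nhrp shortcut
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
```

After bringing a spoke up, `show dmvpn` should list the spoke's NHRP registration on the hub, `show crypto ipsec sa` should show an ESP SA per peer, and `show ip eigrp neighbors` on the hub should show only Tunnel0 adjacencies; the absence of any `redistribute` line under either routing process is the point Chris makes about keeping the two routing domains apart.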


5 Replies

Hitesh Vinzoda
Level 4

Hi Larson,

What is the need for GRE tunnels? Isn't MPLS sufficient for you?

HTH

Hitesh Vinzoda

Pls rate useful posts

We want to run routing protocols and multicast and encrypt all the traffic. IPsec-encrypted GRE tunnels fill the bill nicely. If there is a better option I am interested.

If you have opted for MPLS from a service provider... anyhow you will have a separate VRF or VPN and you would be running the protocol of your choice if you speak with the ISP...

Also, when deploying large-scale GRE, keep in mind that these packets are process-switched, not switched in hardware...

HTH

Hitesh Vinzoda

Pls rate useful posts


Chris,

DMVPN works like a champ in my lab.  I love that I can add a new router without doing anything to the core router.

Thank you for the input.

Tod
