06-17-2010 07:40 PM - edited 03-04-2019 08:49 AM
My service provider is proposing that we procure MPLS service groups instead of point-to-point DS3s and T1s. They say our HQ gets an OC3, larger branches would get DS3 speed, and smaller sites will get T1 speed, all back to a service provider core router.
I was thinking of running GRE tunnels (encrypted as VTI tunnels) between all the sites, with access lists on the physical interfaces. That all makes sense to me on a point-to-point network (i.e. 1 GRE tunnel per point-to-point circuit).
My question is how do I architect my GRE tunnels? A full mesh of GRE tunnels seems like an n+1 problem that will become unwieldy. A partial mesh seems inefficient.
Or is there a design reference document that will give me some detailed options?
06-18-2010 09:52 AM
Tod,
You have a very good question. More and more enterprise networks are becoming concerned about security in the WAN. We don’t use translucent envelopes when mailing letters through the postal service; why would we transmit clear text packets outside the enterprise campus? MPLS VPN is private but not encrypted.
A scalable solution for IPSEC over an MPLS network is DMVPN.
http://www.cisco.ws/en/US/products/ps6658/index.html
This approach attempts to address the N+1 problems associated with typical GRE tunnels by using point-to-multipoint tunnels. It allows the enterprise to use its own routing domain between the sites, one that the service provider doesn't participate in. This also gets around a 'max route' attribute each MPLS VPNv4 is generally allocated. Given this, it's important not to redistribute between the service provider's routing protocol (typically BGP unless otherwise negotiated) and the enterprise routing domain.
If you have equipment that supports it, GET VPN looks like the latest and greatest in IPsec scalability.
Chris
06-17-2010 10:34 PM
Hi Larson,
What is the need for GRE tunnels? Isn't MPLS sufficient for you?
HTH
Hitesh Vinzoda
Pls rate useful posts
06-18-2010 04:12 AM
We want to run routing protocols and multicast, and encrypt all the traffic. IPsec-encrypted GRE tunnels fill the bill nicely. If there are better options, I am interested.
06-18-2010 04:31 AM
If you have opted for MPLS from a service provider, you will in any case have a separate VRF or VPN, and you can run the protocol of your choice if you speak with the ISP...
Also, when deploying large-scale GRE, keep in mind that these packets are process switched, not switched in hardware...
HTH
Hitesh Vinzoda
Pls rate useful posts
06-18-2010 08:48 PM
Chris,
DMVPN works like a champ in my lab. I love that I can add a new router without doing anything to the core router.
Thank you for the input.
Tod