DMVPN - Question

Carl Williams
Level 1

Hi All

Quick question really: I have a new requirement, and I need to modify my network to compensate for the encryption of traffic between PEs.

I'm obviously going to use DMVPN, which will require me to have mGRE deployed on the PEs.

Traffic will simply just traverse the core as plain old IP.

I may require VRF encryption; DMVPN seems to be the best solution here, also for VRF traffic protection.

CEs will be configured as spokes and PEs as hubs. Do you think three PEs as hubs will be difficult to configure?

Topology can be found below.

The one VRF should be encrypted between the three sites.

                                        ------  PE-3 ---- CE-3
CE-1 --- PE-1 ----- P1 ---- P2 ------ PE-2 ----- CE-2

3 Replies

Giuseppe Larosa
Hall of Fame

Hello Carl,

DMVPN can be used for CE-to-CE encryption without involving the PE nodes. In this way the L3 VPN is used just to export the "public" IP address of each CE node (the VRF access link).

Having the PE nodes to take part in encryption with customer devices is not desired by anyone. It does not make sense.

Encryption is also used to avoid that customer traffic can be sniffed within SP network.

Hope to help

Giuseppe

Hi Mate

So is it feasible to have a VRF encrypted tunnel between PE and CE?

Ultimately this is what we're going to require between customer sites.

regards

Carl Williams

Hi Carl,

As Giuseppe wrote in the previous post, the right choice would be to implement an end-to-end VPN solution directly between the CEs. PEs don't have to participate in the VPN tunnel. The connectivity will look something like the topology shown on my blog - http://eminent-ccie.blogspot.com/2010/07/ip-multicast-over-dmvpn-in-mpls-vpn.html (diagram).

Routing between CEs will be directly controlled by the CEs. Any of the CEs can be treated as the hub, the rest as spokes. Tunnel endpoints should be reachable using the direct path via the physical interface (not via the tunnel). LAN subnets behind each CE should be routed via the tunnel.

If you are specifically interested in ONLY a PE-CE encrypted tunnel, you can use static P2P IPsec tunnels between PE and CE. Traffic across the MPLS core will be unencrypted in this case. You'll need multiple encrypted tunnels per PE-CE connection. This configuration is rarely used and rarely needed.

For an end-to-end encrypted solution, you can look at GETVPN as well; it has more advantages and is recommended in these types of private MPLS scenarios.

HTH

Swap
