Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DMVPN - Question

Hi All

Quick question really, I have a new requirement i need to modify my network to compensate for the encryption of traffic between PE's.

I'm obviously going to use DMVPN which will require me to have MGRE deployed on the PE's.

Traffic will simply just traverse the core as plain old IP.

I may require VRF encryption DMVPN seems to be the best solution here, also for vrf traffic protection

CE's will be configured as spokes and PE's as Hubs. Do you think three PE's as hubs will be difficult to configure.  

Topology can be found below.

The one VRF should be encrypted between the three sites.

                                        ------  PE-3 ---- CE-3

CE-1 --- PE-1 ----- P1 ---- P2 ------ PE-2 ----- CE-2

Hall of Fame Super Silver

Re: DMVPN - Question

Hello Carl,

DMVPN can be used for CE to CE encryption without involving the PE nodes, in this way the L3 VPN is used just to export the "public" IP address of each CE node = VRF access link

Having the PE nodes to take part in encryption with customer devices is not desired by anyone. It does not make sense.

Encryption is also used to avoid that customer traffic can be sniffed within SP network.

Hope to help


New Member

Re: DMVPN - Question

Hi Mate

So is it feasible to have a VRF encrpted tunnel, between PE and CE.

Altimately this is what we're going to require between customer sites.


Carl Williams

New Member

Re: DMVPN - Question

hi Carl,

As Giuseppe wrote in the previous post, the right choice would be to implement an end-to-end VPN solution directly between the CEs. PEs dont have to participate in the VPN tunnel.The connectivity will look something like as shown in the topology on my blog - (diagram)

Routing between CEs will be directly controlled by the CE. Any of the CE can be treated as Hub, rest as spokes. Tunnel endpoints should be reachable using the direct path via physical intterace (not via tunnel). LAN subnets across each CE should be routed via tunnel.

IF you are specifically interested for ONLY PE-CE encrypted tunnel, you can use static P2P IPSEC tunnels between PE-CE. Traffic across the MPLS core will be unencrypted in this case. You'll need multiple encrypted tunnels per PE-CE connection. This configuration is rarely used and needed.

For end-to-end encrypted solution, you can look for GETVPN solution as well, it has more advntages and recommened in these type of private MPLS scenarios.



#19804 x2

CreatePlease to create content