New Member

MPLS over encryption

Hello Friend,

Need your help on MPLS over-relay setup encryption.

I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.

The CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it enters the LAN at the other end.

Basically I am looking for encryption from CE to CE. Is there any way to do this?

Regards,

Naren

Hall of Fame Super Silver

Re: MPLS over encryption

Hello Naren,

CE to CE encryption is not a problem.

As discussed in a recent thread you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.

For DMVPN you can refer to the solution reference network design:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html

Another design guide, for enterprises using MPLS L3 VPN services:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwane.html

I've tested DMVPN over an MPLS L3 VPN and it works well.

GETVPN is a more recent security framework that can be considered too.

Hope to help

Giuseppe

New Member

Re: MPLS over encryption

Follow-up question, if I may...

Is it possible to stage a DMVPN (or GETVPN) one branch at a time, rather than have to implement all WAN endpoints at the same time?  Specifically, if we rolled out the DMVPN/GETVPN headend router(s) at HQ for the purpose of encrypting connectivity over the MPLS network, would all of the remote locations lose connectivity until they were configured for DMVPN as well, or could all of these sites still communicate with each other (and the headend) until time allowed for them to be reconfigured?

This will obviously become a very big issue for larger networks, so I'm hoping the MPLS can support DMVPN and non-DMVPN connectivity during a transition/migration period.  I've been through the Design Guide, but it doesn't seem to address this question.

Thank you!

Hall of Fame Super Silver

MPLS over encryption

Hello Bkccards64,

With DMVPN this should be possible, because from a routing point of view you use a different routing protocol over the DMVPN (at least a different process): when you add a new site to DMVPN, the routes of the site will disappear from the external routing domain (the one used in the MPLS L3 VPN) and will appear as coming from the DMVPN hub(s).

So for some time you will actually have some level of non-optimal paths, but with the advantage of allowing for a smooth transition.

Hope to help

Giuseppe
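
An added configuration sketch of the staged migration described in the reply above, for one migrated spoke CE; it is not part of the original thread and not taken from the Cisco design guides. All addresses, AS numbers, the EIGRP process number, object names and the key placeholder are assumptions chosen for illustration.

```cisco
! Migrated spoke CE, single WAN interface. All values are constructed placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface GigabitEthernet0/0
 description WAN link to the MPLS PE (underlay)
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Site LAN
 ip address 10.10.1.1 255.255.255.0
!
interface Tunnel0
 description DMVPN overlay carried across the MPLS L3 VPN
 ip address 172.16.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp network-id 1
 ip nhrp map 172.16.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp nhs 172.16.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! Underlay: eBGP to the PE advertises only the WAN subnet (the tunnel endpoint).
! The "network 10.10.1.0 mask 255.255.255.0" statement is removed at cut-over,
! so the LAN prefix leaves the MPLS L3 VPN routing domain.
router bgp 65010
 neighbor 192.0.2.1 remote-as 64500
 network 192.0.2.0 mask 255.255.255.252
!
! Overlay: a separate process carries the LAN prefix over the tunnel only.
! The hub's WAN address (198.51.100.1) must stay out of it to avoid recursive routing.
router eigrp 100
 network 172.16.0.0 0.0.0.255
 network 10.10.1.0 0.0.0.255
 passive-interface GigabitEthernet0/1
```

Sites that have not been migrated keep their LAN prefix in BGP and stay reachable over the same WAN interface, unencrypted. They reach a migrated site's LAN through the prefix the hub re-advertises into the L3 VPN, which is the non-optimal path mentioned in the reply.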

New Member

Re: MPLS over encryption

K, just to make sure, Giuseppe:

This would work even if the customer is not rolling out DMVPN as a backup solution over the Internet?  Meaning, each router will have a single WAN connection/interface, so for the above to be supported (stage migration of the network over to DMVPN), a node would have to be able to communicate over that single interface to both DMVPN and non-DMVPN endpoints.

Thanks again!

Hall of Fame Super Silver

MPLS over encryption

Hello BKccards64,

I'm sorry for the late answer.

Yes, even if the DMVPN is deployed over the same L3 VPN topology, as I explained in my previous post, it should be possible to perform a smooth migration.

Hope to help

Giuseppe

New Member

Hi All,

I have a similar requirement and am running BGP between CE and PE, and MPLS VPN between PE, P and PE. I need a solution to encrypt the traffic between two CEs.

Please advise here. Thanks in advance!
