Cisco Support Community
New Member

VRF encryption

Hello guys,

I have a new challenge in my MPLS network: VRF encryption. I need to configure some encrypted VRFs and I don't have any idea how to do it.

If somebody has some ideas about this subject, please shoot me.

Thanks in advance,

Alexandru

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: VRF encryption

Hi,

Oops, encrypting all PE to PE traffic is a different beast. PE to PE traffic is MPLS labeled (ethertype 0x8847) and not IPv4 (ethertype 0x0800), hence IPSec will not encrypt it. You need to make it "look like IPv4". The only solution I can think of: configure GRE tunnels between the PE routers, encrypt them and enable MPLS and routing on the GRE tunnel interfaces. You need to make sure that your BGP next-hop addresses are routed through the GRE tunnel. This works, but be aware that you need to pay special attention to MTU-related issues. Make sure your customer gets 1500 bytes end-to-end, which means additional overhead because of additional MPLS labels and IPSec/GRE headers.

MPLS TE adds additional complexity. Turning on MPLS TE over your encrypted GRE tunnels does not bring any advantage as far as I can see now, if you create a full mesh of GRE tunnels. You could use MPLS TE to transport your encrypted GRE traffic, adding even more overhead ...

As you can see, the solution is quite complex and you might want to consider encrypting CE to CE traffic, which should be simpler. But if your requirements rule out this solution there is little choice.

Hope this helps! Please use the rating system.

Regards, Martin
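The design Martin describes (GRE tunnels between the PEs, IPsec on the tunnels, MPLS and an IGP inside them, BGP next-hops reachable only through the tunnel) as an added example IOS configuration. This is not from the original thread or from Cisco documentation; it is one way to lay it out. All addresses, the VRF name CUST-A, the AS number 65000, the transform-set/profile names and the MTU figures are assumptions for illustration, and the MTU values in particular depend on the cipher, ESP padding, label depth and what the platform accepts.

```cisco
! PE1 side. PE2 is the mirror image with the .1 / .2 addresses swapped.
! Addressing (assumed): 10.0.0.x/32 tunnel endpoints (core IGP only),
! 10.1.1.x/32 BGP/LDP next-hops (reachable only through the tunnel),
! 10.255.0.0/30 tunnel link, 198.51.100.0/30 core link, 203.0.113.0/30 CE link.
!
ip vrf CUST-A
 rd 65000:100
 route-target both 65000:100
!
! --- IKE / IPsec between the PE tunnel endpoints ---
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
! Pre-shared key for the lab; use certificates (rsa-sig) for a full PE mesh.
crypto isakmp key CHANGE-ME address 10.0.0.2
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set PE-PE-TS esp-aes 256 esp-sha-hmac
 mode transport
! Transport mode: the GRE packet already has an outer IP header, so tunnel
! mode would only add a second one (20 bytes).
crypto ipsec profile PE-PE-PROF
 set transform-set PE-PE-TS
!
! Tunnel endpoint: lives in the core IGP and is never learned over the tunnel.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! BGP/LDP router-id: advertised only over the tunnel, never into the core,
! so every VPNv4 next-hop resolves through Tunnel0 and gets encrypted.
interface Loopback1
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Core link to P router - carries ESP only, no MPLS, no LDP
 ip address 198.51.100.1 255.255.255.252
 mtu 1600
!
interface GigabitEthernet0/1
 description CE link, customer VRF
 ip vrf forwarding CUST-A
 ip address 203.0.113.1 255.255.255.252
!
interface Tunnel0
 description GRE over IPsec to PE2; MPLS runs inside
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1500
 mpls mtu 1508
 mpls ip
 tunnel source Loopback0
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 tunnel protection ipsec profile PE-PE-PROF
!
mpls ldp router-id Loopback1 force
!
! Core IGP: tunnel endpoints and core links only.
router ospf 1
 router-id 10.0.0.1
 network 10.0.0.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.3 area 0
!
! Overlay IGP inside the tunnel carrying the BGP next-hops. A separate
! process with no redistribution prevents the tunnel endpoint from ever
! being learned through the tunnel itself (recursive routing).
router ospf 2
 router-id 10.1.1.1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.255.0.0 0.0.0.3 area 0
!
router bgp 65000
 bgp router-id 10.1.1.1
 neighbor 10.1.1.2 remote-as 65000
 neighbor 10.1.1.2 update-source Loopback1
 address-family vpnv4
  neighbor 10.1.1.2 activate
  neighbor 10.1.1.2 send-community extended
 exit-address-family
 address-family ipv4 vrf CUST-A
  redistribute connected
 exit-address-family
```

The MTU budget behind the numbers: a 1500-byte customer packet picks up two labels (8 bytes, LDP label for Loopback1 plus the VPN label), a GRE header and outer IP header (24 bytes) and ESP in transport mode with AES-CBC/SHA-1 (8-byte header, 16-byte IV, up to 15 bytes of padding, 2-byte trailer, 12-byte ICV, roughly 55 bytes worst case), so the core must carry about 1590 bytes; 1600 leaves headroom. If the core links cannot be raised above 1500, the customer will not get a clean 1500 bytes and you are left with `ip tcp adjust-mss` on the VRF interfaces and fragmentation for everything else. Checks worth running after applying it: `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` non-zero encaps/decaps counters; `show ip route 10.1.1.2` must point at Tunnel0 and nothing else; `show mpls ldp neighbor` and `show ip bgp vpnv4 all summary` confirm LDP and BGP came up inside the tunnel; and `ping vrf CUST-A <remote CE> size 1500 df-bit` proves the end-to-end MTU. If the ISAKMP SA never forms, the usual causes are the tunnel destination (10.0.0.2 here) not being reachable through the core IGP before crypto comes up, a policy or key mismatch between the two PEs, or a filter dropping UDP/500 or ESP between the endpoints; `debug crypto isakmp` shows which.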

4 REPLIES
Cisco Employee

Re: VRF encryption

Hi Alexandru,

As I am against any violence, I will not try to shoot you, but try to answer your question ;-)

First, could you please clarify what you mean by "encrypted VRFs"? The two things I could think of:

1) encrypt traffic sent across a MPLS L3VPN

2) IPSec access to a VRF

For 1) you would connect IPSec capable devices (CEs) to the VRF. The MPLS L3VPN would basically give connectivity between the IPSec VPN endpoints. Therefore no encryption is required inside the VRF, just plain IPv4 routing and forwarding. Regarding how to set up IPSec encryption between your CE devices, it really would depend on what devices you have. It might be helpful to read the "Enterprise Branch Security Design Guide" or several other SRNDs on IPSec and Security in the WAN following this link

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor13

For option 2) - IPSec access into a VRF - the technical details and example configurations can be found in "VRF Aware IPSec"

http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/h_vrfip.html

In case you have further questions, go ahead and shoot :-)

Hope this helps! Please use the rating system.

Regards, Martin

New Member

Re: VRF encryption

Thanks for the hints you gave me.

What I want to do is the encryption between the PE routers for all vrfs. I have also configured TE tunnels between the PE routers and I need to encrypt this traffic through TE tunnels.

Regards, Alexandru

New Member

Re: VRF encryption

Hello again,

I have been trying for two weeks to encrypt my PE-PE traffic and I have no results. I created a GRE tunnel and tried to encrypt it. It doesn't work. The ISAKMP SA is not established. Do you have an example for the PE-PE encryption?

Regards,

Alexandru
