We're currently getting into MPLS and I have a question about which would be a preferable method of connecting the sites, DMVPN or BGP/EIGRP redistribution.
Currently, we have our headquarters in NY and 9 locations in the USA, all currently connected via IPSec/GRE tunnels and using EIGRP for routing. Each location only has between 15-35 people. We're looking to implement VoIP and have the ability to transfer telephone calls from one location, directly to the other (mesh topology rather than hub/spoke). This was one of the reasons that MPLS was chosen.
This may be a subjective question, but would it be better to continue using GRE/IPSec tunnels with DMVPN to get the "any to any" connectivity, or just redistribute the EIGRP and BGP routes from our ISP? I'm looking for whichever would be easier to manage and give the best performance.
I was thinking that DMVPN might be more overhead than redistribution, since we're doing encryption and having to build tunnels on demand to send the traffic. We are planning on using new Cisco 1841 routers for each location, if that helps.
Thank you in advance for the help.
This is a very interesting question and I am not sure that we would be able to determine the best answer without knowing a bit more about the environment. With the existing IPSec/GRE you have reachability to everywhere and you have the protections of IPSec. The traffic through the public cloud is protected by IPSec so that messages are authenticated (you know that it came from exactly who it claims to have come from), you know that it has not been tampered with in transit (the hashing functions of IPSec), and you know that no one can have observed the traffic (the encryption of IPSec).
If you go to an MPLS implementation (with BGP/EIGRP) you give up those protections. In your organization are those protections important? Giving them up would not mean so much for your VOIP but would giving them up potentially impact your other network traffic? Do you trust the provider MPLS network to provide adequate levels of protection to all your traffic?
When you answer these questions I think you will have made a major step toward answering your design question.
Thanks very much for your reply. I appreciate the feedback.
Right now, we are using IPSec/GRE but not DMVPN, so we have a hub/spoke topology. I suppose that if we need "any to any" connectivity, we can just add DMVPN to our existing environment.
As for MPLS, I was under the impression that this is a private network and is inherently secure, and therefore things like IPSec aren't necessary any longer. Perhaps I just bit the hook that the ISPs have been throwing in the water?
I think that security rates just as high as the quality of the VoIP traffic.
OK, that is an old debate, and here are my thoughts.
If you want your network to be 'invisible in the SP core' then MPLS is the way to go, but of course somebody with a sniffer nearby can still read your traffic, in which case encryption (IPSec) is the best bet.
But for any-to-any connectivity, DMVPN is not very good, and Cisco recommends an 80/20 share (80 to the hub and 20 to the spokes) for DMVPN, which is not very neat. I'll recommend MPLS for you.
The security of an MPLS L3VPN is about equal to ATM or Frame Relay PVCs. That said, you should consider the security requirements of your environment. It might or might not be necessary to encrypt all or specific traffic handed over to a third party (ISP) for transportation.
So DMVPN/IPSec will be the way to go for enhanced security, MPLS L3VPN would be for simplicity and performance.
Hope this helps! Please rate all posts.
Thanks for your feedback.
I think the 80/20 split would work for us since it would only be some voice calls needing "any to any" connectivity. For the most part, the data traffic needs to come through the hub site.
OK, and of course the other problem is that you will be dependent on your hub location to resolve all your spokes. If the hub is down, the entire network is down. MPLS will give you a full-mesh VPN. Or I'll suggest this: have an MPLS VPN, let voice traffic be on plain MPLS (why would you want to encrypt voice traffic?), and have IPSec from spoke to hub to encrypt all the traffic. This is a model which is fairly preferred.
Yes, subjective question. :-)
Personally, I'd use DMVPN without encryption if your company isn't concerned about securing its data over an ISP network. DMVPN with EIGRP adds 24 bytes per packet (from my notes, but I always seem to think it's 20 bytes), and takes roughly 2 kbps per spoke connection for EIGRP.
As far as security, if it isn't encrypted, it isn't secure. It's just a matter of how -many- organizations are looking at your company's data. Believing that MPLS or Frame Relay is secure is similar to believing that no one listens to your phone calls. Realistically, most people don't care if their phone call is eavesdropped, and similarly, their data.
Back in the old days, to work on voice lines we'd normally listen to lines before taking them down. If we were down to one or two lines we'd leave them up so that we'd know when we could start working on them. Since then, I don't consider the public voice or data network to be secure, but that's really beyond the topic.
Take a look at this: VPN Service Without Tunnels:
Cisco Group Encrypted Transport is a revolutionary WAN security technology that defines a new category of VPN, one that does not use tunnels. For the first time, Group Encrypted Transport VPN eliminates the need to compromise between network intelligence and data privacy.