New Member

IPSec over MPLS

We are looking at deploying an IPSec VPN from CE-CE routers across an MPLS backbone. There will be several CE, PE and P routers and we will manage the MPLS backbone.

At all sites, the CE routers will be Cisco 7600 series with a VPN Accelerator module and a Firewall Services module. At all sites, the Cisco 7600 will also support an 802.1q trunk to a Layer 2 switch configured with 3 VLANs.

Packets coming from the WAN through the outside port (configured to belong to a port VLAN) are directed by the PFC2 to the VPN module outside port. The VPN module decrypts the packets and changes the VLAN to the corresponding interface VLAN and then presents the packet to the router through the VPN module inside port. The MSFC then routes the packet to the Firewall Services module outside port configured as an Interface VLAN and then back out through the inside port interface VLAN to the MSFC, routed as normal, and out to the required VLAN host.

Will this work?
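The VLAN hand-off the question describes, as an added illustrative IOS configuration that is not from the original post or any reply: slot numbers, VLAN IDs, addresses, ACL and map names are all assumed, and the pre-shared key is a placeholder.

```text
! Added illustration (not from the post). Slot numbers, VLAN IDs, addresses and
! names are assumed; it shows the port VLAN -> VPN module -> interface VLAN ->
! MSFC -> FWSM -> host VLAN plumbing described in the question.
!
! --- IPsec policy that the VPN module will enforce ---
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set CE-TS esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TRAFFIC        ! "interesting" CE-to-CE traffic
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map CE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set CE-TS
 match address VPN-TRAFFIC
!
! --- WAN port toward the PE: a port VLAN with no SVI address of its own ---
interface GigabitEthernet1/1
 switchport
 switchport access vlan 10
 switchport mode access
interface Vlan10
 no ip address
 crypto connect vlan 100         ! hand port VLAN 10 to the VPN module
!
! --- Interface VLAN on the VPN module inside port, where crypto is applied ---
interface Vlan100
 ip address 203.0.113.1 255.255.255.252
 crypto map CE-MAP
 crypto engine slot 4            ! VPN module in slot 4 (assumed)
!
! --- FWSM in slot 5 (assumed): outside VLAN 200, inside VLAN 201 ---
firewall multiple-vlan-interfaces       ! required for MSFC SVIs on both sides
firewall vlan-group 1 200,201
firewall module 5 vlan-group 1
interface Vlan200
 ip address 192.0.2.1 255.255.255.252   ! MSFC side facing FWSM outside
interface Vlan201
 ip address 10.1.255.1 255.255.255.252  ! MSFC side facing FWSM inside
!
! --- 802.1Q trunk to the Layer 2 switch carrying the three host VLANs ---
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 30-32
 switchport mode trunk
```

One check this design needs: with a single MSFC holding SVIs on both FWSM VLANs and on the host VLANs, decrypted traffic arriving on Vlan100 can be routed straight to a host VLAN without ever crossing the FWSM, so the inside-side SVIs are normally placed in a separate VRF or kept off the MSFC to keep the firewall in path.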

New Member

Re: IPSec over MPLS

MPLS blends the intelligence of routing with the performance of switching, providing significant benefits to service providers with existing native IP architectures, existing native IP plus ATM architectures, or a mixture of other Layer 2 technologies. MPLS-based Layer 3 VPNs conform to a peer-to-peer model that uses Border Gateway Protocol (BGP) to distribute VPN-related information. They are based on the Internet Engineering Task Force (IETF) RFC 2547bis specification for BGP, which defines a VPN solution that uses MPLS to forward customer traffic using per-customer labels. BGP distributes route information across the provider's backbone network so that the provider participates in and manages customer routing information.

Re: IPSec over MPLS

Looks doable: as long as the external VPNed traffic can reach the VAM to decrypt the traffic, the MSFC should be able to send it to the appropriate destination; you also need to specify interesting traffic (via ACL).

Your option here is to put the VAM in front of the FWSM so that source/destination traffic can be encrypted/decrypted before hitting the firewall and the internal network/segment.