Cisco Support Community
New Member

secure vpn on mpls

My customer has around 200 sites connected to the MAIN OFFICE through MPLS. The provider is using 3550s in all their sites and in the main office as well for the MPLS. Also, the main office is secured only by the PIX 525UR with failover.

Each site has 10 users accessing the Oracle server in the MAIN OFFICE through the Oracle client.


Now they want these transactions done in a secured manner using VPN. I am not well versed in MPLS, but the customer wants a secured VPN using IPSec. What is the best solution for this case?

Thanks a lot in advance.



Re: secure vpn on mpls


The MPLS VPN transports IP traffic. So what you can do is simply set up your IPSec VPNs and get reachability between the IPSec gateways through the MPLS VPN.

So place a firewall/IPSec gateway in front of the Oracle server and in each location, and set up VPNs for the Oracle traffic. I am assuming that there is other traffic which should not be encrypted. Then you would need a split tunnel setup, where only Oracle traffic is encrypted, but not the rest.

So finally: MPLS VPNs do not interfere with IPSec.

Hope this helps! Please rate all posts.

Regards, Martin

New Member

Re: secure vpn on mpls

Hi Martin,

Is your recommendation regardless of whether MPLS VPN is enabled on the provider or not? (I don't have this information yet.)

Could the 525UR handle as many as 2000 VPN users, distributed over 2000 sites? I was thinking of putting a VPN concentrator at the Main and just the VPN client on the remotes, or the 3002 as an option.

Any advice on this, please.


Re: secure vpn on mpls


Well, 2000 VPN users are a bit much. I would recommend using either a VPN concentrator or a PIX for remote locations (even a 501 might do for 10 users, depending on required throughput).

Centrally I would opt for an ASA ... many nice features there.

As long as there is IP connectivity between your IPSec gateways/firewalls, it does not really matter whether it is MPLS VPN or internet. MPLS VPN is somewhat nicer, because you can get QoS to prioritize your important traffic (like encrypted Oracle) based on IP precedence. Be aware that, according to the IPSec standard, the IP precedence of the original IP header will be copied into your new IPSec header. This way the MPLS SP can treat the traffic properly.

This type of SLA is usually not offered for internet access.

Regards, Martin
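
An added example, not part of the thread or any poster's configuration: a Python model of the two behaviours described in the replies above, a split-tunnel selector that protects only Oracle traffic, and a tunnel-mode outer header that inherits the inner packet's ToS byte so the provider can still apply QoS. The addresses, the Oracle port 1521 (the default listener port, not stated in the thread) and all function names are assumptions; the ESP body is a zero-filled placeholder, not real encryption.

```python
import ipaddress
import struct

ORACLE_SERVER = ipaddress.ip_address("10.0.0.10").packed  # constructed address
ORACLE_PORT = 1521   # assumed: default Oracle listener port, not stated in the thread
TCP, ESP = 6, 50     # IP protocol numbers

def checksum(hdr: bytes) -> int:
    """Standard IPv4 one's-complement header checksum."""
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, tos: int, payload_len: int) -> bytes:
    def pack(csum):
        return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0, 0, 64,
                           proto, csum, ipaddress.ip_address(src).packed,
                           ipaddress.ip_address(dst).packed)
    return pack(checksum(pack(0)))

def make_tcp(src, dst, sport, dport, tos):
    """Constructed sample packet: IPv4 header plus a bare 20-byte TCP SYN."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ipv4_header(src, dst, TCP, tos, len(tcp)) + tcp

def must_encrypt(pkt: bytes) -> bool:
    """Split-tunnel selector: protect only TCP to or from the Oracle listener."""
    if pkt[9] != TCP:
        return False
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return ((pkt[16:20] == ORACLE_SERVER and dport == ORACLE_PORT) or
            (pkt[12:16] == ORACLE_SERVER and sport == ORACLE_PORT))

def tunnel_encapsulate(inner: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Build the outer tunnel-mode header, copying the inner ToS byte.
    The ESP body is a zero-filled stand-in; no real encryption happens here."""
    esp_body = bytes(8 + len(inner))   # SPI + sequence number + placeholder payload
    return ipv4_header(gw_src, gw_dst, ESP, inner[1], len(esp_body)) + esp_body

def forward(pkt: bytes, gw_src="192.0.2.1", gw_dst="192.0.2.254") -> bytes:
    """Gateway decision: tunnel Oracle traffic, pass everything else unchanged."""
    return tunnel_encapsulate(pkt, gw_src, gw_dst) if must_encrypt(pkt) else pkt
```

The copied ToS byte travels in the clear in the outer header, so the provider can read the traffic class even though the payload is protected.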

New Member

Re: secure vpn on mpls

I just noticed that you are not recommending VPN Concentrators at the Main. As far as I know, these boxes' job is mainly VPN.

Any reason for this?


