Need your help on MPLS over-relay setup encryption.
I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.
CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it's entering the other end LAN.
Basically looking for encryption from CE to CE. Is there any way to do this?
CE to CE encryption is not a problem.
As discussed in a recent thread you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.
For DMVPN you can refer to the solution reference network design
another design guide for enterprise using MPLS L3 VPN services
I've tested DMVPN over an MPLS L3 VPN and it works well.
GETVPN is a more recent security framework that can be considered too.
Hope to help
Follow-up question, if I may...
Is it possible to stage a DMVPN (or GETVPN) one branch at a time, rather than have to implement all WAN endpoints at the same time? Specifically, if we rolled out the DMVPN/GETVPN headend router(s) at HQ for the purpose of encrypting connectivity over the MPLS network, would all of the remote locations lose connectivity until they were configured for DMVPN as well, or could all of these sites still communicate with each other (and the headend) until time allowed for them to be reconfigured?
This will obviously become a very big issue for larger networks, so I'm hoping the MPLS can support DMVPN and non-DMVPN connectivity during a transition/migration period. I've been through the Design Guide, but it doesn't seem to address this question.
With DMVPN this should be possible, as from a routing point of view you use a different routing protocol over the DMVPN (at least a different process): when you add a new site to DMVPN, the routes of the site will disappear from the external routing domain (the one used in MPLS L3 VPN) and will appear as coming from the DMVPN hub(s).
So actually you will have, for some time, some level of non-optimal paths, but with the advantage of allowing for a smooth transition.
Hope to help
K, just to make sure, Giuseppe:
This would work even if the customer is not rolling out DMVPN as a backup solution over the Internet? Meaning, each router will have a single WAN connection/interface, so for the above to be supported (stage migration of the network over to DMVPN), a node would have to be able to communicate over that single interface to both DMVPN and non-DMVPN endpoints.
I'm sorry for the late answer.
Yes, even if the DMVPN is deployed over the same L3 VPN topology, as I have explained in the previous post, it should be possible to perform a smooth migration.
Hope to help
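A spoke-side Cisco IOS configuration for the staged migration discussed in the replies above, added here as an example and not taken from any participant in the thread or from the design guides they mention. It assumes a customer-controlled router on a single WAN interface toward the ISP-managed CE; every address, key, interface name and the choice of EIGRP AS 100 as the separate overlay routing process are constructed placeholders.

```cisco
! Constructed example: all names, addresses and keys are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Wildcard pre-shared key kept for brevity; per-peer keys or certificates are preferable.
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROFILE
 set transform-set DMVPN-TS
!
interface GigabitEthernet0/0
 description Single WAN link toward the ISP-managed CE (underlay)
 ip address 192.0.2.10 255.255.255.252
!
interface GigabitEthernet0/1
 description Site LAN
 ip address 10.10.20.1 255.255.255.0
!
interface Tunnel0
 description DMVPN overlay across the MPLS L3 VPN
 ip address 10.255.0.20 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-KEY>
 ip nhrp network-id 1
 ip nhrp nhs 10.255.0.1
 ip nhrp map 10.255.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROFILE
!
! Underlay: the hub's tunnel endpoint must stay reachable through the MPLS VPN,
! never through Tunnel0 (avoids recursive routing). Direct spoke-to-spoke
! tunnels would also need the other spokes' WAN addresses reachable here.
ip route 198.51.100.1 255.255.255.255 192.0.2.9
!
! Overlay: separate routing process; once the LAN prefix is advertised only
! here, other sites learn it through the DMVPN hub instead of the MPLS domain.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 10.10.20.0 0.0.0.255
 passive-interface GigabitEthernet0/1
```

After cutover, `show crypto ipsec sa` and `show ip route 10.10.20.0` on the hub confirm that the site's traffic is being encrypted and that its prefix is now learned over the tunnel.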