topic MPLS security and encryption in Network Security

MPLS security and encryption

lakhwaraa — Mon, 28 Oct 2024 09:28:13 GMT

I have a main headoffice and some branches conncted with each other over MPLS conncetion provided by a third party vendor.

i want to enable encryption or some security over my MPLS interface so that my data should not compromise. I have
Branch end: cisco router 1921
Hub (Main) cisco 3750 Switch and cisco router 1111
Due to huge amount of traffice i have used switch as it has gigaports for traffice movements.
i am finding difficulty in implementing security over my mpls traffic

Re: MPLS security and encryption

Rob Ingram — Mon, 28 Oct 2024 09:32:37 GMT

@lakhwaraa GEVPN would be a solution to encrypt traffic over the MPLS, Cisco routers support GETVPN. The 3750 switch would not support any encryption, so I would recommend replacing it with another Cisco router.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/xe-3s/sec-get-vpn-xe-3s-book/sec-get-vpn.html

Re: MPLS security and encryption

Cristian Matei — Mon, 28 Oct 2024 09:49:33 GMT

Hi,

Do your branches communicate directly through MPLS cloud or inter-branch traffic is route via HUB? Questions is, is your trafic flow hub & spoke or full-mesh?

Ultimately, you have two options that scale, based on the device models you have (IOS upgrade may be necessary though): GETVPN or DMVPN Phase3 With IPsec; have you ever worked before with any of these technologies? do you have multicast traffic of only unicast traffic?

Best,

Cristian.

Re: MPLS security and encryption

lakhwaraa — Mon, 28 Oct 2024 09:55:11 GMT

i am using 2 interfaces on my router (1 interface has mpls and other interface has isp). i have established DMVPN with ipsec to be used by tunnel connection when MPLS is down. My traffic has encryption when going through tunnel but no encryption through mpls as all routes are provided by vendor from hub to spoke.

Re: MPLS security and encryption

Cristian Matei — Mon, 28 Oct 2024 10:37:47 GMT

Hi,

In this case, the easiest solution is to add another DMVPN cloud / topology over MPLS (use Phase 3 and obviously add IPsec on top of it); you would additionally need to change routing over MPLS, you will only advertise your DMVPN tunnel endpoints to MPLS cloud via BGP and add your own overlay routing over DMVPN.

Best,

Cristian.

Re: MPLS security and encryption

lakhwaraa — Mon, 28 Oct 2024 10:40:20 GMT

Could you provide me some guide for this solution. i have never worked with MPLS

Re: MPLS security and encryption

lakhwaraa — Mon, 28 Oct 2024 10:52:32 GMT

I have done following configuration just as i have done for my dmvpn
ON HUB

Hub
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication your-auth-key
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp shortcut
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234

router bgp 65001
neighbor 10.0.0.2 remote-as 65002 # Spoke IP
network 10.0.0.0 mask 255.255.255.0

crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.0.2.2
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto map dmvpn 10 ipsec-isakmp
set peer 192.0.2.2
set transform-set ESP-AES-SHA
match address 100
!
interface GigabitEthernet0/1
crypto map dmvpn

ON Spoke

interface Tunnel0
ip address 10.0.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication your-auth-key
ip nhrp map 10.0.0.1 192.0.2.1 # Public IP of the hub
ip nhrp map multicast 192.0.2.1
ip nhrp network-id 1
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key 1234

router bgp 65002
neighbor 10.0.0.1 remote-as 65001 # Hub IP
network 10.0.0.0 mask 255.255.255.0

crypto isakmp policy 10
encryption aes
hash sha
authentication pre-share
group 2
!
crypto isakmp key your-secret-key address 192.0.2.1
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto map dmvpn 10 ipsec-isakmp
set peer 192.0.2.1
set transform-set ESP-AES-SHA
match address 100
!
interface GigabitEthernet0/1
crypto map dmvpn

But i am still unable to understand that this hub spoke model works on routers. i have cisco switch which is advertising routes to my router at hub. How to deal with this.

Re: MPLS security and encryption

Cristian Matei — Mon, 28 Oct 2024 11:12:08 GMT

Hi,

From your perspective, WAN transport being Internet or MPLS (both are MPLS in the backend) it doesn't matter; routers that are under your management do not run MPLS; so you'll end up performing a similar DMVPN config like the presented one, on the routers under your management.

Best,

Cristian.

Re: MPLS security and encryption

MHM Cisco World — Mon, 28 Oct 2024 19:45:39 GMT

Sorry I dont get it'

You use DMVPN over MPLS ?

If yes why you use public IP of Hub?

The IP is private in underlying mpls not public

MHM

Re: MPLS security and encryption

Cristian Matei — Mon, 28 Oct 2024 20:18:33 GMT

Hi,

Even though on the hub side, the switch is in front of the router/ DMVPN hub, it's not a problem; you would need to ensure that HUB's IP used to terminate the DMVPN tunnel is routable over MPLS (switch makes routing happen between HUB router and distant sites via MPLS).

Assuming one spoke IP facing MPLS is 192.168.20.6 and HUB's IP facing switch/MPLS is 192.168.10.6, and you want to run BGP over DMVPN, here's your config (move away from crypto-map and use tunnel protection, NHRP authentication is removed as it's pointless when using IPsec, GRE tunnel key is only required if you source two GRE multipoint tunnels off the same source interface so it was removed):

Hub interface Tunnel0 ip address 10.0.0.1 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp map multicast dynamic ip nhrp network-id 1 ip nhrp redirect tunnel source GigabitEthernet0/1 tunnel mode gre multipoint tunnel protection ipsec profile DMVPN ! router bgp 65001 neighbor 10.0.0.2 remote-as 65002 network 10.0.0.0 mask 255.255.255.0 ! crypto isakmp policy 10 encryption aes hash sha authentication pre-share group 2 ! crypto isakmp key your-secret-key address 192.168.20.6 ! crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac mode transport ! crypto ipsec profile DMVPN set transform-set ESP-AES-SHA Spoke interface Tunnel0 ip address 10.0.0.2 255.255.255.0 no ip redirects ip mtu 1400 ip nhrp nhs 10.0.0.1 nbma 192.168.10.6 multicast ip nhrp network-id 1 ip nhrp shortcut tunnel source GigabitEthernet0/1 tunnel mode gre multipoint tunnel protection ipsec profile DMVPN ! router bgp 65002 neighbor 10.0.0.1 remote-as 65001 # Hub IP network 10.0.0.0 mask 255.255.255.0 ! crypto isakmp policy 10 encryption aes hash sha authentication pre-share group 2 ! crypto isakmp key your-secret-key address 192.168.10.6 ! crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac mode transport ! crypto ipsec profile DMVPN set transform-set ESP-AES-SHA

Best,

Cristian.