
Can anyone tell me if our data is secured in the MPLS backbone?

Shaik Sharief
Level 1

Means we are a customer of an MPLS-providing ISP; they will configure a VRF on all the interfaces of the PE routers which are connected to our CE routers. What if they configured an additional VRF which is not connected to our CE router, imported all our routes, and are capturing our data?

Accepted Solutions

Perhaps using DMVPN would be suitable inside the SP network.


Sent from Cisco Technical Support Android App

10 Replies

grahamm11
Level 1

This would be possible using L3VPN, but it is very unlikely that an SP would do it, as they have to abide by codes of practice. If you are worried you could use IPsec L3VPN instead.

Sent from Cisco Technical Support iPhone App

Nikhil Kapoor
Cisco Employee

Hi Sharief,

The scenario you mentioned is very much possible in L3 VPN scenarios. The option that I could think of is to use IPsec tunnels between your spoke sites and use the ISP for IP reachability only to those tunnels.

This way you will have your data encrypted over the ISP cloud, and decryption will happen at your site only.

HTH

Nikhil

Thanks grahamm11 & Nikhil for your response. If we want to implement any-to-any connectivity for 40 sites in remote locations, do we need to create site-to-site IPsec VPNs for all 40 sites? Is there any other easy process?

Hi Sharief,

You may want to have a look at the doc below.

http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/mxinf_ds.pdf

Thanks,

Nikhil

Hi Nikhil,

I want to know: for implementing IPsec VPN we need to configure 160 site-to-site tunnels for 40 remote sites, right? Is there any easy method to implement this?

Hi Sharief,

Since you have 40 sites, you may think of the option of going with a hub-and-spoke topology. In this way you can decrease the overhead of configuring tunnels, like you stated, 40x40, and creating a full mesh.

The other option I could think of is having static routing between PE and CE. This way you have all administrative control of your prefixes.

HTH

Nikhil

Hi Nikhil,

Thanks for your response. Hub-and-spoke topology is a good option. What if we have voice traffic (QoS)? Then every voice packet needs to go to the hub site and then to the remote site, right? Is there any other option for any-to-any connectivity with IPsec tunneling to protect our data from the SP?

And if we want to use static routing, do we need to create routes statically for every site on 40 sites, or can we use a default route on all 40 CE routers?


Hi Sharief,

True. In that case I would suggest checking with the SP to see if the SLA which they are proposing is within limits for your network to work under a hub-and-spoke topology.

2. Since we are looking for security and want to have administrative control, I would go for specific routes rather than having default routes on the network. I know it's going to be a tiring job, but I am sure we will have full administrative control of the network.

HTH

Nikhil

Perhaps using DMVPN would be suitable inside the SP network.


Sent from Cisco Technical Support Android App

Thanks Nikhil & Lonnman for your information. I think it is better to implement DMVPN on our CE routers. I have another question: if we have 1841 and 2611 (CE) routers, how many GRE tunnels do these routers support at the same time on a single site? Or do we need to use any extra module for VPN?