GETVPN in 6500 E series

w-abulhamid
Level 1

Hello

I want to ask if the 6509-E switch supports GETVPN, because I didn't find GDOI under crypto.

Actually, I need to encrypt the MPLS links between an ASR 9010 P router and a 6500 PE until I get a replacement for these devices. And if it is not supported, what is the best option to encrypt the MPLS traffic without impacting real-time packets like voice/video traffic?

 

Thank you

2 Replies

If GDOI is not found, then you cannot use GETVPN.
You can apply IPsec, since it is only P2P.

MHM

AshSe
Level 4

Hello @w-abulhamid 

The Cisco Catalyst 6500 series switches, including the 6509-E, do not natively support GETVPN (Group Encrypted Transport VPN) because they lack support for the GDOI (Group Domain of Interpretation) protocol, which is a key component of GETVPN. GETVPN is typically supported on Cisco routers and some high-end platforms like the ASR series, but not on the Catalyst 6500 series.

Options for Encrypting MPLS Traffic Between ASR 9010 and Catalyst 6500

Since the Catalyst 6500 does not support GETVPN, you will need to consider alternative encryption methods that can work with your existing hardware and minimize the impact on real-time traffic like voice and video. Here are some options:

1. IPsec VPN

  • Description: You can use IPsec to encrypt traffic between the ASR 9010 and the Catalyst 6500. However, the Catalyst 6500 has limited IPsec capabilities and may require a VPN Services Module (VPNSM) or an ASA Services Module (ASA-SM) to handle IPsec encryption.
  • Pros:
    • Widely supported and secure.
    • Can be implemented without replacing hardware immediately.
  • Cons:
    • May introduce latency, which could impact real-time traffic.
    • Requires additional configuration and possibly hardware modules.
  • Recommendation: If you choose this option, ensure QoS (Quality of Service) is configured to prioritize voice and video traffic to minimize latency and jitter.

2. External Encryption Device

  • Description: Use an external encryption device (e.g., Cisco's Network Encryption devices or third-party solutions) to encrypt traffic between the ASR 9010 and the Catalyst 6500.
  • Pros:
    • Offloads encryption processing from the routers/switches.
    • Can provide high-performance encryption with minimal impact on latency.
  • Cons:
    • Additional cost for the external devices.
    • Adds complexity to the network design.
  • Recommendation: This is a good option if you need high-performance encryption without impacting the performance of your existing devices.

3. MACsec (802.1AE)

  • Description: If your Catalyst 6500 and ASR 9010 support MACsec, you can use it to encrypt traffic at Layer 2. However, MACsec is typically supported on newer hardware and may not be available on the Catalyst 6500.
  • Pros:
    • Minimal impact on latency.
    • Operates at Layer 2, so it is transparent to higher-layer protocols.
  • Cons:
    • Limited support on older hardware like the Catalyst 6500.
  • Recommendation: Check if your devices support MACsec, but this is unlikely to be a viable option for the Catalyst 6500.

4. Wait for Hardware Replacement

  • Description: If encryption is not immediately critical, you could wait for the replacement of the Catalyst 6500 with a device that supports GETVPN or other modern encryption methods.
  • Pros:
    • Avoids the complexity of implementing a temporary solution.
  • Cons:
    • Leaves traffic unencrypted in the interim.
  • Recommendation: If encryption is not an urgent requirement, this may be the simplest approach.

Best Option for Real-Time Traffic

If encryption is critical and you need to minimize the impact on real-time traffic, the external encryption device option is likely the best choice. These devices are purpose-built for encryption and can handle high-throughput traffic with minimal latency, ensuring that voice and video traffic are not significantly impacted.

Additionally, regardless of the encryption method you choose, ensure that QoS is properly configured to prioritize real-time traffic (e.g., using DSCP markings for voice and video) to mitigate the impact of encryption on latency-sensitive applications.

 

Hope This Helps!!!

 

AshSe

Forum Tips: 

  1. Insert photos/images inline - don't attach.
  2. Always mark helpful and correct answers, it helps others find what they need.
  3. For a prompt reply, kindly tag @name. An email will be automatically sent to the member.
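As an added illustration of the IPsec option and the QoS recommendation from the reply above (this is not configuration from either poster and not a 6500 VPNSM/ASA-SM or IOS XR configuration; it assumes a generic Cisco IOS router with IPsec support on one end of a point-to-point link), the following shows a GRE-over-IPsec tunnel carrying MPLS, with voice and video classified by DSCP before encryption. The addresses 192.0.2.1 and 198.51.100.1, the tunnel subnet 10.0.0.0/30, the interface name and the pre-shared key are placeholders.

```cisco
! Added example, not from the original thread. Assumes an IOS router with
! IPsec support; all addresses, names and the key below are placeholders.
!
! Phase 1 (IKEv1) policy and peer key
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
! Phase 2: ESP with AES-256 and SHA-256; transport mode is enough for
! a GRE tunnel because GRE already provides the outer IP header
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256
!
! QoS: voice (EF) gets a strict-priority queue, video (AF41/AF42) gets
! guaranteed bandwidth, everything else shares the remainder
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41 af42
policy-map WAN-EDGE
 class VOICE
  priority percent 20
 class VIDEO
  bandwidth percent 30
 class class-default
  fair-queue
!
! Point-to-point GRE tunnel protected by IPsec; MPLS runs over the tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 mpls ip
 qos pre-classify
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-PROF
!
! Physical WAN interface: queue the encrypted packets by class
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 service-policy output WAN-EDGE
```

Two points worth checking on whatever platform ends up doing the encryption: IOS copies the DSCP value of the inner packet into the outer GRE/ESP header by default, so the DSCP-based policy on the physical interface still sees voice and video markings after encryption; `qos pre-classify` is only needed when the policy has to match on other inner-header fields. The reduced `ip mtu` and `ip tcp adjust-mss` values leave room for the GRE and ESP overhead so that real-time packets are not fragmented after encryption.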