
MPLS Design Question

Nick wfd
Level 1

Hello,

I had an MPLS design question. Currently we are designing an MPLS network consisting of 7 locations (5 offices and two data centers). All 7 locations will be communicating with each other over MPLS. We have internet links at each data center, and traffic to the internet will be exiting through the two data centers, and both serve as backups to each other. CE routers are either 3800 or 2800 series.

We will be running BGP between CE and PE.

How can we encrypt internal traffic between all locations? Can we use IPsec to encrypt over MPLS, and how will this affect processing on the CE router? Also, at the same time we don't want to encrypt traffic to the internet, VoIP and video traffic. Any sample configuration or document will be helpful.

Many Thanks,

4 Replies

Reza Sharifi
Hall of Fame

Hi,

You can use IPSec over GRE and encrypt traffic between your locations. Either 2800 or 3800 will work fine for these 7 locations. Just make sure you have the right image and license installed on your routers.

Have a look at this link for config examples:

https://supportforums.cisco.com/docs/DOC-3067

HTH

Thanks. Can I not configure IPsec over MPLS between CE-CE? Also, we have a firewall installed before the edge router at all locations.

Can we configure the firewall to be the IPsec VPN gateway and have the CE router just do BGP with the PE, or do we need to do both IPsec and BGP on the CE router?

Many Thanks.

"Can I not configure IPsec over MPLS between CE-CE"

Sure, you can. That is actually where it should be done (CE-CE).

Usually, you want to do your tunneling between the CEs and then clear text towards the firewall, so you can see what is coming to it.

http://www.cisco.com/en/US/prod/collateral/routers/ps9343/Deploying_and_Configuring_MPLS_Virtual_Private_Networks_In_IP_Tunnel_Environment.pdf

HTH
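
Added example, not part of the thread and not taken from the linked Cisco documents: a minimal CE-to-CE crypto map for one office/data-center pair, where `deny` lines in the crypto ACL leave VoIP in clear text and anything not destined to the data-center LAN (internet traffic) never matches. All addresses, names, the key placeholder and the RTP port range are constructed assumptions; the data-center CE needs the mirror-image ACL.

```cisco
! Assumptions (constructed for illustration):
!   office LAN        10.1.0.0/16
!   data-center LAN   10.100.0.0/16
!   data-center CE    192.0.2.2 (its MPLS-facing address, learned via BGP)
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 ! use the strongest DH group that both CE images support
 group 14
!
! placeholder key; use a unique key per peer
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
ip access-list extended OFFICE-TO-DC
 ! "deny" in a crypto ACL means "do not encrypt", not "drop".
 ! Assumed RTP range for voice; video needs its own deny entries
 ! matching however it is identified in this network.
 deny   udp 10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255 range 16384 32767
 ! everything else between the two LANs is encrypted
 permit ip  10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 ! traffic to any other destination (internet) matches nothing
 ! here and is forwarded unencrypted
!
crypto map MPLS-CRYPTO 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-AES256
 match address OFFICE-TO-DC
!
interface GigabitEthernet0/0
 description MPLS link to PE (BGP session runs here, outside the tunnel)
 crypto map MPLS-CRYPTO
```

After traffic flows, `show crypto ipsec sa` on the CE shows whether the encaps/decaps counters increase for the LAN-to-LAN selector while voice calls leave them unchanged.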

Thanks. The requirement is to encrypt any traffic between the locations and the datacenter, so I can configure site-to-site IPsec for this traffic over MPLS between each location and data center.

Is it possible to configure remote access IPsec VPN between location and data center over MPLS, so that if a user wants to connect to the datacenter resources from an office location, then they can use the IPsec client to authenticate and then connect to the datacenter over the MPLS link?