05-31-2010 08:35 AM
Hello Friend,
Need your help on MPLS overlay setup encryption.
I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.
CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it enters the other end's LAN.
Basically I am looking for encryption between CE and CE. Is there any way to do this?
Regards,
Naren
05-31-2010 11:52 AM
Hello Naren,
CE to CE encryption is not a problem.
As discussed in a recent thread, you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between the different CE sites.
For DMVPN you can refer to the solution reference network design:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html
Another design guide, for enterprises using MPLS L3 VPN services:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwane.html
I've tested DMVPN over an MPLS L3 VPN and it works well.
GETVPN is a more recent security framework that can be considered too.
Hope to help
Giuseppe
06-12-2011 02:31 PM
Follow-up question, if I may...
Is it possible to stage a DMVPN (or GETVPN) one branch at a time, rather than have to implement all WAN endpoints at the same time? Specifically, if we rolled out the DMVPN/GETVPN headend router(s) at HQ for the purpose of encrypting connectivity over the MPLS network, would all of the remote locations lose connectivity until they were configured for DMVPN as well, or could all of these sites still communicate with each other (and the headend) until time allowed for them to be reconfigured?
This will obviously become a very big issue for larger networks, so I'm hoping the MPLS can support DMVPN and non-DMVPN connectivity during a transition/migration period. I've been through the Design Guide, but it doesn't seem to address this question.
Thank you!
06-13-2011 01:12 PM
Hello Bkccards64,
With DMVPN this should be possible, as from a routing point of view you use a different routing protocol over the DMVPN (or at least a different process): when you add a new site to the DMVPN, the routes of that site will disappear from the external routing domain (the one used in the MPLS L3 VPN) and will appear as coming from the DMVPN hub(s).
So for some time you will actually have a degree of non-optimal paths, but with the advantage of allowing a smooth transition.
Hope to help
Giuseppe
06-14-2011 06:26 AM
OK, just to make sure, Giuseppe:
This would work even if the customer is not rolling out DMVPN as a backup solution over the Internet? Meaning, each router will have a single WAN connection/interface, so for the above to be supported (staged migration of the network over to DMVPN), a node would have to be able to communicate over that single interface with both DMVPN and non-DMVPN endpoints.
Thanks again!
06-18-2011 11:20 AM
Hello BKccards64,
I'm sorry for the late answer.
Yes, even if the DMVPN is deployed over the same L3 VPN topology, as I explained in my previous post, it should be possible to perform a smooth migration.
Hope to help
Giuseppe
07-15-2014 12:36 PM
Hi All,
I have a similar requirement: running BGP between CE and PE, and MPLS VPN between PE, P and PE. I need a solution to encrypt the traffic between two CEs.
Please advise. Thanks in advance!