04-09-2008 02:45 AM
Hello guys,
I have a new challenge in my MPLS network. This is the VRF encryption. I need to configure some encrypted VRFs and I don't have any idea how to do it.
If somebody has some ideas about this subject, please shoot me.
Thanks in advance,
Alexandru
04-10-2008 03:26 AM
Hi Alexandru,
As I am against any violence, I will not try to shoot you, but try to answer your question ;-)
First, could you please clarify what you mean with "encrypted VRFs"? The two things I could think of:
1) encrypt traffic sent across a MPLS L3VPN
2) IPSec access to a VRF
For 1) you would connect IPSec capable devices (CEs) to the VRF. The MPLS L3VPN would basically give connectivity between the IPSec VPN endpoints. Therefore no encryption is required inside the VRF, just plain IPv4 routing and forwarding. Regarding how to set up IPSec encryption between your CE devices, it really would depend on what devices you have. It might be helpful to read the "Enterprise Branch Security Design Guide" or several other SRNDs on IPSec and Security in the WAN following this link
http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor13
For option 2) - IPSec access into a VRF - the technical details and example configurations can be found in "VRF Aware IPSec"
http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/h_vrfip.html
In case you have further questions, go ahead and shoot :-)
Hope this helps! Please use the rating system.
Regards, Martin
04-10-2008 05:14 AM
Thanks for the hints you gave me.
What I want to do is the encryption between the PE routers for all vrfs. I have also configured TE tunnels between the PE routers and I need to encrypt this traffic through TE tunnels.
Regards, Alexandru
04-11-2008 02:04 AM
Hi,
Oops, encrypting all PE to PE traffic is a different beast. PE to PE traffic is MPLS labeled (ethertype 0x8847) and not IPv4 (ethertype 0x0800), hence IPSec will not encrypt it. You need to make it "look like IPv4". The only solution I can think of: configure GRE tunnels between the PE routers, encrypt them and enable MPLS and routing on the GRE tunnel interfaces. You need to make sure that your BGP next-hop addresses are routed through the GRE tunnel. This works, but be aware that you need special attention to MTU-related issues. Make sure your customer gets 1500 bytes end-to-end, which means additional overhead because of additional MPLS labels and IPSec/GRE headers.
MPLS TE is adding additional complexity. Turning on MPLS TE over your encrypted GRE tunnels does not bring any advantage as far as I can see now, if you create a full mesh of GRE tunnels. You could use MPLS TE to transport your encrypted GRE traffic, adding even more overhead ...
As you can see, the solution is quite complex and you might want to consider encrypting CE to CE traffic, which should be simpler. But if your requirements rule out this solution there is little choice.
Hope this helps! Please use the rating system.
Regards, Martin
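The MTU warning in the reply above is the part that usually bites in practice, so here is an added example (not from the thread, not Cisco's code) that works out the per-layer overhead of an MPLS L3VPN packet carried PE-to-PE inside GRE and then ESP. Header sizes follow the RFCs (GRE base header, MPLS label entry, ESP header/trailer); the cipher and integrity parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV) and the two-label default are assumptions for illustration and should be set to match the transform set and label depth actually in use. It answers both questions a practitioner has: how large the core MTU must be for customers to keep 1500 bytes end-to-end, and, if the core cannot be raised, what `ip mtu` and TCP MSS clamp to put on the tunnel interface.

```python
"""
Added example (not from the original thread or any Cisco document):
encapsulation overhead for MPLS L3VPN traffic carried PE-to-PE inside a
GRE tunnel protected by IPsec ESP.

Header sizes follow RFC 2784 (GRE), RFC 3032 (MPLS label entry) and
RFC 4303 (ESP). Cipher/integrity parameters are assumptions chosen for
illustration; adjust them to the transform set actually configured.
"""

IPV4_HEADER = 20   # outer delivery header, no options
GRE_HEADER = 4     # base GRE header (no key, sequence or checksum fields)
MPLS_LABEL = 4     # one label stack entry
ESP_HEADER = 8     # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header

# (IV length, cipher block size) and ICV length: constructed lookup tables
CIPHERS = {"aes-cbc": (16, 16), "3des-cbc": (8, 8)}
INTEGRITY = {"sha1-96": 12, "sha256-128": 16}


def esp_padding(plaintext_len, block_size):
    """Bytes of ESP padding so that plaintext + padding + trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block_size


def wire_size(customer_mtu=1500, labels=2, ipsec_mode="transport",
              cipher="aes-cbc", integrity="sha1-96"):
    """Return (outer IP packet size, per-layer breakdown) for one customer
    packet of customer_mtu bytes sent PE-to-PE over GRE protected by ESP.

    labels: MPLS label entries on the wire. Two (transport + VPN label) is
    the general L3VPN case; with penultimate hop popping between directly
    adjacent PEs only the VPN label may remain.
    """
    iv_len, block_size = CIPHERS[cipher]
    icv_len = INTEGRITY[integrity]
    # What ESP encrypts: GRE header, label stack and the customer packet;
    # in tunnel mode the GRE delivery IP header is encrypted as well.
    plaintext = GRE_HEADER + labels * MPLS_LABEL + customer_mtu
    if ipsec_mode == "tunnel":
        plaintext += IPV4_HEADER
    elif ipsec_mode != "transport":
        raise ValueError("ipsec_mode must be 'transport' or 'tunnel'")
    pad = esp_padding(plaintext, block_size)
    layers = [
        ("outer IPv4", IPV4_HEADER),
        ("ESP header", ESP_HEADER),
        ("ESP IV", iv_len),
        ("encrypted payload", plaintext),
        ("ESP padding", pad),
        ("ESP trailer", ESP_TRAILER),
        ("ESP ICV", icv_len),
    ]
    return sum(size for _, size in layers), layers


def max_customer_mtu(core_mtu=1500, **kwargs):
    """Largest customer packet that still fits into core_mtu after encapsulation.
    ESP padding is not monotonic in the payload size, so each candidate is checked."""
    for candidate in range(core_mtu, 0, -1):
        if wire_size(candidate, **kwargs)[0] <= core_mtu:
            return candidate
    raise ValueError("core_mtu too small for any payload")


def tunnel_settings(core_mtu=1500, **kwargs):
    """Tunnel interface values if the core cannot be raised above core_mtu:
    the tunnel IP MTU and a TCP MSS clamp (MTU minus 20-byte IP and 20-byte TCP headers)."""
    mtu = max_customer_mtu(core_mtu, **kwargs)
    return {"ip_mtu": mtu, "tcp_mss": mtu - 40}


if __name__ == "__main__":
    total, layers = wire_size()
    for name, size in layers:
        print(f"{name:18s} {size:5d}")
    print(f"core MTU needed for 1500-byte customer packets: {total}")
    print(f"if the core stays at 1500: {tunnel_settings()}")
```

With the defaults (two labels, transport-mode ESP, AES-CBC, SHA1-96) a 1500-byte customer packet leaves the PE as a 1576-byte outer IP packet, so every core link must carry at least that much above the 14-byte Ethernet header; tunnel-mode ESP adds another 20 bytes. If the core must stay at 1500, the same arithmetic gives a tunnel `ip mtu` of 1426 and an MSS clamp of 1386, which is the trade-off the reply warns about: either the core grows or the customer loses bytes.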
04-23-2008 07:04 AM
Hello again,
I have been trying for two weeks to encrypt my PE-PE traffic and I have no results. I created a GRE tunnel and tried to encrypt it. It isn't working. The ISAKMP SA is not established. Do you have an example for the PE-PE encryption?
Regards,
Alexandru