Best way to do encryption over MPLS network ?

carl_townshend
Spotlight

Hi Guys

At the moment, we have an MPLS network, about 20 sites, 40 routers.

We run GRE tunnels in a full mesh which are encrypted with IPsec.

Is this design OK? Or would it be better to use DMVPN / GET VPN?

Obviously at present, if we get a new site we have to build lots of tunnels on all routers, but it works.

If we went to DMVPN and lost both hub sites, then we would be out of action, I guess; same with GET VPN if you lost the KS.

What's the best design in this scenario?

Cheers

9 Replies

Hi,

you can easily do this with GETVPN.

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

balaji.bandi
Hall of Fame

SD-WAN is the new buzz in the market; if not, the old stable one, GETVPN (as you mentioned), is a good option here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello.

GETVPN has certain minimum requirements. What hardware are you using, and which IOS versions are you running?

DMVPN with dual redundant hubs is a standard design.

Hi Georg

Mostly ISR4k routers are deployed; generally version 16.6.4 is on a lot of them. Would this support GETVPN?

How many key servers can you have for redundancy?

If you lost all key servers, how long would it work for, until the key has to be renewed?

I would be interested to know the failure scenarios.

cheers

Hello
DMVPN is for when you are using internet-based circuits, not MPLS. As others have stated, GETVPN would be applicable for MPLS. However, going forward (obviously not now), for future design migration, eventually I foresee EVPN will be the way to go.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul, why would we use EVPN over the MPLS? And would this be configured on our CE routers, or do you mean the PE would do it?

cheers

Joseph W. Doherty
Hall of Fame

What's possibly better would depend on your requirements. The biggest advantage of something like DMVPN: much, much less work to set up a new "branch", including the possibility of using dynamic addressing for the branch's physical end point and/or, if supported, using something like DMVPN adaptive rate QoS.

You're correct that losing two DMVPN hubs is a problem, but this also assumes you only have two such hubs. (Also possibly presumes they are at the same location.)

BTW, if using GRE tunnels, depending on which tunnel mode you use, you can decrease some overhead, as might VTI tunnels, which (I recall?) eliminate GRE overhead.

Also BTW, if you really need encryption over a "private" MPLS network, what about lack of encryption between internal hosts and WAN routers and/or possibly lack of encryption for data stored on hosts?

pman
Spotlight

Hi,

Attached is a comparison between the different technologies:

VPN Solution Compare.PNG

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKRST-2309.pdf

DMVPN is used for IP reachability between sites and also to secure data.
Since you have MPLS, which covers the IP reachability, you then only need to secure the traffic, which is done by GETVPN.

For DMVPN with the hub-lost-connection issue, GETVPN with the KS has the same issue.
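The following is an added example, not configuration from anyone in this thread, of the GETVPN design the replies point at: two cooperative (COOP) key servers so that losing one KS does not stop re-registration, and group members that list both. Every address, name, group number and lifetime is an assumed placeholder; the ISR4k image and IOS-XE 16.6.4 from the question are not verified here.

```cisco
! Key server 1 (COOP primary). KS2 carries the same configuration with
! its own address and a lower priority, and shares the RSA rekey key pair
! (exported from KS1) so rekeys from either KS verify on every member.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key GETVPN-PSK-PLACEHOLDER address 0.0.0.0
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
 ! TEK lifetime: with every KS unreachable, members keep encrypting
 ! only until this expires, then traffic matching the ACL is dropped
 set security-association lifetime seconds 7200
ip access-list extended GETVPN-ENCRYPT-ACL
 ! keep GDOI control traffic (UDP 848) in the clear
 deny udp any eq 848 any eq 848
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-RSA
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT-ACL
   replay time window-size 5
  address ipv4 10.255.0.1
  ! COOP: KS2 uses "local priority 75" and "peer address ipv4 10.255.0.1"
  redundancy
   local priority 100
   peer address ipv4 10.255.0.2
!
! Group member (each CE router); same isakmp policy and key as the KS.
! Listing every KS lets a member register with whichever one is alive.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.255.0.1
 server address ipv4 10.255.0.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/0/0
 description MPLS-facing WAN link
 crypto map GETVPN-MAP
```

On the key servers, `show crypto gdoi ks coop` confirms the primary/secondary election, and on a member `show crypto gdoi` shows which KS it registered with and the remaining TEK lifetime, which answers the "how long until the key has to be renewed" question above.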
