1056 Views · 0 Helpful · 5 Replies

Connecting three LAN via non private MPLS

wilson.jr
Level 1

Hi

I have three offices in Chile connected via L3 MPLS that can't be trusted in terms of privacy (security). We are planning to connect the offices using VPN IPsec, GRE and OSPF on top of it, because we use OSPF company-wide. All offices have Cisco 2900 series routers with IOS firewall as the edge router. Should we just use these routers and configure VPN tunnels between offices, then configure GRE and OSPF on top, or use a commercial firewall (PIX) to create the VPN tunnels and then use the routers to configure GRE and OSPF? Any advice will be appreciated.

Wilson

3 Accepted Solutions

paolo bevilacqua
Hall of Fame

You don't need the firewalls. The routers can do all what they would do, and some more.

Roman Rodichev
Level 7

You should use your 2900 and configure DMVPN multipoint tunnels with IPsec protection on them. This way you will have one tunnel interface to deal with. OSPF works over DMVPN. It's not scalable, but with 3 sites it doesn't matter. You actually gain several advantages by running DMVPN tunnels over MPLS. DMVPN has nice multipoint QoS support now. The only disadvantage is overhead. With IMIX 512-byte traffic, you'll have around 20% overhead (same as with regular IPsec+GRE, plus 2 extra bytes for mGRE).

The only disadvantage is overhead. With IMIX 512-byte traffic, you'll have around 20% overhead (same as with regular IPsec+GRE, plus 2 extra bytes for mGRE).

Most people forget that Cisco supports LZS compression for IPsec. Once enabled, the overhead is much reduced.

5 Replies

Thank you all for replying.

I should mention that the number of offices may grow in the future. Will DMVPN scale easily? What are DMVPN's limitations in a hub-and-spoke deployment? At the end of the day, what should I do: DMVPN or IPsec+GRE+OSPF? What are the pros and cons?

Thank you very much

As long as you use the appropriate hardware and configuration, there are no scalability issues.

Besides, there is no real alternative to DMVPN.
Some people use it with many thousands of branches.

Thanks for the nice rating and good luck!