Encrypt Traffic Between multiple sites which are connected over IP-VPN MPLS

mahmoodmkl
Level 7

Hi,

I have a requirement where i want to encrypt traffic between our multiple sites which are connected through the SP which uses IP-VPN MPLS cloud.

Please guide me to the options which can be used to achieve this.

 

Thanks

 

9 Replies

Peter Paluch
Cisco Employee

Hello,

IPsec and GETVPN are your primary candidates.

IPsec is the traditional mechanism of choice. However, deploying it on a large scale without introducing a certification authority and X.509 certificates is tedious and not very scalable, especially if pre-shared keys are to be used. In addition, if you expect any-to-any connectivity in your network, your router resources could become strained because of the large number of IPsec security associations the router would have to maintain.

GETVPN (Group Encrypted Transport VPN) is designed to address these issues. It also uses IPsec as its underlying protection mechanism but the control plane operations are significantly less intensive, as the number of security associations is reduced to just a few. GETVPN is specifically designed to be used in an environment like yours where the end-to-end visibility is available without any need for tunnelling (this is the feature of MPLS L3VPNs).

You may be interested in learning more about GETVPN here:

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/prod_presentation0900aecd8058203e.pdf

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/white_paper_c11-471053.html

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-mt/sec-get-vpn-15-mt-book.html

Best regards,
Peter
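As an added illustration of the KS/GM split described above (this is example configuration written for this thread, not taken from the reply or from Cisco's documentation), the skeleton of a GETVPN deployment on IOS looks like the following. Every address, group number, name and the pre-shared key are constructed placeholders; the KS is assumed reachable at 10.0.0.1 from every GM, and the protected address space is assumed to be 10.0.0.0/8.

```cisco
! ---- Key Server (KS): a dedicated router reachable by every GM ----
! Before applying this, generate the rekey signing key in exec mode:
!   crypto key generate rsa general-keys label GETVPN-REKEY modulus 2048 exportable
!
! IKE phase 1 is used only for GM registration with the KS (GDOI, UDP 848)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Placeholder PSK and a wildcard peer address, kept for brevity; more than a
! handful of GMs is the point where certificates replace this
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile GETVPN-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GETVPN-TS
!
! Traffic the group protects. Every "permit" line is encrypted by every GM
! with the same group key. GDOI itself and BGP are exempted so registration
! and any BGP peering inside the protected range keep working.
ip access-list extended GETVPN-ENCRYPT-ACL
 deny   udp any eq 848 any eq 848
 deny   tcp any eq 179 any
 deny   tcp any any eq 179
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  rekey retransmit 60 number 2
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ENCRYPT-ACL
   replay counter window-size 64
  address ipv4 10.0.0.1
!
! ---- Group Member (GM): each site's CE router ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 10.0.0.1
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
! The crypto map is applied on the interface facing the PE. GETVPN keeps the
! original IP header (source, destination and DSCP) on the encrypted packet,
! so the PE-CE eBGP session and the provider's routing need no change.
interface GigabitEthernet0/0
 description PE-CE link into the SP MPLS IP-VPN
 ip address 192.0.2.2 255.255.255.252
 crypto map GETVPN-MAP
```

The KS itself carries no crypto map: it only hands out policy and keys, which is why it is a separate box from the GMs. After a GM registers, `show crypto gdoi` on the GM lists the group, the KS it registered with and the downloaded ACL; if the ACL shown there differs from what the KS was meant to push, that is the first place to look before assuming traffic is encrypted.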

Hi Peter,

 

Thanks for the reply and suggestions.

I forgot to mention in the above post that we are having EBGP peerings between our CE and the SP. Will this have any impact on the above suggestions?

Moreover, I am just curious to know whether there is any possibility of data sniffing in the SP cloud, as I assume that each customer will be in a separate VRF. Please shed some light on this.

Thanks

 

Hi,

I forgot to mention in the above post that we are having EBGP peerings between our CE and the SP. Will this have any impact on the above suggestions?

None to my best knowledge.

Moreover, I am just curious to know whether there is any possibility of data sniffing in the SP cloud, as I assume that each customer will be in a separate VRF. Please shed some light on this.

Assuming that a service provider is truly the owner of its entire network and can access any of its own devices, it is always possible to sniff customer traffic, no matter what VRF the customer is in. Once the customer traffic starts flowing down the SP cloud, the SP has the ability to sniff it. That is why this family of VPNs, provided earlier by ATM and Frame Relay and nowadays by MPLS (L3 and L2 variants), has been called "trusted VPNs": you know that the data flowing through the VPN is only logically separated from other customers and is not protected against sniffing by the SP itself, but you assume that the SP is well-behaved, and that is why you trust it.

Different customers, of course, cannot sniff each other's traffic as long as the VPN is properly configured.

Best regards,
Peter

Hi Peter,

Thanks for the reply.

Please let me know if there is any other solution than GETVPN or the above suggested solutions.

Moreover, will this have any impact on the VOICE traffic, as we are having a centralized IPT deployment?

 

Thanks

Hi Peter,

Can you please put some light on the below query.

Please let me know if there is any other solution than GETVPN or the above suggested solutions.

Moreover, will this have any impact on the VOICE traffic, as we are having a centralized IPT deployment?

 

Moreover, can a GM be a KS, or do we need them to be separate routers?

 

Thanks

 

Hello,

I apologize for answering so late.

Please let me know if there is any other solution than GETVPN or the above suggested solutions.

For a truly scalable design, I do not see any other solution. However, you have mentioned that you have around 4 sites. I thought you have orders of magnitude more sites than that (40 or 400 perhaps). With just 4 sites, even static IPsec tunnels would work. However, with any explicit tunneling mechanism except GETVPN, such as DMVPN or static pure IPsec or GRE+IPsec tunnels, you would need to change your routing paradigm and choose from these two options:

  1. The PE-CE routing protocol between your CE router and the provider's PE would only advertise the addresses on PE-CE links, not internal networks behind CE routers. You would run a separate routing protocol over the tunnels that advertises the internal networks. The PE-CE routing protocol would effectively only make sure that one CE can reach the other CEs.
  2. Override the existing routing statically to make sure the traffic goes through the tunnels.

GETVPN's advantage is that it does not require changes to your underlying routing, as it assumes that the visibility is already there, and you just want to put IPsec protection on top of it without impacting the visibility itself.

Moreover, will this have any impact on the VOICE traffic, as we are having a centralized IPT deployment?

GETVPN will not influence how and where the traffic flows. The flows and their paths remain the same after deploying GETVPN. However, the increased delay incurred by encrypting and decrypting the packet flows most certainly needs to be tested empirically to confirm that it is still within an acceptable range. Also, any QoS policies need to be checked as to whether they act on DSCP marking or on L4 headers. After encrypting the traffic, the DSCP marking is the only one available to differentiate voice from other classes.

Moreover, can a GM be a KS, or do we need them to be separate routers?

To my best knowledge, these two types of routers have to be separate in a real deployment. You will need a standalone router to perform just the function of a KS, and other routers that act as GMs.

Please can you just provide me with a sample config to configure VPN tunnels between the sites?

If you are considering the GETVPN then one of the documents I have linked in my original response contains a basic setup example.

http://www.cisco.com/c/en/us/products/collateral/security/group-encrypted-transport-vpn/deployment_guide_c07_554713.html

If you are considering a static tunnel deployment then you must keep in mind that the routing will have to be modified as I explained earlier in this response. It's not as simple as configuring 3 static tunnels on each of your 4 locations.

Best regards,
Peter
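To make the routing change from option 1 concrete (an added example for this thread, not configuration from the reply or from the linked Cisco documents), this is what one CE looks like if static IPsec VTI tunnels are chosen instead of GETVPN. All addresses, AS numbers and names are constructed: 192.0.2.0/30 is assumed to be this site's PE-CE link, 192.0.2.6 the remote CE's PE-CE address, 10.1.0.0/16 this site's LAN, and EIGRP is assumed as the routing protocol run over the tunnels. The pre-shared key is a placeholder.

```cisco
! ---- CE router at site 1 (repeat per remote site: Tunnel13, Tunnel14, ...) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.6
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface GigabitEthernet0/0
 description PE-CE link into the SP MPLS IP-VPN
 ip address 192.0.2.2 255.255.255.252
!
! Point-to-point IPsec tunnel to site 2; the outer packets are addressed
! CE-to-CE, so the only thing the provider has to route is the PE-CE links
interface Tunnel12
 description IPsec VTI to site 2
 ip address 10.255.12.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Option 1 from the reply: the PE only ever learns the PE-CE link, never the
! LAN behind the CE. Without this filter the LAN would be reachable directly
! across the MPLS cloud, and eBGP (AD 20) would win over EIGRP (AD 90), so
! site-to-site traffic would silently bypass the tunnel unencrypted.
ip prefix-list TO-PE seq 5 permit 192.0.2.0/30
ip prefix-list TO-PE seq 10 deny 0.0.0.0/0 le 32
!
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 prefix-list TO-PE out
 network 192.0.2.0 mask 255.255.255.252
!
! Internal prefixes are exchanged only over the tunnels; the PE-CE link is
! passive so no EIGRP adjacency or advertisement leaks toward the provider
router eigrp 100
 network 10.1.0.0 0.0.255.255
 network 10.255.12.0 0.0.0.3
 passive-interface GigabitEthernet0/0
```

The check that matters after bringing this up is `show ip route 10.2.0.0` (or whichever remote LAN) on the CE: the next hop must be the Tunnel interface, not the PE. If the PE shows up, a LAN prefix has leaked into the PE-CE BGP session somewhere and that traffic is crossing the provider in the clear. For the second option in the reply, the EIGRP section is simply replaced by static routes for each remote LAN pointing at the corresponding Tunnel interface; the prefix-list toward the PE is needed in either case.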

Hi Peter,

Thanks a lot for replying to my queries.

1. The PE-CE routing protocol between your CE router and the provider's PE would only advertise the addresses on PE-CE links, not internal networks behind CE routers. You would run a separate routing protocol over the tunnels that advertises the internal networks. The PE-CE routing protocol would effectively only make sure that one CE can reach the other CEs.

As mentioned earlier, we are running BGP between our CE and PE. I assume that you mean to disable any route advertisements in BGP so that just the IPs on the point-to-point link are advertised, which will help in setting up the tunnels?

Or, as suggested in the second option, just disable the routing protocol and configure static routes?

 

Thanks

  1. Ask your ISP to implement encryption between all CE-routers.
  2. Configure your own GetVPN between all your routers
  3. Configure VPN-Tunnels between all your routers (could be too much work depending on the amount of sites).

Hi Iwen,

Please can you just provide me with a sample config to configure VPN tunnels between the sites?

I have around 4 sites.

 

Thanks
