Can 1 set of GET VPN routers protect 2 VLANs at each location?

steveflu0
Level 1

Greetings,

I'm setting up a new MPLS WAN for both data and voice traffic. There are 5 branches. Each branch has two VLANs - one for voice and one for data - each with its own IP subnet. The MPLS router at each branch has one internal Ethernet port which is on both VLANs and has IP addresses in both subnets. The MPLS network applies QoS across the MPLS network based on the VLAN tag of the packets as they are presented to the internal Ethernet interface.

I may want to encrypt both the voice and data traffic, but I don't want to screw up the MPLS network's ability to apply QoS. (And yes, I know encrypting voice data may have consequences like jitter and latency problems). The Group Encrypted Transport (GET) VPN technology seems great for MPLS.

So, what do I do?

1) Buy two complete sets of GET VPN routers (two at each branch plus keyservers). My switches on the internal side of the VPN boxes would strip the VLAN tags going to them and a switch on the external side would reapply the tags and send them on to the MPLS router. I'm pretty sure this would work; it's just expensive.

2) Buy one set of GET VPN routers and have them run two separate VPNs, with both internal and external interfaces sending/receiving packets on two different VLANs/IP addresses. This would be cool if it can be done.

3) I suppose it MAY somehow be possible to have one set of GET VPN routers that have two VLANs/IP addresses on the LAN side but somehow set up one VPN that keeps the VLAN tags intact on each packet.

4) Something else?

Thanks!

Steve

1 Accepted Solution

Accepted Solutions

Herbert Baerten
Cisco Employee

Hi Steve,

If you can modify (or ask the MPLS provider to modify) the config on the MPLS routers then there are other options, e.g. just have one VLAN between your GET router and the MPLS router, and apply QoS based on destination IP. Or if the MPLS router trusts the QoS bits of ingress packets then you can do the QoS marking earlier in the path (i.e. on or before the GET router).

If you cannot or do not want to touch the MPLS routers, then I'd say your option 2 or 3 are both possible (actually I'm not sure what the difference would be between #2 and #3).

You can create 2 subinterfaces/vlan-interfaces on the inside and 2 on the outside (or use 4 physical interfaces and do the tagging on the switch). Apply a crypto map to both outside interfaces (I suppose the difference between #2 and #3 is if you configure the same crypto map or a different one), and configure your routing to route voice out one interface and data out the other (as you are already doing right now on your CE routers I guess).

Alternatively (I suppose this is more like option #2) use VRFs to separate voice and data, which would simplify the routing (actually it would be like your option #1 but with 2 virtual routers on 1 box), but the GET VPN would get a bit more complicated.

I hope this helps a bit, but I'm not a design specialist, so I would advise (especially when going the VRF route) to discuss this further with your Cisco reseller or, if applicable, with your Cisco account team, since you'll probably want to think about supportability, performance, scalability, and maybe redundancy as well.

Herbert

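As an added illustration of the subinterface design described in the accepted answer (this is example configuration written for this page, not from the original thread or from Cisco documentation): a GET VPN group member at one branch with two dot1Q subinterfaces on the LAN side, two on the MPLS-facing side, and the same GDOI crypto map applied to both outside subinterfaces. All VLAN IDs, addresses, group names and the key server address are constructed placeholders. The point worth seeing is that GET VPN keeps the original IP header on the encrypted packet, so the provider's CE router still sees the real destination address and DSCP, and the VLAN tag on each outside subinterface is not affected by encryption at all; the MPLS QoS policy keyed on the tag keeps working.

```cisco
! Constructed example: GET VPN group member (GM) at one branch.
! Data is VLAN 10, voice is VLAN 20 on both sides of the GM.
! Key server, policy and the other branches are not shown.

! --- GDOI group: which key server this GM registers with ----------------
! The encryption policy (what to protect) is pushed by the key server,
! so the group member carries no per-flow access list of its own.
crypto gdoi group GETVPN-WAN
 identity number 1001
 server address ipv4 192.0.2.10

! --- One GDOI crypto map, applied to both outside subinterfaces ---------
! Using the same map on both is the "single VPN, tags intact" variant
! (option 3 in the question); a second group/map would give option 2.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-WAN

! --- LAN side: one subinterface per branch VLAN --------------------------
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.10
 description Branch data VLAN
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
interface GigabitEthernet0/0.20
 description Branch voice VLAN
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0

! --- MPLS side: same two tags towards the provider CE router ------------
! Encryption happens on egress here; the dot1Q tag is added after that and
! the inner IP header is preserved, so the CE still classifies correctly.
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.10
 description To CE, data VLAN
 encapsulation dot1Q 10
 ip address 172.16.1.2 255.255.255.252
 crypto map GETVPN-MAP
interface GigabitEthernet0/1.20
 description To CE, voice VLAN
 encapsulation dot1Q 20
 ip address 172.16.2.2 255.255.255.252
 crypto map GETVPN-MAP

! --- Routing: remote voice subnets leave via the voice VLAN, remote data
! subnets via the data VLAN, so each flow keeps the tag the MPLS QoS
! policy keys on. Static routes for one remote branch (placeholders);
! a real deployment would carry these in the routing protocol instead.
ip route 10.2.10.0 255.255.255.0 172.16.1.1
ip route 10.2.20.0 255.255.255.0 172.16.2.1
```

The routing is what actually separates the two classes of traffic on the wire: with both outside subinterfaces carrying the same crypto map, nothing in the crypto configuration prefers one VLAN over the other, so a voice-to-voice flow routed out the data subinterface would be encrypted correctly but would be queued by the provider as data. Check this with `show ip route` for a remote voice subnet and `show crypto gdoi` to confirm the GM has registered and received policy.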

2 Replies


Herbert,

Thanks very much for the very informative reply! Now that I'm confident it's possible, I will move forward with a reseller.

Thanks again!

Steve