DMVPN over MPLS implementation

brian.k.clarke · ‎06-15-2011

A customer has an existing MPLS PNT with about 20 nodes, and they're looking to encrypt all traffic between sites. I'm researching a DMVPN/mGRE solution for this, and have a question regarding the actual migration process per location.

Again, this is not a solution to provide WAN backup over the Internet, but encryption over the single WAN port per site for MPLS traffic. My question is, after I configure the primary site as a DMVPN/mGRE hub, will the other sites still be able to communicate successfully with the hub prior to also building out their DMVPN configuration, or must the remote site be configured concurrently with the hub?

From what I've read, it seems as if the former is true, and that site-to-site connectivity would remain during the transition period to DMVPN everywhere. (It seems as you're only forcing traffic over the DMVPN once you add the tunnel IP subnet to the routing process.) I need to confirm, though, and possibly get some detail as to how far you can go w/ the configuration (on either/both ends) prior to a DMVPN cut, and what the cutover process actually looks like. Is any downtime really required at all?

Thanks again!

manish arora · ‎06-15-2011

I think you should look in GETVPN which was designed for encrypting data for MPLS kinda solutions. It's a tunnel less encryption solution. I have personally never used it, but have heard that it works fine over mpls.

Manish

brian.k.clarke · ‎06-15-2011

Thanks for the response, Manish - I've looked into GET VPN, but the problem in this particular environment is that it's relatively small (20 sites), cost is an issue, and GET VPN requires at least one additional router to perform for key server functionality.