06-15-2011 02:28 PM - edited 02-21-2020 05:24 PM
A customer has an existing MPLS PNT with about 20 nodes, and they're looking to encrypt all traffic between sites. I'm researching a DMVPN/mGRE solution for this, and have a question regarding the actual migration process per location.
Again, this is not a solution to provide WAN backup over the Internet, but encryption over the single WAN port per site for MPLS traffic. My question is, after I configure the primary site as a DMVPN/mGRE hub, will the other sites still be able to communicate successfully with the hub prior to also building out their DMVPN configuration, or must the remote site be configured concurrently with the hub?
From what I've read, it seems as if the former is true, and that site-to-site connectivity would remain during the transition period to DMVPN everywhere. (It seems as if you're only forcing traffic over the DMVPN once you add the tunnel IP subnet to the routing process.) I need to confirm, though, and possibly get some detail as to how far you can go w/ the configuration (on either/both ends) prior to a DMVPN cut, and what the cutover process actually looks like. Is any downtime really required at all?
Thanks again!
06-15-2011 06:46 PM
I think you should look into GETVPN, which was designed for encrypting data for MPLS kinda solutions. It's a tunnel-less encryption solution. I have personally never used it, but have heard that it works fine over MPLS.
Manish
06-15-2011 06:48 PM
Thanks for the response, Manish - I've looked into GET VPN, but the problem in this particular environment is that it's relatively small (20 sites), cost is an issue, and GET VPN requires at least one additional router to perform key server functionality.