Solved: VPN on PE Device

Rowan Smith · ‎04-21-2013

I would like to be able to have my PE Device perform encryption before dropping a packet onto the MPLS network.

Effectively, I am looking for the ability to apply a GDOI-Crypto-Map to a MPLS interface.

Traffic received on the VRF-PE Interface is encrypted before being sent across the MPLS link and then decrypted when received at the next PE device before being forwarded to the CE.

CE1 ----- (vrf-1:1)|(PE1) -------- MPLS -------- (PE2)|(vrf1:1) ----- CE2

My connections between each PE are ethernet, and I want the traffic between PE1 and PE2 to be encrypted for specific RD mappings. Other RDs would not be encrypted.

Is this possible? Is this on a RoadMap somewhere?

I can't find any networking provider who is doing this.

Thanks.

Marcin Latosiewicz · ‎04-22-2013

Rowan,

IPsec (and GET as subset) will only work on IP, i.e. we cannot use label/RD to made a decision whether traffic should be encrypted or not.

Last time I heard PE-PE encryption was not supported, but considered for roadmaps for certain platforms.

We were also working on crypto as an ingress feature (unlike current egress implmentation), which would be interesting in your use case, however I'm not sure if that ever got too much traction.

Check with your SE, they can ping relevant folks on business units, depending on platforms needed.

M.

View solution in original post

Marcin Latosiewicz · ‎04-22-2013

Rowan,

IPsec (and GET as subset) will only work on IP, i.e. we cannot use label/RD to made a decision whether traffic should be encrypted or not.

Last time I heard PE-PE encryption was not supported, but considered for roadmaps for certain platforms.

We were also working on crypto as an ingress feature (unlike current egress implmentation), which would be interesting in your use case, however I'm not sure if that ever got too much traction.

Check with your SE, they can ping relevant folks on business units, depending on platforms needed.

M.