[c-nsp] MPLS and IPSEC co-working

Enno Rey erey at ernw.de
Thu Aug 16 08:39:25 EDT 2007


hi,

On Thu, Aug 16, 2007 at 02:43:44PM +0300, Andris Zarins wrote:
> 
> > Hi,
> > 
> > Network setup is pretty trivial - three routers running MPLS (LDP
> > full-mesh) to support 20+ MPLS VPNs. Tricky part, is that customer is
> > asking to secure that infrastructure by running IPSEC (3DES).

Does the customer really ask to secure "the infrastructure" (or is it intended to "secure the (production) traffic"?)?
If the former (which doesn't make too much sense except for some "really special" risk analysis), you might have problems. You could try to work with static labels (seems a pretty static setup ;-) or _try_ to secure LDP with crypto-maps (the TCP-based binding phase should not be too problematic, not sure about the UDP/multicast based neighbor discovery).

If the latter (what I expect), just use appropriate crypto-maps.

thanks,

Enno

> > As far
> > as I know, I can not run LDP over Tunnel interfaces, and crypto-maps
> > will not help also. Concept of running IPSEC between CPEs doesn't make
> > sense, as there are no CPEs :( 
> > 
> > 
> > Question is - is VRF-Lite plus back-to-back connectivity, like option
> > A for inter AS MPLS, the only viable option I have, or Im missing
> > something and there are other, more scalable ways to do it?
> > 
> > 
> > Thanks,
> > Andris
> > CCIE #17473
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- 
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5  444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey
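An added IOS configuration example, not from the original thread, showing the "crypto-map on the LDP session" approach Enno sketches for the case where the customer really means the control plane. It assumes two routers whose LDP transport addresses are loopback addresses 10.0.0.1 and 10.0.0.2, a core link on GigabitEthernet0/0, and a pre-shared IKE key; the names, addresses and key are invented for illustration, and 3DES is used only because that is what the customer asked for.

```cisco
! --- R1 (mirror the addresses on R2) ---
!
! Phase 1: IKE policy with pre-shared key to the peer's LDP transport address.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 10.0.0.2
!
! Phase 2: ESP with 3DES (per the customer request) and SHA-1 integrity.
! Transport mode is enough: the IPsec endpoints are the routers themselves.
crypto ipsec transform-set TS-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
! Crypto ACL: only the TCP/646 LDP session between the two transport
! addresses. Both directions are listed because either side may be the
! active (initiating) LDP peer, so the well-known port may be on either end.
ip access-list extended LDP-SESSION
 permit tcp host 10.0.0.1 host 10.0.0.2 eq 646
 permit tcp host 10.0.0.1 eq 646 host 10.0.0.2
!
crypto map CM-LDP 10 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set TS-3DES-SHA
 match address LDP-SESSION
!
! Apply on the core-facing interface that carries the LDP session.
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 mpls ip
 crypto map CM-LDP
!
! Verification after the session comes up:
!   show crypto isakmp sa
!   show crypto ipsec sa             (encaps/decaps counters should increment)
!   show mpls ldp neighbor           (session should still establish over TCP 646)
```

Two caveats a practitioner would want. First, this covers only the TCP session (label binding); the basic LDP hellos go to UDP/646 on multicast 224.0.0.2 and are not matched by a crypto ACL, which is the open point Enno flags. Second, the crypto ACL is evaluated against IP packets leaving the interface, so the labeled VPN traffic transiting the core is not touched by this map; if the customer actually wants the production traffic protected, that needs a separate design rather than an extension of this ACL.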