[c-nsp] MPLS and IPSEC co-working

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Thu Aug 16 12:31:48 EDT 2007


Andris Zarins wrote on Thursday, August 16, 2007 1:44 PM:

>> Hi,
>> 
>> Network setup is pretty trivial - three routers running MPLS (LDP
>> full-mesh) to support 20+ MPLS VPNs. The tricky part is that the
>> customer is asking to secure that infrastructure by running IPSEC
>> (3DES). As far as I know, I cannot run LDP over Tunnel interfaces,
>> and crypto-maps will not help either. The concept of running IPSEC
>> between CPEs doesn't make sense, as there are no CPEs :(
>> 
>> 
>> Question is - is VRF-Lite plus back-to-back connectivity, like option
>> A for inter-AS MPLS, the only viable option I have, or am I missing
>> something and there are other, more scalable ways to do it?

Well, you can run MPLSoGRE at least on SW-based platforms (like the
7200); I haven't checked for 6500/7600 or GSR. You could also use
BGP-L3VPN over L2TPv3 and then encrypt the L2TPv3 traffic using
crypto-maps.

Not a complete solution, I know.

	oli
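
An added example, not configuration posted in the thread: the MPLSoGRE option from the reply, shown for one of the three routers, with the GRE tunnel encrypted by IPsec using 3DES as the customer requested. Protecting the tunnel with an IPsec profile, the OSPF IGP, and every address, name and key below are assumptions; platform support has to be checked as the reply notes.

```text
! Constructed example for a router called PE1 (hypothetical name).
! Mirror it on the peer with tunnel source/destination swapped.
! Addresses are documentation/private ranges; the key is a placeholder.
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE_SHARED_KEY> address 192.0.2.2
!
! Transport mode: GRE already supplies the outer IP header.
crypto ipsec transform-set MPLS-GRE-TS esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile MPLS-GRE-PROF
 set transform-set MPLS-GRE-TS
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
mpls ldp router-id Loopback0 force
!
! LDP runs on the tunnel, so labelled VPN traffic is GRE-encapsulated
! first and then encrypted by the IPsec profile.
interface Tunnel12
 description MPLSoGRE to PE2
 ip address 10.255.12.1 255.255.255.252
 mpls ip
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile MPLS-GRE-PROF
!
! Core-facing physical interface: no "mpls ip" here, so nothing
! labelled leaves the router unencrypted.
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
!
! The IGP advertises the loopback only across the tunnel, so LDP and
! MP-BGP sessions between loopbacks follow the encrypted path.
router ospf 1
 network 198.51.100.1 0.0.0.0 area 0
 network 10.255.12.0 0.0.0.3 area 0
```

`show mpls ldp neighbor` should list the peer over the tunnel and `show crypto ipsec sa` should show encrypt/decrypt counters rising with VPN traffic. GRE, ESP and the label stack all reduce the usable payload size, so the tunnel MTU needs to be planned for.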

