[c-nsp] GET-VPN and BGP

Luan Nguyen luan at netcraftsmen.net
Fri Feb 27 09:06:45 EST 2009


How could GET be easier than DMVPN? :)

They both have pros and cons, so you have to look at the current design and
decide which will fit better. 
First, one has to look at the hardware/software pieces to see whether they
can do GET-VPN.
Also, with ~50 nodes, you probably want a redundant key server solution.
That's 2 extra devices.  Then you need to decide where to put the key
servers.
Also, one needs to look at the integration between features.  If you have
Zone Based Firewall, then GET is a pain to look at.  With DMVPN, you just
need to throw the tunnel interface into a zone.
If the customer already used GRE/IPSEC, then in my opinion, it's easier to
migrate into DMVPN than GET-VPN.

Regards,

------------------------------------------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[Blog] http://cnc-networksecurity.blogspot.com/
------------------------------------------------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Thursday, February 26, 2009 8:01 PM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GET-VPN and BGP

We have deployed several networks now with GET, and now that we are used
to it, there is no looking back at DMVPN.  When it comes to
troubleshooting on the CE device, I feel GET is much easier.  There is
no overlay network with GET.



Mike Louis wrote:
> Dear list,
>
> I am working with a customer who is migrating from a static MPLS VPN to a
> BGP based MPLS VPN. Today they currently have a hub and spoke IPSEC VPN
> running over top of their MPLS WAN. Once they migrate to BGP they would like
> to have a solution that will support the any-to-any connectivity the MPLS
> WAN offers and be able to scale well to many sites >50. What are my options
> here? Configuring point to point static IPSEC tunnels is not practical.
>
> I see DMVPN and GET-VPN as practical options. Any thoughts or opinions on
> why they should consider one or the other?
>
> Any feedback is greatly appreciated.
>
> Mike
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/