Solved

Usage of GETVPN in MPLS WAN

Posted on 2014-04-09
Last Modified: 2014-04-13
I have done some reading about GETVPN; apparently it is not used over the internet but over a WAN such as MPLS.
I wonder why we would use GETVPN instead of MPLS VPN if MPLS is already the WAN chosen for GETVPN.

Any help will be very much appreciated.

Thanks
0
Question by:jskfan
20 Comments
 
LVL 22

Assisted Solution

by:Matt V
Matt V earned 56 total points
ID: 39989713
GET VPN provides the encryption over the carrier cloud.
0
 

Author Comment

by:jskfan
ID: 39989939
Why would we use GETVPN instead of MPLS VPN if MPLS is already the WAN chosen?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39990025
With any carrier point-to-point link you are trusting the carrier with your data.

I've had carriers misconfigure MPLS so that I was able to see other customers' data and networks, which naturally makes me suspicious of whether my data was secure.

Performing your own encryption protects you from both deliberate and accidental breaches.

GETVPN can also operate over public networks, but if I recall there are scaling issues.
0
 

Author Comment

by:jskfan
ID: 39990231
I guess I am confusing MPLS and MPLS VPN… Are they the same?

When you subscribe with an MPLS provider, would they automatically provide you with MPLS VPN or GETVPN?
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39990380
No, typical MPLS provides no encryption.  It is simply a site-to-site link using layer 3 forwarding.
0
 

Author Comment

by:jskfan
ID: 39992430
OK…

So when you purchase MPLS from a carrier, you will then configure on your own either MPLS VPN or GETVPN?

Or when you purchase MPLS from a carrier, MPLS VPN will come with it, configured based on the info you gave to the carrier?
I also wonder why people would go for GETVPN instead of MPLS VPN, since the WAN is already MPLS?

Thank you
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39992456
I've never heard of MPLS VPN.

Encryption is to protect your data from prying eyes.  There would be little benefit to purchasing encryption services from the same person providing the carrier services.  If you trust your carrier, then there is no need for encryption, since you trust your data to be private.  If you don't trust your carrier, then you don't want to buy encryption from them since they'll just be able to decrypt the data anyway.




Thinking on it, I suspect that this is someone selling a "point-to-point" service, but over public networks, and calling it MPLS VPN.  Instead of providing true MPLS, they're providing what they claim is an equivalent service using public networks and encryption.

I've provided that same service to customers, but I wish I'd thought to call it "MPLS VPN."  What a brilliant product name.

Coming from a customer perspective, I would have concerns about how they're able to guarantee a level of service.
0
 

Author Comment

by:jskfan
ID: 39993724
http://en.wikipedia.org/wiki/MPLS_VPN

There is MPLS, I guess it is a kind of platform, and on that platform you can configure either GETVPN or MPLS VPN.

Per the Wikipedia link above, MPLS VPN itself is 3 categories:

Point-to-Point and Layer 2 VPN (I am not really sure how they work).
However, Layer 3 VPN uses VRF tables specific to each customer; I mean they separate each customer's traffic into a separate VRF table.
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39993912
MPLS is already supposed to do that.

Pointless to buy encryption from the carrier, from a security perspective.  It adds no value, and increases complexity.
0
 

Author Comment

by:jskfan
ID: 39994798
<<MPLS is already supposed to do that.>>
You are saying MPLS and MPLS VPN are just the same thing? 2 words that mean the same function?

As far as I understand it, the MPLS function is to do the labeling, swapping, and popping off of the label.

MPLS VPN requires the configuration of VRF on the MPLS WAN network …
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39994959
MPLS is already supposed to keep your data private.
0
 

Author Comment

by:jskfan
ID: 39996158
I thought MPLS VPN is a feature in MPLS, I mean when you subscribe to an MPLS carrier then you can either go for MPLS VPN, which they set up for you, or you can configure GETVPN on your own… and both are secure…

So, I do not see the need to configure GETVPN while MPLS VPN offers the same level of security and the carrier configures it for you.

The link below states that both are secure:
http://searchenterprisewan.techtarget.com/definition/virtual-routing-and-forwarding

"Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication."
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39996256
VRF is not VPN.

VRF is a way of logically separating out the traffic.  VPN encrypts the traffic.

With VRF, the carrier can still snoop on your data.  (For example, if law enforcement or the NSA asks for it.)  If you encrypt the data yourself using GETVPN, then all the carrier can see is the number and size of the packets; they can see the actual data.
0
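An added example, not part of the thread: it parses two constructed MPLS-labelled packets the way an on-path carrier device could, to show the distinction drawn in the answer above between label/VRF separation and customer-side ESP encryption such as GETVPN. The labels, addresses, SPI and the helper names `carrier_view` and `build` are assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct

ESP = 50  # IP protocol number for IPsec ESP

def carrier_view(frame: bytes) -> dict:
    """What an on-path MPLS device can read from one labelled IPv4 packet."""
    labels, off = [], 0
    while True:  # walk the label stack until the bottom-of-stack bit is set
        if len(frame) < off + 4:
            raise ValueError("truncated label stack")
        (entry,) = struct.unpack_from("!I", frame, off)
        off += 4
        labels.append(entry >> 12)
        if entry & 0x100:
            break
    if len(frame) < off + 20 or frame[off] >> 4 != 4:
        raise ValueError("expected an IPv4 header after the labels")
    ihl = (frame[off] & 0x0F) * 4
    total_len, proto = struct.unpack_from("!H", frame, off + 2)[0], frame[off + 9]
    body = frame[off + ihl:off + total_len]
    view = {"labels": labels, "size": total_len, "proto": proto,
            "src": str(ipaddress.IPv4Address(frame[off + 12:off + 16])),
            "dst": str(ipaddress.IPv4Address(frame[off + 16:off + 20]))}
    if proto == ESP:
        if len(body) < 8:
            raise ValueError("truncated ESP header")
        view["spi"], view["seq"] = struct.unpack_from("!II", body)
        view["readable"] = b""  # everything after SPI/sequence is ciphertext
    else:
        view["readable"] = body  # transport header and data in the clear
    return view

def build(labels, src, dst, proto, body):
    """Constructed sample: label stack + minimal IPv4 header (checksum left 0)."""
    stack = b"".join(
        struct.pack("!I", (lbl << 12) | ((i == len(labels) - 1) << 8) | 64)
        for i, lbl in enumerate(labels))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return stack + ip + body

# Constructed samples: same sites and labels, without and with customer-side ESP.
# GETVPN keeps the original source/destination addresses in the outer header.
data = b"payroll export ready\n"
udp = struct.pack("!HHHH", 40000, 514, 8 + len(data), 0) + data
plain = build([16001, 24005], "10.1.1.10", "10.2.2.20", 17, udp)
opaque = hashlib.sha256(b"stand-in for ciphertext").digest()  # not real encryption
esp = build([16001, 24005], "10.1.1.10", "10.2.2.20", ESP,
            struct.pack("!II", 0x1234ABCD, 7) + opaque)
```

Calling `carrier_view(plain)` returns the application bytes in `readable`, while `carrier_view(esp)` returns only labels, addresses, size, SPI and sequence number.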
 

Author Comment

by:jskfan
ID: 39996533
http://searchenterprisewan.techtarget.com/definition/virtual-routing-and-forwarding

In the same link, you can read:

<<Internet service providers (ISPs) often take advantage of VRF to create separate virtual private networks (VPNs) for customers; thus the technology is also referred to as VPN routing and forwarding.>>
0
 
LVL 28

Assisted Solution

by:asavener
asavener earned 444 total points
ID: 39996577
Personally, I've never heard anyone call VRF "vpn routing and forwarding."

In any case, my statement is still true. VRF provides no encryption and does not keep the carrier from snooping on your data.  GETVPN does provide encryption.
0
 

Author Comment

by:jskfan
ID: 39997062
If you Google MPLS VPN, you get tons of info, it is just hard to understand, since it uses VRFs, Route Distinguisher, BGP. Actually it is hard for me to understand all those components….But it does exist….and the only reason I posted this question is if MPLS VPN runs on MPLS platform and offers authentication and encryption, why bother configuring GETVPN. However I guess GETVPN is less complicated to understand than MPLS VPN...
0
 

Author Comment

by:jskfan
ID: 39997150
http://searchenterprisewan.techtarget.com/guides/MPLS-VPN-fundamentals

In the link above I can read "an MPLS VPN is a VPN that is built on top of an MPLS network"
0
 

Author Comment

by:jskfan
ID: 39997160
Wow… hard to understand the flip flop from one article to another. In the article it says MPLS VPN does not offer encryption.

http://searchenterprisewan.techtarget.com/guides/MPLS-VPN-fundamentals

<<Remember that MPLS-based VPNs aren't encrypted; they only separate your data from other customers' data logically. Your data shares the same physical path with other customers of the service provider, just like frame relay or any other WAN. Some vendors may offer additional services that allow you to encrypt your traffic. In fact, you may want to explore the possibility of using your existing IPsec VPN equipment to create permanent tunnels between sites over a new high-speed MPLS backbone to get the best of both worlds.>>
0
 
LVL 28

Accepted Solution

by:asavener
asavener earned 444 total points
ID: 39997402
"Remember that MPLS-based VPNs aren't encrypted; they only separate your data from other customers' data logically. Your data shares the same physical path with other customers of the service provider, just like frame relay or any other WAN. Some vendors may offer additional services that allow you to encrypt your traffic. In fact, you may want to explore the possibility of using your existing IPsec VPN equipment to create permanent tunnels between sites over a new high-speed MPLS backbone to get the best of both worlds."

This is exactly what I've been saying, except that I think calling MPLS a VPN is disingenuous.

Nobody calls frame relay or those other WAN connections VPNs.
0
 

Author Closing Comment

by:jskfan
ID: 39997523
Terminology makes technology hard to understand…I will keep reading about it…

Thank you for your Help!
0
