Sunday, July 21, 2019

IPSec over GRE tunnels vs VPNv4 solution to extend remote site connectivity to internet

Hi r/networking,

I hope everyone is enjoying Monday morning after the weekend!

I have to implement internet reachability for my current customer's remote sites over the core network. Basically, the sites will send traffic through the core and reach the datacenter, which is peering to Internet Exchanges via the NCS5508 IP backbone. The network is all Cisco with NCS5500 series in the core. The network is completely IPv6 up to the datacenter and only has IPv4 towards the internet, for which we use NAT-ing to send out traffic.

Now, to provide a solution, I have two options in mind:

  1. Use IPSec over GRE tunnels and advertise default route towards Internet exchanges with GRE tunnel headend on remote side and tail end on NCS5508 in IP backbone. This will also help me to encrypt the traffic across my core but seems unnecessary as we own the complete network.
  2. Use VPNv4 to provide the same reachability. In this the traffic will not be segregated in core as well like in IPSec solution but will not have encryption. I think one add-on will be to have VPNv4 also over IPSec tunnels in core.

My question to all the folks is: how does VPNv4 (without the IPSec add-on) compare with the IPSec solution, and why do we generally prefer VPNv4 in this kind of scenario? In both cases, to extend the solution to more sites we need to add a VRF or a tunnel.

I just don't see the disadvantages. All inputs are appreciated.


