Use Case for Configuring Group VPNv2
Group VPNv2 is the name of the Group VPN technology on MX5, MX10, MX40, MX80, MX104, MX240, MX480, and MX960 routers. Group VPNv2 is different from the Group VPN technology implemented on SRX Security Gateways. The term Group VPN is sometimes used in this document to refer to the technology in general, not to the SRX technology.
Today’s networks support critical applications such as distributed computing, voice, and video over IP, which all require real-time branch-to-branch communication. With the increasing use of applications that are highly sensitive to latency and other delays, enterprise networks are tending toward meshed configurations where remote sites are directly connected to each other rather than through a central site. To provide the required infrastructure for supporting such applications and technologies, large service provider and enterprise networks implement any-to-any connectivity through IP VPNs and MPLS networks.
Although IP VPN and MPLS services separate enterprise traffic from the public Internet to provide security, there is an increasing need for enterprises to also encrypt private WANs that are built using service provider networks such as BGP over MPLS. In recent years, government regulations, such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry Data Security Standard (PCI DSS), mandate encryption even over private IP networks.
Hub and spoke VPNs solve the problem of secure communication for enterprise WANs over the public Internet. For private IP and MPLS networks, Group VPNv2 addresses the above-mentioned issues across multiple sites using a group IPsec security paradigm.
Group VPNv2 on certain MX Series routers with MS-MIC-16G or MS-MPC-PIC line cards provides tunnel-less any-to-any encryption between devices in a private IP and MPLS network. Each device is a group member, using the same IPsec security association (SA) pair and keys provided by one or more Cisco Group Controllers or Key Servers (GC/KS).
Group VPNv2 is manageable and scalable. It provides any-to-any encrypted communication by replacing statically configured pair-wise IKE connections per peer with a dynamic group key management system. By providing encryption across private IP and MPLS networks, the Group VPNv2 implementation simplifies the management of secure branch-to-branch communication.
In addition to simplified key management, reduced latency, and improved any-to-any connectivity capabilities, Group VPNv2 also provides encryption for all WAN traffic, providing security compliance for internal governance and regulations.
Configuring Group VPNv2 provides an innovative and scalable solution to protect enterprise traffic as it passes through the meshed private WAN. Group VPNv2 optimizes network utilization and provides increased revenue by maintaining full-mesh connectivity and routing paths with existing MPLS backbones, eliminating the management and performance cost of a traditional full-mesh VPN network.