Achieving Segmentation Using MPLS over GRE and MPLS VPNs over GRE Solutions
In today's world, an enterprise campus is home to many different and often competing users. Multitenant environments such as universities, airports, and some public-sector networks (including educational networks) fall under this category.
Such enterprises leverage their high-touch intelligent networking infrastructure to provide connectivity and network services for all stakeholders. For instance, different airlines could share one physical airport network and get billed for this connectivity. This setup accelerates the return on network infrastructure investment, and it optimizes network operations and operational expenses through virtualization. Regulatory compliance, mergers and acquisitions (M&A), and network infrastructure consolidation are among the many drivers. For the users of this single physical network, it results in seamless and instant-on delivery of services, which in turn results in increased revenue streams.
MPLS (and MPLS-based applications) has gained a lot of ground because of its capability to provide this virtualization within a large enterprise network while still providing the much-needed segmentation. The technologies you usually hear about are MPLS/LDP over GRE and MPLS VPNs (RFC 2547) over GRE, in addition to a host of other MPLS-based technologies.
Use Case: Self-Managed MPLS and Enterprise Private WAN Segmentation
An enterprise is running a "self-managed" or "self-deployed MPLS" core to achieve this network segmentation. Deploying MPLS (or RFC 2547) over a mesh of GRE tunnels (enterprise provider edge [PE] to enterprise PE) allows the enterprise to extend its MPLS network over almost any IP network. Additional benefits include flexibility of edge router roles (provider [P] or PE), independence from the service provider (SP) cloud (which sees those packets as plain IP packets), and an easier add-on encryption capability, something you can call MPLS over GRE over IPsec. Several large enterprises today are running this environment in their production network.
Configurations of such deployments are fairly straightforward: the WAN edge routers (the customer edge [CE] routers) serve as enterprise Ps or PEs (also referred to as E-Ps or E-PEs), as documented in the text that follows.
Figure 12-3 shows the isolated self-deployed enterprise MPLS clouds that are connected together via an SP MPLS core using LDP over GRE.
Figure 12-3 Enterprise PEs (E-PE) are connected across the enterprise-owned/managed MPLS cloud.
A point-to-point GRE tunnel is set up between each WAN edge router pair if a full mesh is desired. From a control-plane perspective, the following protocols are to be run within the GRE tunnels:
- An IGP such as EIGRP or OSPF for MPLS device reachability. (This makes the E-PE, E-P, and route reflectors [RRs], if configured, reachable to each other.)
- LDP, to allow the formation of LSPs over which traffic is forwarded.
- MP-iBGP for VPN route and label distribution between the E-PE devices.
You will need to configure MPLS labeling, using the mpls ip command, on the tunnel interfaces rather than on the WAN edge router physical interfaces. You can verify this configuration with the show platform software interface command:
E-PE-SF(config)# interface Tunnel10
 description GRE tunnel to E-P-NY
 bandwidth 10000
 ip address 172.16.10.5 255.255.255.0
 ip mtu 1400
 mpls ip
 tunnel source Loopback10
 tunnel destination 10.10.10.1

E-PE-SF# sh platform software interface fp active name Tunnel10
Name: Tunnel10, ID: 24, CPP ID: 25, Schedules: 0
----output truncated----
Flags: ipv4, mpls
ICMP Flags: unreachables, redirects, no-info-reply, no-mask-reply
ICMP6 Flags: unreachables, redirects
Dirty: unknown
AOM dependency sanity check: PASS
AOM Obj ID: 1081
Figure 12-4 shows the end-to-end protocol stacks for an MPLS/LDP over GRE scenario.
Figure 12-4 Protocol stacks for packets at both Ps and in the MPLS cloud.
This effectively creates an LSP from E-P-SF to E-P-NY, and the intermediate SP cloud does not have to be an MPLS-based service.
Figure 12-5 shows the end-to-end protocol stacks for an MPLS VPNs over GRE scenario, or something also known as 2547 VPNs over GRE.
Figure 12-5 Protocol stacks at both PEs and in the MPLS cloud.
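To make the protocol stacks in Figures 12-4 and 12-5 concrete, the following Python example (added here; it is not code from the book or from Cisco IOS) builds an MPLS-over-GRE packet layer by layer, parses it back the way the far-end E-PE would at tunnel exit, and computes the encapsulation overhead that motivates the "ip mtu 1400" setting on Tunnel10. All addresses and label values are constructed sample values.

```python
import ipaddress
import struct

IP_PROTO_GRE = 47         # outer IPv4 protocol number for GRE
GRE_PROTO_MPLS = 0x8847   # GRE protocol type for MPLS unicast
IPV4_HDR_LEN, GRE_HDR_LEN, MPLS_SHIM_LEN = 20, 4, 4   # GRE with no options

def _checksum(data):
    """RFC 1071 one's-complement sum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    total = (total & 0xFFFF) + (total >> 16)
    return ~((total & 0xFFFF) + (total >> 16)) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                      0, 0, ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def mpls_shim(label, exp=0, bos=0, ttl=64):
    """One 32-bit label stack entry: label(20) | EXP(3) | S(1) | TTL(8)."""
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)

def encapsulate(inner_ipv4, labels, tunnel_src, tunnel_dst):
    """Figure 12-5 stack: outer IPv4 | GRE | MPLS labels | inner IPv4."""
    stack = b"".join(mpls_shim(lbl, bos=int(i == len(labels) - 1))
                     for i, lbl in enumerate(labels))
    gre = struct.pack("!HH", 0, GRE_PROTO_MPLS)   # flags/version 0
    payload = gre + stack + inner_ipv4
    return ipv4_header(tunnel_src, tunnel_dst, IP_PROTO_GRE, len(payload)) + payload

def decapsulate(packet):
    """Strip outer IPv4 + GRE, pop labels to the S bit; return (labels, inner)."""
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("outer header is not GRE")
    pos = (packet[0] & 0x0F) * 4
    flags, proto = struct.unpack("!HH", packet[pos:pos + GRE_HDR_LEN])
    if flags or proto != GRE_PROTO_MPLS:
        raise ValueError("unexpected GRE flags or protocol type")
    pos, labels = pos + GRE_HDR_LEN, []
    while True:
        entry, = struct.unpack("!I", packet[pos:pos + MPLS_SHIM_LEN])
        labels.append(entry >> 12)
        pos += MPLS_SHIM_LEN
        if (entry >> 8) & 1:            # bottom of stack reached
            return labels, packet[pos:]

def tunnel_overhead(num_labels):   # bytes the tunnel adds; why Tunnel10 has 'ip mtu 1400'
    return IPV4_HDR_LEN + GRE_HDR_LEN + MPLS_SHIM_LEN * num_labels
```

With a transport label plus a VPN label the tunnel adds 32 bytes, so a 1400-byte inner packet still fits a 1500-byte SP link; the SP only ever sees protocol 47 in the outer header, which is why the GRE mesh alone provides no confidentiality and IPsec is the natural add-on.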
Full-mesh point-to-point (p2p) GRE tunnels can easily become an administrative hassle in a network with a large number of WAN edge routers. In those cases, enterprises can also consider 2547 over Dynamic Multipoint VPN (DMVPN), or 2547 over mGRE over IPsec, to ease the burden of tunnel administration. These solutions will be supported on the ASR 1000 in future IOS XE versions.
The Cisco ASR 1000 provides the flexibility needed to meet the changing business requirements that drive virtualization in today's multitenant enterprise networks. It supports MPLS/2547 over GRE solutions natively at serial, Fast Ethernet, Gigabit Ethernet, and even 10 Gigabit Ethernet speeds and higher, with the unique capability to perform all these encapsulations inside the single QFP chipset.