
MPLS Over GETVPN Over mGRE

Ahmed Shahzad
Level 1

Is it possible to run MPLS over GETVPN? We have a customer who has MPLS connectivity from a service provider, and they want to run their own MPLS over the service provider MPLS. I found the implementation guide for running MPLS over DMVPN, but I am not sure whether the same is true for GETVPN. The reference documents are:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp236761


http://www.cisco.com/web/strategy/docs/gov/IntegNet_Feb17_915_Lynn.pdf

I got the following answer from Cisco PDI:

"Technically, you can only run MPLS over MPLS if the provider is offering Inter-AS option C or CsC services.  What most customers end up doing is running MPLSoGRE where the tunnels are dynamically instantiated under an mGRE interface.  The provider MPLS VPN only sees IP packets from the CE which is acting as the enterprise "PE".

Now that you are encapsulating MPLS in GRE packets, it is quite easy to encrypt the GRE packets across the provider core by simply applying a GET map on the CE's WAN interface.  The policy can be 'permit ip any any' or more specifically defined as 'permit gre any any'.  Since GET won't change the routing relationship, the MPLS VPN service provided by the carrier is very basic ... it simply provides routing between the GRE tunnel end-points.  They will also need to provide routes for the CE (which are acting as Group Members) to reach a Key Server.

Stack looks like this:

User IP
------
Enterprise VPN Label
------
GRE IP
------
GET VPN IPSec
------
WAN Encap
   |
   V
MPLS VPN"


I still have the following queries:

Will the proposed mGRE tunnel with MPLS work fine for direct spoke-to-spoke communication?

Is there any limitation on the design with GETVPN over mGRE and MPLS?

Does anyone have a specific example for such a scenario?


Cheers,


1 Reply

dfusik
Cisco Employee

Ahmed,

Better late than never to get a response! There are two ways to approach this now.

Approach 1: L3VPN over mGRE with GETVPN

Approach 2: 2547 over DMVPN Phase 3 with 'mpls nhrp' (go to slide 110)

Hope this helps!
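
A sketch of the GET VPN side of the design described in the quoted Cisco PDI answer, added here as an example and not taken from the thread or from the linked Cisco documents: the key server pushes a 'permit gre any any' policy, and each CE (group member) applies a GDOI crypto map on its WAN interface. The group name, identity number, key label, interface name, pre-shared key and all addresses (documentation ranges) are assumed placeholders; the mGRE tunnel and MPLS configuration are not shown.

```cisco
! ---- Key Server (must be reachable from every CE through the provider VPN) ----
! The RSA key used to sign rekeys is generated beforehand, for example:
!   crypto key generate rsa general-keys label GET-REKEY modulus 2048
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
!
crypto ipsec transform-set GET-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile GET-PROFILE
 set transform-set GET-TS
!
! Group policy: encrypt only the GRE packets that carry the enterprise MPLS labels
ip access-list extended GET-POLICY
 permit gre any any
!
crypto gdoi group ENT-GET
 identity number 1234
 server local
  rekey authentication mypubkey rsa GET-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GET-PROFILE
   match address ipv4 GET-POLICY
  address ipv4 192.0.2.1
!
! ---- CE acting as enterprise "PE" and GET VPN Group Member ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
!
crypto gdoi group ENT-GET
 identity number 1234
 server address ipv4 192.0.2.1
!
crypto map GET-MAP 10 gdoi
 set group ENT-GET
!
interface GigabitEthernet0/0
 description WAN link to provider MPLS VPN (assumed interface name)
 ip address 198.51.100.2 255.255.255.252
 crypto map GET-MAP
```

After registration, `show crypto gdoi` on the group member should list the ACL downloaded from the key server, including the GRE permit entry.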