
VPLS over IPSEC

I have fully functioning Layer 2 MPLS running over my network on Cisco ASR 920 routers. One of the links between 2 routers is provided via a 3rd party service provider, though, which requires us to use encryption on this link to protect our data.

I configured a simple site-to-site VPN between these 2 routers by configuring a crypto-map on the interface between them, with the crypto ACL matching interesting traffic between the loopbacks (the loopbacks which are used to create the Pseudowires).

The Crypto SA and IPSEC are up, OSPF is up, LDP is up, and it looks like everything is working, but if I do a "show crypto IPsec sa", the number of matches for encrypted/decrypted packets is too low, considering the Layer 2 traffic I am pushing through this link.

It looks like only LDP packets are being encrypted, not the actual encapsulated MPLS packets.

Am I doing something wrong, or is this even supposed to work?

3 Replies

Philip D'Ath
VIP Alumni

I don't know the answer.

Personally I would use GRE over IPSec, and then run the VPLS over that. More specifically I would use a VTI interface.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/zZ-Archive/IPsec_Virtual_Tunnel_Interface.html

Thanks for your help. I tried running VPLS over plain GRE (without encryption), but somehow cannot get traffic to pass through.

When I turn off MPLS on the physical interface and instead bring up a GRE tunnel and configure MPLS on the GRE tunnel, I am unable to ping across the switches in the same VLAN.

1. Can ping Tunnel source to destination

2. Can ping between Tunnel IPs

3. OSPF is up between routers, advertising the Loopbacks (via the Tunnel)

4. LDP is up between both routers

Would trying with the VTI tunnel be any different (I see tunnel mode is IPsec ipv4 and encryption is enabled) if it doesn't work with plain GRE?

Can it be a limitation with the ASR 920 series?


1. My original plan of matching loopback IPs in the crypto ACL would obviously not work, because the interface sees MPLS labels, not IP headers.

2. VTI tunnels don't seem to be supported on ASR 920s; traffic isn't forwarded over GRE tunnels.
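The OP's point 1 above, and the low encrypt/decrypt counters described in the original question, come down to what a crypto-map ACL can classify on: the outermost IPv4 header. The following Python is an added example, not code from this thread or from Cisco. It builds constructed LDP and VPLS frames, applies a crypto-ACL-style match to the outer header the way a crypto map does, and shows that a labelled frame (EtherType 0x8847) offers nothing for a loopback-based ACL to match, while the same traffic wrapped in GRE between the link addresses does. It also shows the inverse caveat: once everything rides the GRE tunnel, the old loopback ACL matches nothing at all. All addresses, MACs, labels and function names are assumptions chosen for the example.

```python
"""Constructed example: why 'permit ip host lo1 host lo2' in a crypto ACL
only catches the LDP session, not the labelled VPLS payload."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ETH_IPV4, ETH_MPLS = 0x0800, 0x8847
IPPROTO_TCP, IPPROTO_GRE = 6, 47


@dataclass(frozen=True)
class CryptoAce:
    """One 'permit' line of a crypto ACL, e.g. 'permit ip host A host B'."""
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int] = None  # None means 'ip' (any protocol)


def ace(src: str, dst: str, proto: Optional[int] = None) -> CryptoAce:
    return CryptoAce(ipaddress.IPv4Network(src), ipaddress.IPv4Network(dst), proto)


def outer_ipv4(frame: bytes):
    """(src, dst, proto) of the outermost IPv4 header, or None when the frame
    carries something else (an MPLS label stack, for instance) on top."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ip = frame[14:]
    if ethertype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    return (ipaddress.IPv4Address(ip[12:16]), ipaddress.IPv4Address(ip[16:20]), ip[9])


def crypto_acl_matches(acl, frame: bytes) -> bool:
    """Would this crypto ACL select the frame for encryption?"""
    hdr = outer_ipv4(frame)
    if hdr is None:
        return False  # no IP header: the crypto map never sees it
    src, dst, proto = hdr
    return any(src in a.src and dst in a.dst and a.proto in (None, proto) for a in acl)


def encryption_coverage(acl, frames) -> tuple:
    """(encrypted, total): the gap you would see in 'show crypto ipsec sa'."""
    return sum(crypto_acl_matches(acl, f) for f in frames.values()), len(frames)


# --- constructed frames (hypothetical addresses, MACs and labels) -----------
def eth(ethertype: int, payload: bytes) -> bytes:
    return bytes([2, 0, 0, 0, 0, 2]) + bytes([2, 0, 0, 0, 0, 1]) + struct.pack("!H", ethertype) + payload


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # checksum left at 0: the classifier above does not verify it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def mpls_label(label: int, bottom: bool, ttl: int = 64) -> bytes:
    # label(20) | EXP(3) | S(1) | TTL(8)
    return struct.pack("!I", (label << 12) | (int(bottom) << 8) | ttl)


def gre(src: str, dst: str, proto_type: int, payload: bytes) -> bytes:
    # GRE header: flags/version 0, then the encapsulated protocol type
    return eth(ETH_IPV4, ipv4(src, dst, IPPROTO_GRE, struct.pack("!HH", 0, proto_type) + payload))


PE1_LO, PE2_LO = "10.0.0.1", "10.0.0.2"        # loopbacks, pseudowire endpoints
PE1_LINK, PE2_LINK = "192.0.2.1", "192.0.2.2"  # third-party link / tunnel endpoints

LDP_PKT = ipv4(PE1_LO, PE2_LO, IPPROTO_TCP, struct.pack("!HH", 646, 646) + b"\x00" * 16)
CUSTOMER = eth(ETH_IPV4, ipv4("172.16.1.10", "172.16.1.20", IPPROTO_TCP, b"\x00" * 20))
LABELLED = mpls_label(16, False) + mpls_label(100, True) + CUSTOMER  # transport + VC label

NATIVE = {"ldp_session": eth(ETH_IPV4, LDP_PKT), "vpls_payload": eth(ETH_MPLS, LABELLED)}
OVER_GRE = {"ldp_session": gre(PE1_LINK, PE2_LINK, ETH_IPV4, LDP_PKT),
            "vpls_payload": gre(PE1_LINK, PE2_LINK, ETH_MPLS, LABELLED)}

LOOPBACK_ACL = [ace(f"{PE1_LO}/32", f"{PE2_LO}/32")]                  # permit ip host lo1 host lo2
TUNNEL_ACL = [ace(f"{PE1_LINK}/32", f"{PE2_LINK}/32", IPPROTO_GRE)]    # permit gre host t1 host t2

if __name__ == "__main__":
    for design, acl, frames in (("loopback ACL, native MPLS", LOOPBACK_ACL, NATIVE),
                                ("loopback ACL, MPLS over GRE", LOOPBACK_ACL, OVER_GRE),
                                ("GRE-endpoint ACL, MPLS over GRE", TUNNEL_ACL, OVER_GRE)):
        for name, frame in frames.items():
            print(f"{design:32s} {name:13s} encrypted={crypto_acl_matches(acl, frame)}")
        print(f"{design:32s} coverage={encryption_coverage(acl, frames)}")
```

The `encryption_coverage` pair is the number to compare against the SA counters: when only the control-plane packets are classified, the pseudowire payload is crossing the third-party link in cleartext, which is exactly the exposure the thread is trying to avoid. A VTI does not use a crypto ACL at all (everything routed into the tunnel is protected), but it depends on the same prerequisite: the platform must forward the labelled traffic into the tunnel, which is the step the OP reports failing on the ASR 920.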