03-14-2012 09:45 AM - edited 03-04-2019 03:39 PM
Hi all,
Some of you may know I have been asking various questions related to a University project, so I have another question regarding this. We have multiple offices and the plan is to connect them via the ISP's MPLS service. I want to be able to send routing updates across the MPLS WAN, so am I correct in thinking that using GRE tunneling is a good method? Then maybe using IPSEC to provide encryption?
Thanks
Tony
03-14-2012 10:07 AM
In addition, would I technically be using an IPSec tunnel with GRE as the carrier protocol?
03-14-2012 10:09 AM
Hi Tony,
Yes, it is certainly possible.
I assume that you will be making a tunnel from loopback to loopback. In that case, you just need to make sure that those loopbacks are also sent into the MPLS cloud.
However, my question and concern is why you need to make a tunnel, when you can run a routing protocol without tunnels (at least OSPF is what I'm aware of).
Regards,
Smitesh
03-14-2012 10:13 AM
Thanks Smitesh.
Why would I need to do loopback to loopback? Can I not just configure tunnel interfaces at either side?
As far as I know, because it is not a point to point WAN connection then I need to run a tunnel between sites for routing updates.
Regards
Tony
03-14-2012 10:26 AM
Certainly, you can make a tunnel from interface to interface.
However, industry best practice is to use loopback interfaces.
Just as an example, VPLS is also an MPLS variant, and over that you can run any protocol.
Even if we forget VPLS, in MPLS you can also run at least OSPF (which I'm aware of).
Regards,
Smitesh
03-14-2012 11:10 AM
Smitesh
I would not agree that it is industry best practice to do loopback to loopback for tunnels that will be GRE with IPSec. I see many of them done using the outside/public interface as the peering address rather than loopback. Since one requirement for the GRE/IPSec tunnel is that the peer address be reachable, it is frequently easier to accomplish this with interfaces that have public addresses than it is with loopback interfaces which frequently have private IP addresses.
I believe that another factor which might impact the decision of which interface to use as the tunnel peer address might be that since the loopback interface is frequently used for management functions you would frequently want to advertise the loopback address with the dynamic routing protocol that runs over the tunnel. If you are advertising the loopback through the tunnel then you cannot use the loopback as the tunnel peer address since that would create the recursive routing problem.
Since Tony tells us that this is for an MPLS network the question of public vs private address may not be such an issue. But I still believe that using the address of the interface that connects the router to the MPLS cloud would be a good choice for the tunnel peer address.
HTH
Rick
[edit] I do agree with the point that Smitesh makes that many MPLS networks do support running a dynamic routing protocol within the MPLS cloud and that using tunnels may not be required to get routing updates between the various sites participating in the MPLS.
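Rick's recursive-routing point can be checked on a routing table before the tunnel is ever configured: if the best route to the tunnel's destination address exits through the tunnel itself, the tunnel cannot stay up. The script below is an added example (my own code, not from this thread or from Cisco); the two routing tables, interface names and addresses are constructed for illustration, and the lookup is a plain longest-prefix match over static entries rather than anything read from a router.

```python
import ipaddress

# Constructed routing tables for a hub router (example data, not from the thread).
# Each entry is (prefix, outgoing interface); forwarding uses longest-prefix match.
# Case A: the remote loopback is both the tunnel destination and a prefix learned
# through the tunnel, which is the recursive-routing situation Rick describes.
ROUTES_LOOPBACK_PEER = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),      # default route toward the MPLS PE
    ("10.2.0.0/24", "Tunnel0"),               # remote LAN, learned by OSPF over the tunnel
    ("192.168.255.2/32", "Tunnel0"),          # remote loopback, also learned over the tunnel
]
# Case B: the tunnel peers on the MPLS-facing WAN addresses; the loopback can still be
# advertised over the tunnel because it is no longer the tunnel destination.
ROUTES_WAN_PEER = [
    ("0.0.0.0/0", "GigabitEthernet0/0"),
    ("10.2.0.0/24", "Tunnel0"),
    ("192.168.255.2/32", "Tunnel0"),
    ("172.16.2.0/30", "GigabitEthernet0/0"),  # remote site's WAN subnet, learned from the provider
]


def lookup(routes, destination):
    """Longest-prefix match. Returns (network, interface) or None if nothing matches."""
    dest = ipaddress.ip_address(destination)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def tunnel_is_recursive(routes, tunnel_iface, tunnel_destination):
    """True when the best route to the tunnel destination leaves via the tunnel itself.

    Cisco IOS detects this condition at runtime and shuts the tunnel down; doing the
    same test on a static table lets the design be validated before deployment."""
    best = lookup(routes, tunnel_destination)
    return best is not None and best[1] == tunnel_iface


def audit(routes, tunnel_iface, tunnel_destination):
    """Human-readable verdict for one tunnel."""
    best = lookup(routes, tunnel_destination)
    via = "no route" if best is None else f"{best[0]} via {best[1]}"
    verdict = "RECURSIVE" if tunnel_is_recursive(routes, tunnel_iface, tunnel_destination) else "ok"
    return f"{tunnel_iface} -> {tunnel_destination}: {via} [{verdict}]"


if __name__ == "__main__":
    print(audit(ROUTES_LOOPBACK_PEER, "Tunnel0", "192.168.255.2"))
    print(audit(ROUTES_WAN_PEER, "Tunnel0", "172.16.2.2"))
```

Case A flags the tunnel as recursive because the /32 for the remote loopback wins the longest-prefix match and points back into Tunnel0; case B is fine because the tunnel destination resolves through the MPLS-facing interface, which is the choice Rick recommends.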
03-14-2012 03:01 PM
Thanks for that. So how do I know if I am required to use tunneling or not?
Also, by using the public address on the router as the tunnel address, would that not create problems?
03-16-2012 06:12 PM
Tony
We do not know enough about your environment or about your provider and the capabilities of their MPLS offering to be able to say whether you would need to use tunnels or not. Probably the best thing would be to ask for information from the provider about the capabilities of their MPLS offering, and perhaps to ask them specifically whether they support sending routing updates between sites over the MPLS. Many providers do support this, but only your provider can know for sure what applies to your implementation.
Using a public address as the peer address for a tunnel does not necessarily cause problems. You could certainly create a problem in configuring a tunnel using the public address, but you can also create problems when configuring tunnels and using private addresses for the peer address.
HTH
Rick
03-17-2012 02:50 AM
Tony
Thanks for that. So how do I know if I am required to use tunneling or not?
Also, by using the public address on the router as the tunnel address, would that not create problems?
My 2 cents here.
Whether you use public or private IP addressing, you can use GRE/IPsec tunneling. However, if you are going to run GRE over the public world then definitely use IPSec as well. If you want to run GRE on private infrastructure you can run it either with or without IPsec. I have worked on a govt project where we set up IPVPN for different sites and used GRE tunnels in a hub and spoke fashion. We used IPsec as well for security purposes. One consideration you need to keep in mind is MTU and fragmentation issues. GRE and IPsec induce a fair bit of overhead so you need to take that into account.
HTH
Kishore
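To put numbers on the overhead Kishore mentions, the calculator below works out how much GRE and then ESP add to an inner packet, the largest inner packet that still fits a 1500-byte link without fragmentation, and the matching TCP MSS. It is an added example (my own code, not from this thread or from any vendor); header sizes are the standard IPv4, GRE and ESP ones, and the cipher suite (AES-CBC with HMAC-SHA1-96) is an assumption, so adjust the IV and ICV lengths for other suites.

```python
# Constructed worked example (not from the thread). Header sizes are the standard
# IPv4, GRE (RFC 2784) and ESP (RFC 4303) ones; the cipher suite is an assumption.
IPV4_HEADER = 20
TCP_HEADER = 20
GRE_HEADER = 4          # flags/version + protocol type; no key, sequence or checksum
ESP_HEADER = 8          # SPI + sequence number
ESP_IV_AES_CBC = 16     # AES-CBC carries a 16-byte IV
ESP_TRAILER = 2         # pad length + next header
ESP_ICV_SHA1_96 = 12    # HMAC-SHA1-96 authentication tag
AES_BLOCK = 16


def esp_overhead(plaintext_len, tunnel_mode=True, iv=ESP_IV_AES_CBC,
                 icv=ESP_ICV_SHA1_96, block=AES_BLOCK):
    """Bytes ESP adds around plaintext_len bytes (AES-CBC + HMAC-SHA1-96 assumed)."""
    # Padding brings (plaintext + trailer) up to a multiple of the cipher block size.
    pad = (-(plaintext_len + ESP_TRAILER)) % block
    overhead = ESP_HEADER + iv + pad + ESP_TRAILER + icv
    if tunnel_mode:
        overhead += IPV4_HEADER     # tunnel mode adds a new outer IP header
    return overhead


def gre_only_total(inner_len):
    """Wire size of an inner IP packet after GRE encapsulation alone."""
    return inner_len + IPV4_HEADER + GRE_HEADER


def gre_ipsec_total(inner_len, tunnel_mode=True):
    """Wire size after GRE encapsulation and then ESP protection of the GRE packet."""
    gre_packet = gre_only_total(inner_len)
    return gre_packet + esp_overhead(gre_packet, tunnel_mode)


def max_inner_mtu(link_mtu=1500, tunnel_mode=True):
    """Largest inner packet that still fits link_mtu after encapsulation.

    Anything larger must be fragmented (or dropped if DF is set), which is the
    issue Kishore flags. The search steps down because ESP padding is not linear."""
    size = link_mtu
    while size > 0 and gre_ipsec_total(size, tunnel_mode) > link_mtu:
        size -= 1
    return size


def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps a full-size segment within inner_mtu."""
    return inner_mtu - IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for mode, label in ((True, "tunnel"), (False, "transport")):
        m = max_inner_mtu(1500, mode)
        print(f"ESP {label} mode: inner MTU {m}, TCP MSS {tcp_mss_for(m)}, "
              f"worst-case overhead {gre_ipsec_total(m + 1, mode) - (m + 1)} bytes")
```

With these assumptions GRE alone adds 24 bytes and GRE plus ESP in tunnel mode adds between 82 and 97 bytes depending on padding, so an inner MTU of 1414 is the ceiling on a 1500-byte link; the common practice of setting the tunnel's IP MTU to 1400 and clamping TCP MSS to 1360 leaves a margin for other ESP variants and for any extra headers the provider inserts.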
03-14-2012 09:55 PM
Hi Richard,
I agree with you on tunnel over loopbacks.
However, I should have been more explanatory when I suggested tunnels over loopbacks.
First thing, when we make a tunnel over loopbacks; definitely for tunnels to form over any internet cloud; we would require source and destination IP addresses.
When I suggested a tunnel over loopback; I assume that tunnels would be either unnumbered or have private IP space and will be built with source and destination IP address under the tunnel configuration.
This type of setup is particularly helpful when you have dual connection ( primary and backup topology); so that when one connection fails; tunnels can be still UP via secondary link.
(edit): We also have RRI which can avoid advertising the loopback over the tunnel, I suppose.
Regards,
Smitesh
03-17-2012 02:11 AM
Hi Tony,
I work at a large ISP.
You need to configure GRE tunnels to pass the routing traffic (e.g. updates, etc.).
You can use any routing protocol since the provider IP/MPLS routes the traffic based only on the IP dest. of the GRE header.
You can then configure IPsec if it is needed to encrypt the traffic too.
You can use any IP addressing for the source or destination of your tunnel, but these IPs should be reachable between the endpoints. The IP/MPLS provider should permit IP protocol number 47 (GRE). Please note: 47 is the IP protocol number of GRE and not a port number inside a TCP or UDP header.
Hope that helps,
Vasilis
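Vasilis's two points, that the provider forwards on the outer IP header alone and that 47 is an IP protocol number rather than a port, are easiest to see on actual bytes. The script below is an added example (my own code, not from this thread): it builds a constructed OSPF packet, wraps it in a basic GRE header and an outer IPv4 header with protocol 47, and then parses it back the way a transit router and the far tunnel endpoint would. All addresses are made up, the OSPF body is a placeholder, and only the base GRE header plus its optional checksum, key and sequence fields are handled.

```python
import struct

GRE_PROTOCOL = 47          # value of the IPv4 "protocol" field for GRE (not a port)
OSPF_PROTOCOL = 89
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" field for an IPv4 payload


def _checksum(data):
    """Standard one's-complement Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip(addr):
    return bytes(int(o) for o in addr.split("."))


def ipv4_packet(src, dst, proto, payload, ttl=64):
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, _ip(src), _ip(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(outer_src, outer_dst, inner_packet):
    """Wrap an IPv4 packet in a basic GRE header (RFC 2784, no optional fields)
    and an outer IPv4 header whose protocol number is 47."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner_packet
    return ipv4_packet(outer_src, outer_dst, GRE_PROTOCOL, gre)


def parse_ipv4(pkt):
    """Return the header fields the forwarding path cares about, plus the payload."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "src": ".".join(map(str, fields[8])),
        "dst": ".".join(map(str, fields[9])),
        "proto": fields[6],
        "payload": pkt[ihl:fields[2]],
    }


def gre_decapsulate(outer_packet):
    """Strip outer IPv4 + GRE; returns (outer_header_dict, inner_header_dict)."""
    outer = parse_ipv4(outer_packet)
    if outer["proto"] != GRE_PROTOCOL:
        raise ValueError("outer packet is not GRE (protocol %d)" % outer["proto"])
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    # Optional 4-byte fields follow the base header when the C, K or S bits are set.
    offset = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer, parse_ipv4(outer["payload"][offset:])


def provider_view(outer_packet):
    """What a transit IP/MPLS router uses to forward: outer destination and protocol."""
    outer = parse_ipv4(outer_packet)
    return outer["dst"], outer["proto"]


# Constructed sample: an OSPF packet between two customer sites, tunnelled over the
# provider. Addresses are made up; the OSPF body is a placeholder, not a real hello.
INNER = ipv4_packet("10.1.1.1", "224.0.0.5", OSPF_PROTOCOL, b"constructed-ospf-body")
OUTER = gre_encapsulate("172.16.1.2", "172.16.2.2", INNER)

if __name__ == "__main__":
    print("provider sees:", provider_view(OUTER))
    outer_hdr, inner_hdr = gre_decapsulate(OUTER)
    print("tunnel endpoint sees inner proto", inner_hdr["proto"], "to", inner_hdr["dst"])
```

The provider only ever inspects the outer header (destination 172.16.2.2, protocol 47), which is why the multicast OSPF destination inside the tunnel never has to be routable in the MPLS cloud, and why a filter that blocks "port 47" would not be the right fix for a tunnel that fails to come up: the filter has to permit IP protocol 47 between the two tunnel endpoints.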
03-17-2012 03:35 PM
How many offices? You aren't suggesting having a tunnel between each and every other one? That'd be a lot!
Besides, if you are talking about a L3VPN MPLS service then you will peer with the service provider routers and they will be part of your routing domain ensuring that all your sites are sharing routing information.
Are you suggesting you have a different kind of MPLS service?