
MPLS routes to advertise from CE to PE

j44mistry
Level 1

Hi,

I am new to MPLS and requirements.  

We have a new MPLS circuit being deployed between two sites. 

The ISP has asked me what Routing Protocol, AS number and any LAN subnets I want to be advertised on the CE Router.

Our Customer Router will be running EIGRP and is going to advertise 10.136.16.0/20 and 10.130.0.0 for VPN tunnels already.

So far I have told ISP that routers will need to be running BGP AS65001 on both CE routers at Site A and B.

What LAN routes need to be advertised from CE router ?  

I am hoping to have GRE VPN tunnels initiate from customer router.

Please see attached diagram.

1 Accepted Solution

Accepted Solutions

Jon Marshall
Hall of Fame

Apologies but I didn't read your question carefully enough.

If you are going to be using GRE tunnels (not sure why ?) then you don't need to advertise all local subnets to MPLS.

You just need to advertise the GRE end points, i.e. you need reachability between the routers terminating the GRE tunnels, and then you can simply advertise the local subnets with EIGRP across the tunnel.

Jon


23 Replies

Jon Marshall
Hall of Fame

You need to advertise each site's local subnets from the CE router.

So on the CE router if you are using BGP to peer with the PE then you either use network statements under your BGP configuration or you redistribute EIGRP into BGP.

Note also on each CE you also need to redistribute BGP back into EIGRP as well.

Are you going to be using the same AS number at each site ?

Jon

Hi Jon,

We need GRE Tunnels to keep our data secure. 

So in terms of the diagram I need to advertise 10.136.16.0/20 and the Tunnel Network, which is 10.130.0.0? Or are you saying with GRE I don't?

Is it better to use static or BGP routing in CPE routers?

Yes, my BGP is rusty. Does the AS number need to be the same or different?

Regards,

If you are using tunnels all you need is to advertise the tunnel endpoints.

The internal subnets you use don't need to be advertised to MPLS, only through the tunnel.

Whether to use BGP or statics depends on your SP as much as anything else, i.e. what they prefer and want to use.

If the BGP AS number is the same then you need to use the "allowas-in <num>" command under your BGP configuration.

Jon

Hi Jon,

The tunnels are point to point /30 addresses.  When you say advertise end points is it not better just to advertise the full tunnel network /16 or just /30 network at both ends ?

Also is it better to have same or different AS numbers between two sites ?

I am thinking may be static would be better  just for two sites ?  or is it not good for future growth if we add more sites to MPLS ?

I'm not sure what you mean by full tunnel network ?

If you advertise all the sites' subnets via BGP and then you use EIGRP across the tunnel, the CE router will pick the BGP routes by default because of the lower AD, which would not be what you want.

You can modify this but not sure why you need to advertise the entire internal IP range ?

BGP AS numbers, entirely up to you.

If you use statics then you don't need BGP but then you need statics on your CE device and also the SP needs statics on their PE devices.

They may or may not want to do this.

What have they offered as alternatives ?

Jon
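The route-selection point in the reply above (BGP beating EIGRP on administrative distance), as an added example that is not part of the original thread: it models a CE router's route table and reports protected destinations whose installed route leaves by the MPLS-facing interface instead of the GRE tunnel. The AD values are Cisco IOS defaults; the remote LAN 10.200.0.0/20, the tunnel endpoint 192.0.2.2/32 and the interface names `WAN` and `Tunnel0` are constructed for illustration.

```python
import ipaddress

# Cisco IOS default administrative distances; the lowest value wins.
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20,
              "eigrp": 90, "eigrp-external": 170, "ibgp": 200}

def build_rib(candidates):
    """Install, per prefix, the candidate route with the lowest AD."""
    rib = {}
    for prefix, proto, out_if in candidates:
        net = ipaddress.ip_network(prefix)
        ad = DEFAULT_AD[proto]
        if net not in rib or ad < rib[net][0]:
            rib[net] = (ad, proto, out_if)
    return rib

def lookup(rib, dst):
    """Longest-prefix match; returns (proto, out_if) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    _, proto, out_if = rib[max(matches, key=lambda n: n.prefixlen)]
    return proto, out_if

def leaks(candidates, protected_hosts, tunnel_if="Tunnel0"):
    """Protected destinations whose installed route bypasses the tunnel."""
    rib = build_rib(candidates)
    found = []
    for host in protected_hosts:
        hit = lookup(rib, host)
        if hit is not None and hit[1] != tunnel_if:
            found.append((host, hit[0], hit[1]))
    return found

# Constructed sample routes as seen by one CE (not taken from the thread).
ENDPOINT = ("192.0.2.2/32", "ebgp", "WAN")               # remote GRE endpoint
REMOTE_LAN_VIA_TUNNEL = ("10.200.0.0/20", "eigrp", "Tunnel0")
REMOTE_LAN_VIA_MPLS = ("10.200.0.0/20", "ebgp", "WAN")

ENDPOINTS_ONLY = [ENDPOINT, REMOTE_LAN_VIA_TUNNEL]
ALL_SUBNETS_IN_BGP = [ENDPOINT, REMOTE_LAN_VIA_MPLS, REMOTE_LAN_VIA_TUNNEL]

if __name__ == "__main__":
    for name, routes in (("endpoints only", ENDPOINTS_ONLY),
                         ("all subnets in BGP", ALL_SUBNETS_IN_BGP)):
        print(name, leaks(routes, ["10.200.1.10"]))
```

If encryption is later added on the tunnel, the second case is the one to watch for: the LAN prefix would be routed in clear over the MPLS path while the tunnel stays up and looks healthy.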

Hi Jon,

I hope to speak to ISP provider tomorrow to get more info.  

If I want to do an end to end test prior to implementing GRE VPN tunnel , I would still need to advertise LAN subnet ?

I read somewhere that to use same AS number at both sites the provider needs to support eBGP on their network.  

For an end to end test without tunnels yes you need to advertise whatever subnets you want to test between.

I do not understand your last statement.

If you use BGP it will be EBGP between your CE and the SP's PE devices.

Jon

Hi Jon,

I spoke to ISP and looks like I don't need to do GRE VPN tunnel as the IP-Connect service applied for will already be doing IP-VPN. The BGP AS number has to be the same for both sites as it represents the company AS when we add more sites.

I was asked to replace the public point to point addresses I assigned on WAN and LAN links with private addressing.

The CE router will be configured for EIGRP and will redistribute the LAN subnets specified from EIGRP to BGP so I don't really have to do anything on the Customer router.

HTH,

Thanks Both !

Thanks for getting back.

Just for your information, when the SP says it is already doing VPN that doesn't usually mean they are encrypting your traffic as in an IPSEC VPN.

What they probably mean is that they are using MPLS VPNs to keep your traffic separate from any other customers' traffic.

This may be all you need but just thought it worth mentioning.

Jon

Hi Jon,

Oh OK, something to think about as all they said was it was a secure method of transferring data in a private and secure way. They said we would have problems if we did run GRE VPN over it and recommended not to.

Thanks again !!

No problem.

It is a secure method of transferring data because it is a private network unlike the internet and your traffic is kept separate from any other customers' traffic.

It just means your traffic is not encrypted as it goes across the MPLS network.

For a lot of companies though that is good enough.

So unless you have very strict security requirements it's probably nothing to worry about too much.

Jon

Hi Jon,

Yes,  but I guess the VPN is between PE to PE routers and not CE to CE ? 

Regards,

Yes the VPN is PE to PE.

The CE routers do not run MPLS but again that is not usually an issue because the CE device is on the customer premises.

To you as the customer you do not need to know anything about the actual MPLS implementation details, you just treat the MPLS network as a WAN and run standard routing protocols to advertise your subnets.

Jon

Hi Jon,

Do you think it would still be possible for us to do GRE VPN with IPSEC or just IPSEC later on over MPLS circuit  if we wanted to encrypt traffic ?

Also the private point to point /30 addresses assigned for the LAN and WAN were taken from the LAN 10.136.16.0/20 network.   

Does that matter or do they have to be different ?  As eigrp will be advertising 10.136.16.0 /20 on CE.

The P2P addresses are

10.136.31.52 /30 LAN link and 10.131.31.56 /30 WAN link

 
