MPLS and GRE

Hi!
I'm a network admin for a small company; we have offices in a few countries and recently ordered managed circuits from Orange Business Services. Up to now we have been running VPNs over the internet.
I know MPLS quite well, MP-BGP etc., and the plan is (hopefully not was) to run MPLS between the offices to be able to separate different security zones without having to use ACLs, firewalls, etc. Our company has different divisions that need full separation.
So, the platform I chose is the 2811 + sec bundle. In a lab I have put up a full mesh of GRE tunnels, running OSPF/MP-BGP and mpls ip on the GRE interfaces. All works quite well. I add the encryption on top and it works if I use ESP (not AH).
We are going to be running GRE tunnels over Orange and also over the Internet as backup. We are price sensitive.
I'm looking for a validation of this setup; is this OK? It's not the strongest platform, but circuit speed is around 10-20 Mbps.
Is there some other tunneling technology that I should be using?
Any other general thoughts on a setup like this?
I used an IPsec profile configuration on the GRE tunnel. I'm looking to minimize the overhead; encryption is perhaps not the biggest issue over the OBS network, so if there is a faster or better way I would be really interested.

Hello Benedikt,
You can check with Orange if they can provide a Carrier Supporting Carrier service and see how it is priced.
In this way you wouldn't need the GRE tunnel mesh over the Orange VPN service.
About your solution, I'm afraid about performance: 20 Mbps is fine for a 2811, but not with GRE and encryption, even if you have the HW security module on board.
The CSC could be lighter at the forwarding level.
Security issues are reduced in an MPLS VPN service.
Have a look at the following link:
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sbb2scsc.html
Hope to help
Giuseppe

Similar Messages

  • Sup32 and mpls over gre

    Does Sup32 on a 7600 router support MPLS over GRE? My uplinks to the core are connected via Sup32.

    Hello Atif,
    In the following link is the datasheet of Sup32:
    http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/product_data_sheet0900aecd801c5cab_ps368_Products_Data_Sheet.html
    Table 1 contains the following:
    • Hardware-enabled MPLS: Enables use of VPNs and Layer 2 tunneling while improving traffic engineering for QoS and adding multiprotocol support
    • Hardware-enabled IPv6: Expands available IP addresses, enabling better address allocation and address aggregation and supporting greater end-to-end connectivity and services
    • Hardware-enabled GRE tunnels for IP traffic
    Be aware that performance is limited in comparison to Sup720, as shown in Table 2.
    Hope to help
    Giuseppe

  • Need clarity on MPLS and the various MTUs

    Hi All,
    I'd like some clarification on MTUs and how they are affected by MPLS. This is my current understanding of a standard IP over Ethernet frame:
    Ethernet MTU = 1514
    IP MTU = 1500
    TCP MSS = 1460
    1. If this is correct, what happens to the above sizes when MPLS adds one label?
    2. Next, what happens when MPLS adds a second label for VPN/VRF?
    3. Do you have to re-configure switches along the path to accommodate larger Ethernet frames?
    4. Also, how do the above sizes relate to the MPLS MTU, and how will it change depending on one or two labels?
    Next, what happens when you try to run MPLS over GRE, which I understand has the following characteristics:
    Ethernet MTU = 1490 (inside the tunnel)
    IP MTU = 1476
    TCP MSS = 1436
    5. Since you cannot adjust the Ethernet MTU of a tunnel, as it's dependent on its carrier interface, what adjustments will be needed in the above to make it work with one or two labels?
    6. Last question: ip tcp adjust-mss can be used to reduce fragmentation of TCP packets in the above environments. Will it work if applied to the PE (Ethernet) interface linking to a P? In other words, will the MSS adjustment occur before label switching?
    7. In the question above, will ip tcp adjust-mss work in both directions, e.g. ingress & egress of the MPLS?
    If anyone can clarify the above related concepts I would greatly appreciate it.
    Thanks,
    Roman.

    1- Correct. Assuming you configure "mpls mtu xx", where xx is greater than 1500 (1524 would allow for 6 labels), the ethernet frame would be 4 bytes more.
    2- The ethernet frame would be 8 more bytes (4 bytes per label).
    3- It depends. Some switches support baby giants (frames slightly larger than 1500 bytes) by default, some others have to be explicitly configured for it, and some others don't support it at all.
    4- As mentioned above, each mpls label requires 4 additional bytes so "mpls mtu 1524" allows for 6 labels.
    5- Why do you want to do MPLS over GRE?
    6- If you configure "mpls mtu" and all switches in your MPLS core support baby giants, you will not have fragmentation. Fragmentation is not good and you probably do not want to see it in your core.
    7- see 6.
    Hope this helps,

  • MPLS over GRE Tunnel

    Hi,
    Can anyone guide me about the benefits of MPLS over GRE tunnels? Does this serve the purpose of MPLS (except TE, which I suppose is not possible on GRE tunnels), as Layer 3 is already involved before label switching even starts?
    Thanks and regards,
    Shakeel Ahmad

    I have a problem with MPLS over GRE. When I try to apply a policy to shape the traffic, it seems that the class-default doesn't see the MPLS packets.
    I'm trying to shape the traffic to 256k but it seems that the shaping is never activated.
    Anyone have any idea how to solve this?
    Example:
    class-map match-all PING
     match access-group 171
    policy-map class-default
     class PING
      bandwidth percent 15
    policy-map PING
     class class-default
      shape average 256000
      service-policy class-default
    interface xx
     service-policy output PING
    access-list 171 permit icmp any any

  • MPLS over GRE sample config....

    Can anybody paste a working config of MPLS over GRE?
    I am looking for the tunnel config and any related global config.
    thanks
    Umar

    You can try this link for GRE configuration
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml

  • MPLS over GRE tunnels

    Hi: Are there any MTU issues with running MPLS over GRE tunnels?
    What will be the MTU size?
    Thank you

    GRE has an overhead of 24 bytes, and can directly interfere with the MPLS overhead. The MTU associated with an MPLS packet is broken down like so:
    Ethernet payload: 1500
    802.1q header: 18
    AToM header: 4 (required for ATM and FR only)
    AToM label: 4
    LDP label: 4
    TE label: 4
    MPLS Fast Reroute: 4
    Total = 1538
    Granted, you may not configure all of the features above in your MPLS network, but this is a good baseline to use for the MPLS MTU. You need to configure the core network to accept an MTU of at least 1538 bytes, without GRE.
    You need to ensure that your GRE tunnels can support an MTU greater than 1562 if you plan to implement additional MPLS features like TE and AToM.
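    A small Python calculator for the header budgets discussed in this answer and in the MTU answer to Roman's questions above, extended to the ESP-over-GRE case the original poster is running. This is an added example, not code from any of the posts; the GRE, label, IPv4 and TCP sizes are protocol constants, while the ESP figures assume transport-mode ESP with AES-CBC and HMAC-SHA1-96, which is an assumed cipher suite rather than anything the threads state.

```python
"""Header-overhead budget for MPLS over GRE, optionally inside IPsec ESP.

Added worked example for the MTU questions on this page; not code from any
of the posts. GRE (4 bytes plus a 20-byte outer IPv4 header), 4 bytes per
MPLS label and 20-byte IPv4/TCP headers are protocol constants. The ESP
figures assume transport-mode ESP with AES-CBC (16-byte IV, 16-byte block)
and HMAC-SHA1-96 (12-byte ICV); that cipher suite is an assumption.
"""

IPV4_HDR = 20   # IPv4 header without options
GRE_HDR = 4     # basic GRE header (no key, sequence or checksum fields)
TCP_HDR = 20    # TCP header without options
LABEL = 4       # one MPLS label stack entry

# ESP transport mode with AES-CBC / HMAC-SHA1-96 (assumed suite, see above)
ESP_FIXED = 4 + 4 + 16 + 12   # SPI + sequence number + IV + ICV
ESP_TRAILER = 2               # pad length + next header
ESP_BLOCK = 16                # the padded region must align to this

# Per-feature byte budget exactly as posted in the MTU answer above
THREAD_BASELINE = {"ethernet payload": 1500, "802.1q header": 18,
                   "atom header": 4, "atom label": 4, "ldp label": 4,
                   "te label": 4, "fast reroute label": 4}

def max_labels(mpls_mtu, ip_mtu=1500):
    """Labels that fit between the IP MTU and a configured 'mpls mtu'."""
    return max(0, (mpls_mtu - ip_mtu) // LABEL)

def core_frame_size(components, gre=False):
    """Sum a per-feature budget; gre=True adds the 24-byte GRE encapsulation."""
    total = sum(components.values())
    return (total + IPV4_HDR + GRE_HDR) if gre else total

def tunnel_budget(link_ip_mtu=1500, labels=0, esp=False):
    """Largest inner IP packet (the tunnel's 'ip mtu') and matching TCP MSS
    that cross a path of the given IP MTU without fragmenting the outer
    GRE (or ESP) packet when 'labels' MPLS labels ride inside the tunnel."""
    inside = GRE_HDR + labels * LABEL   # GRE header plus label stack
    if esp:
        # GRE header, labels, inner packet, padding and trailer all sit in
        # the block-aligned encrypted region; rounding the space down to a
        # whole number of blocks covers the worst-case padding
        room = link_ip_mtu - IPV4_HDR - ESP_FIXED
        aligned = room - room % ESP_BLOCK
        inner = aligned - ESP_TRAILER - inside
    else:
        inner = link_ip_mtu - IPV4_HDR - inside
    return {"ip_mtu": inner, "tcp_mss": inner - IPV4_HDR - TCP_HDR,
            "overhead": link_ip_mtu - inner}

if __name__ == "__main__":
    print("core baseline:", core_frame_size(THREAD_BASELINE),
          "with GRE:", core_frame_size(THREAD_BASELINE, gre=True))
    print("labels allowed by 'mpls mtu 1524':", max_labels(1524))
    for labels, esp in ((0, False), (2, False), (2, True)):
        print(f"labels={labels} esp={esp}:", tunnel_budget(1500, labels, esp))
```

    With no labels and no ESP the result reproduces the 1476 / 1436 figures quoted in the thread; each label inside the tunnel lowers both by 4, and the ESP case shows why the lab setup in the first post costs more than the 24 bytes of GRE alone.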

  • MPLS over GRE Support (Platform)

    Hello,
    I am looking to run MPLS over GRE (over the public Internet), probably with IPsec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality...
    I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering if adding the VSA encryption module (C7200-VSA=) would be enough to get reliable MPLS over GRE tunnel functionality.
    The tunnel with encryption would ideally support up to 500 Mbps.
    My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar), but again CFN is unclear if the ASR100x platform is capable of delivering MPLS over GRE + IPsec.
    Thanks,

    MPLS over GRE is not supported in Hardware for sup720. This is a PFC3 hardware limitation. Your options would be to use SPA-400 or Enhanced FlexWan.

  • ISR G2 and GRE fragmentation/reassembly

    Hi,
    We plan to use GRE tunnels between CPE (ISR G2 if we stick to Cisco routers) and LNS (ASR1006 - L2TP and GRE aggregation), above PPP.
    PPP MTU is 1500 bytes, and the GRE tunnel will set its MTU to 1476 bytes.
    Subscribers link could range from 1M SDSL lines to 16M SDSL/EFM lines.
    Using ip tcp_mss_adjust on the tunnel interface will prevent ip fragmentation from happening for TCP traffic.
    But we could still see ip fragmentation for non TCP traffic (UDP, IPSEC...) with packets > 1476 Bytes.
    For these fragmented datagrams, reassembly will be handled by the destination hosts.
    We are investigating a solution where IP fragmentation/reassembly would be done only between CPE and LNS.
    Usually, in the situation that I have described above, the end-user IP datagrams entering the CPE from a LAN interface and sent through the GRE tunnel are fragmented, then the 2 resulting fragments are encapsulated into 2 GRE packets and sent toward the tunnel destination (the LNS). There, the 2 IP fragments are popped out of the GRE packets and sent toward their IP destination. The destination host has to reassemble the 2 fragments.
    The idea would be to configure an IP MTU = 1500 at the GRE interface level, so that the end-user IP datagram will not be fragmented. The CPE will create a 1524 bytes GRE datagram, and fragment the GRE datagram (not the end-user datagram encapsulated within). The 2 fragments will be sent to the GRE tunnel destination (the ASR1006), and the ASR will reassemble the initial GRE packet, and pop the end-user IP datagram from it.
    => the end-user systems won't see any fragmentation of their traffic,
    => most of the traffic is TCP and will never be fragmented thanks to mss_adjust, so this mechanism will only be triggered by non-TCP packets > 1476B,
    => the CPE and LNS will have to handle IP GRE reassembly for non-TCP traffic, for packets > 1476 bytes.
    At the LNS side, this process is handled on QFP (with hardware acceleration), and maybe we will ask for a CPOC to check ASR performance with ESP40 and ESP100.
    At the CPE side, it is more than likely done in process switching. Anyway, in the worst case scenario, 16Mb/s full duplex needs only 2666 packets per second to fill the line both ways (1333 pps downstream, 1333 upstream).
    Is 2666 pps (== 5333 fragments per second) something that an ISR G2 CPE (cisco898/lantic, c1941 and above) can handle without CPU exhaustion?

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    Since what you're doing is somewhat unusual, you'll probably not find performance documentation for it.
    Even if you had process switching performance values, I suspect fragmentation processing might be even worse.
    About a year ago, I had a case of a pair of 2800s taking a huge jump in CPU usage. These routers were using GRE tunnels and were configured with mss-adjust. However, a remote site added a few security cameras which sent their video via UDP, and as you noted, mss-adjust did not help those streams.
    Our "cure" was usage of jumbo Ethernet on VPN backside which avoided the need to fragment any 1477..1500 sized packets.  CPU utilization hugely dropped for the same volume of traffic.
    So, at least on the 2800 series, fragmentation was very CPU intensive.  BTW, it didn't show as process CPU; it was part of interrupt CPU.
    Unfortunately, we didn't bother trying to analyze how "costly" the fragmentation was relative to PPS, but for traffic before vs. after, with and without fragmentation, CPU hit was huge (something like 20% vs. 80%).

  • MPLS and ATM configuration

    Please, I need some information about configuring MPLS and ATM and the addcon command.
    thanks

    Please look at the following documents and let me know if they address the questions you have.
    Integrating MPLS with IP and ATM :
    http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee108.html
    Configuring MPLS with the BPX Switch and the 6400/7200/7500 Routers:
    http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee112.html
    Designing MPLS for ATM:
    http://www.cisco.com/en/US/partner/products/sw/ps2346/ps99/products_configuration_guide_chapter09186a00800ee110.html
    Let me know if this helps,

  • Difference between organization and GRE

    Hi All,
    I would like to know what is the difference between an Organization and GRE?
    Thanks
    Anil

    Organization is a generic term and can be of any classification (Business Group, HR-Organization, Legal-Entity a.k.a. GRE, etc.).
    Whereas a GRE is an organization with classification as GRE, a.k.a. Legal Entity / Legal Employer / Tax Unit.
    If you're referring to the organization on the Person-Assignment screen, it is the HR-Organization.
    Cheers,
    VB

  • Load balance between MPLS and VPN

    Dear All
    There are two locations, site A and site B. I am confused with it. Can anyone help me to understand it? Sites A and B are connected with two paths. One is MPLS and another is VPN over the internet. We want MPLS as the primary path and L2L VPN as backup. Only when the primary path is down can the VPN be used. How can we configure it? Can you give me a suggestion, or a link? Thank you.

    Hello yangfrank,
    You can set this up with a floating static route using tracking with IP SLA.
    Your primary route will be via MPLS:
    ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1 (via MPLS)
    ip route 0.0.0.0 0.0.0.0 y.y.y.y 10 (via VPN)
    ip sla 1
    icmp-echo z.z.z.z source interface gix/x (MPLS interface)
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    here are examples:
    http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
    http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
    hope this helps

  • OSI and IPsec and GRE

    Guys, which OSI layer do IPsec and GRE sit in? Which layer do they belong to?

    Hi,
    GRE adds another layer 3 to the existing layer 3 packet.
    IPsec transport mode adds a layer that sits between layer 3 and layer 4, to encrypt data within the layer 4 PDU.
    IPsec tunnel mode encapsulates the existing layer 3 packet in a new layer for encryption, then adds a new layer 3.
    So, generally speaking, IPsec and GRE are said to be layer 3 protocols.
    Cheers:
    Istvan

  • ASA5510 Failover MPLS and DLL

    Hello All,
    I would just like to ask if it is possible for the ASA5510 to do failover?
    Our client is using a single ASA5510, and currently their WAN link is a dedicated leased line connection. Now they are going to use an MPLS connection and would like to make the existing leased line connection their backup line.
    How would I go about doing this? Would I just do some routing changes and add metrics to it? Do I need to have a heartbeat so that the failover would take place?
    Or doing a failover with two wan links (MPLS and DLL) on a single ASA would not work?
    Thank you for your reply! Have a nice day!
    lawrence

    If I understand correctly, your company will migrate to MPLS with a new circuit and would like to keep the existing internet link, using the old circuit as a backup while the MPLS link is the primary. If this is correct, you can try this link, provided the new MPLS is from one ISP and the old leased line is from a different ISP.
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

  • C2600xm MPLS and QinQ support

    Does anybody know an IOS version that supports both MPLS and QinQ? Nearly all advanced enterprise services 12.4 images support QinQ, and some 12.3T, but I believe that later versions of IOS 12.3 and onwards removed MPLS support. I could really do with finding both these features in the same IOS as it would greatly help me study. IOS selector is hard to trust as it doesn't appear to label MPLS support under some IOS images which I know have the commands. Also certain 12.3T IOS images have been deferred, which makes getting them to try hard to begin with.
    So far I have tried the below.
    c2600-adventerprisek9-mz.123-11.T.bin <-- QinQ no mpls
    c2600-adventerprisek9-mz.123-26.bin <-- no QinQ
    c2600-advipservicesk9-mz.123-4.T6.bin <--no QinQ
    c2600-telco-mz.123-26.bin <-- MPLS but no QinQ
    c2600-telco-mz.124-7.bin <- no MPLS
    All the 12.4 IOS have had the tag-switching/MPLS commands removed.
    Any help will be most appreciated!

    Hi,
    If your CEs at both ends are routers, then you can configure both CEs with a sub-interface on the trunk link that is going towards the PE. On this sub-interface of the CEs you can configure an IP address and also, if CEF is enabled on the router and the interface, you can use the mpls ip command on this sub-interface and form an LDP neighborship between both CEs over this L2 circuit.
    Yes MTU size will have to be capable of supporting this increased packet size.
    Regards,
    Shailendra

  • CSS 11501 and GRE

    Greetings:
    I have a 3550-48 EMI switch sitting behind a CSS and I need to establish a GRE tunnel to another switch on the other side of the CSS. In the end configuration it will not be possible to bypass the CSS to establish the tunnel.
    I have successfully established the GRE tunnel between the two switches around the CSS in my lab environment, so I know the basic configuration is correct.
    I have a feeling that the problem lies in the layer-3 translation at the CSS (since GRE uses a different protocol ID than IP).

    I actually have been attempting to NAT. Unfortunately, in my configuration the systems on the "unauthorized" side of the CSS don't know about the internal address of the 3550.
    Can you send me the configuration you used in your lab?
    We currently use the same technique using a PIX as the edge device and it works fine (and I know that the CSS performs a different type of service and is not a firewall by nature).
