Another alternative to interconnect enterprise MPLS VPN networks over a WAN IP service is to create a mesh of GRE tunnels over the WAN IP cloud and enable label switching on the GRE interfaces. This setup achieves two benefits:
As shown in Figure 7-12, in this scenario, the WAN edge router plays the role of an E-P device. Figure 7-12. MPLS over GREA p2p GRE tunnel is set up between each edge router pair if a full mesh is desired. From a control-plane perspective, the following protocols are expected to be run within the GRE tunnels:
After the GRE tunnels have been established, the configuration of this solution exactly matches that used to deploy MPLS over Layer 2 circuits. The only difference is that instead of enabling label switching on the WAN interfaces, it is enabled on the tunnel interfaces. Therefore, the command-line interface (CLI) should look like this: interface Tunnel0 description GRE tunnel to E-P2 bandwidth 1000 ip address 172.16.100.2 255.255.255.0 ip mtu 1400 tag-switching ip ip ospf network broadcast ip ospf priority 0 tunnel source Loopback0 tunnel destination 10.126.100.254 After the route/label distribution has been completed in the control plane, the enterprise edge device acts like a label switching router (LSR/P) where it treats the GRE interfaces as normal access interfaces. Figure 7-13 shows end-to-end packet flow between campus networks/MANs. Figure 7-13. MPLS over GRE Packet FlowThe figure shows how the MPLS label (LDP2) is maintained constant between the E-P routers. The LDP2 label remains constant because the GRE tunnel overlay makes the two E-P routers appear as directly connected. The figure also shows the encapsulating GRE header used as the packet traverses the service provider cloud. Note that the header is imposed by the E-P routers and that the tunnels are established based on the IP reachability in the provider cloud. The latter is represented by the IP2 portion of the header. The traffic inside the service provider cloud may or may not be MPLS switched, thus the service provider LDP and service provider VPN labels are present only if the service is an MPLS VPN. However, this should be of no concern to the enterprise and is mentioned here only for completeness. Figure 7-14 shows an interesting variation of the use of VPNs over GRE tunnels. In this scenario, the WAN edge devices are also acting as E-PE devices. Note that this is equivalent to having the PE routers connected back to back. Because of PHP, no LDP label or even an LSP is formed between the E-PEs. In other words, no label swapping occurs, and there is no need for a LDP. The only use for labels in this scenario is to identify the VRF for which the traffic in the tunnel is destined. The VPN labels are used for multiplexing and demultiplexing traffic between the tunnel and the appropriate VRFs. Figure 7-14. RFC 2547 VPNs over GRE Packet FlowClearly, this network is not using label switching, nor does it need label switching functionality. However, support for RFC 2547 VPNs is still required. Therefore, this type of overlay model is usually referred to as 2547 over X. In this particular scenario, it would be 2547 over GRE. Note that this differs from MPLS over GRE because no support exists in the solution for label switching. Therefore, if the edge devices support 2547 over GRE but not MPLS over GRE, these cannot be used as label switching P routers. It is not uncommon to find enterprise-grade platforms that can support 2547 over GRE but not support full MPLS over GRE. The difference in functionality, although apparently subtle, is critical to the design of the network. The network architect must clearly understand the type of VPN role required at the WAN edge to make the right choice of hardware. Note At of the time this writing, support for 2547 over X is more common than support for MPLS over X. 2547 over GRE has been superseded by 2547 over mGRE, which incorporates all the flexibility of dynamic multipoint tunnel interfaces. The technical details and configuration of this approach are identical to those of the 2547 over L2TPv3 implementation. The sole difference is the encapsulation being used; all other architectural and configuration details are comparable. Therefore, we defer this discussion to the next section as we discuss 2547 over L2TPv3. Benefits and DrawbacksDeploying MPLS (or RFC 2547) over a mesh of GRE tunnels allows the enterprise to extend their MPLS network over almost any IP network. As always, there are both challenges and benefits with this type of WAN extension. The benefits of deploying MPLS over GRE tunnels include the following:
The drawbacks include the following:
The extension of MPLS VPNs over GRE tunnels is useful in scenarios that require the aggregation of a limited number of sites in a hub-and-spoke logical topology. Any-to-any connectivity for many sites is better addressed by dynamic mechanisms, such as CsC or RFC 2547 over DMVPN. DMVPN-based mechanisms are discussed in some of the following sections. |