
EoMPLS

bimckenz (Level 1)

Does anyone know if it is possible to do EoMPLS in GRE in IPsec in one router? It is for Layer 2 extensibility across DSL with encryption compliance.

Thanks


Peter Paluch (Cisco Employee)

Hi,

Theoretically, it should work, but there seems to be an awful lot of local processing before the resulting datagram can be sent out, so I am not sure about the performance of the whole thing. As you're saying this is going to run over DSL, I suppose that PPPoE is going to be involved, so the overhead will easily exceed 100 bytes.

This is my estimate on the total encapsulation overhead:

PPPoE (8) + IP (20) + IPsec (80) + IP (20) + GRE (4) + MPLS (4) + MPLS (4) + CW (4) + Payload

I am assuming a rough estimate of 80 bytes for the IPsec encapsulation, plus two MPLS labels (transport label and per-VC label), plus a control word, in total 144 bytes. The entire datagram still must not exceed 1500 bytes to fit into the outer Ethernet frame (not shown here) carried over the DSL network. This limits the Payload to 1500-144=1356. The GRE tunnel's MTU is thus 1356+4+4+4=1368.

The configuration would be akin to this (consider this just a skeleton of how it would look, I am not striving for a complete configuration):

crypto isakmp policy 1
 ! The usual ISAKMP Phase 1 stuff (encryption, hash, authentication, DH group)
crypto isakmp key ...
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
! IPsec profile applied to the GRE tunnel with "tunnel protection"
crypto ipsec profile TunnelProtection
 set transform-set ESP-AES-SHA
!
mpls ip
mpls label protocol ldp
mpls ldp router-id Dialer0 force
!
! PPPoE-facing dialer; mtu 1492 leaves room for the 8-byte PPPoE/PPP header,
! and 1452 = 1492 - 40 (IP + TCP) for traffic routed out this interface
interface Dialer0
 encapsulation ppp
 dialer pool 1
 dialer persistent
 mtu 1492
 ip tcp adjust-mss 1452
 ip address negotiated
 ppp chap hostname ...
 ppp chap password ...
 ...
!
! GRE tunnel carrying MPLS; IPsec is applied by tunnel protection.
! MTU 1368 is the 1356-byte payload plus two labels and the control word.
interface Tunnel0
 mtu 1368
 tunnel source Dialer0
 tunnel destination X.X.X.X
 mpls ip
 ip address 10.0.0.1 255.255.255.0
 tunnel protection ipsec profile TunnelProtection
!
! Attachment circuit: the whole port becomes an EoMPLS pseudowire (VC ID 1)
! to the peer Y.Y.Y.Y, which must be reachable with a label, i.e. via Tunnel0
interface FastEthernet0/0
 xconnect Y.Y.Y.Y 1 encapsulation mpls
!
! Default route
ip route 0.0.0.0 0.0.0.0 Dialer0
! Tunnel destination over DSL
ip route X.X.X.X 255.255.255.255 Dialer0
! Prevent recursive routing
ip route X.X.X.X 255.255.255.255 Null0 2
! The PW endpoint is behind the tunnel
ip route Y.Y.Y.Y 255.255.255.255 Tunnel0

I strongly recommend doing performance tests before rolling out this configuration to multiple sites.

Best regards,
Peter
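The overhead arithmetic in the reply above is the part most likely to be redone for a different link or cipher, so here is an added worked example (not from the original thread, and not Peter's code) that models the encapsulation stack as data and derives the tunnel MTU and, going one step further than the reply, the TCP MSS that hosts on the Layer 2-extended LAN would need. It reproduces the 144 / 1356 / 1368 figures with the reply's flat 80-byte IPsec estimate, and also computes the exact worst-case ESP overhead for esp-aes (CBC, 16-byte block, 16-byte IV) with esp-sha-hmac (12-byte truncated ICV) for comparison. Header sizes, the 14-byte untagged inner Ethernet header and the function names are this example's own assumptions.

```python
"""Encapsulation-overhead calculator for EoMPLS over GRE over IPsec over PPPoE.

Added example, not code from the original thread. Header sizes are
assumptions stated per entry; the 80-byte IPsec figure is the rough
estimate used in the reply, and the exact ESP-AES-SHA overhead is
computed separately for comparison.
"""

# Per-header byte counts, outermost first. IPsec tunnel mode adds the
# outer IP header; GRE keeps its own delivery IP header inside the ESP.
# GRE is 4 bytes only with no key/sequence/checksum options enabled.
STACK = [
    ("PPPoE+PPP", 8),          # 6-byte PPPoE header + 2-byte PPP protocol field
    ("IP (outer)", 20),
    ("IPsec (est.)", 80),      # the reply's rough estimate for ESP + ICV + padding
    ("IP (GRE delivery)", 20),
    ("GRE", 4),
    ("MPLS transport", 4),
    ("MPLS VC", 4),
    ("Control word", 4),
]

ETH_MTU = 1500      # Ethernet payload limit on the DSL-facing link
ETH_HDR = 14        # inner (pseudowire) Ethernet header, untagged, no FCS
IP_TCP_HDRS = 40    # minimal IPv4 + TCP headers, for the MSS calculation


def total_overhead(stack=STACK):
    """Bytes added by every encapsulation layer together."""
    return sum(size for _, size in stack)


def max_payload(stack=STACK, link_mtu=ETH_MTU):
    """Largest EoMPLS payload (inner Ethernet frame without FCS) that fits."""
    return link_mtu - total_overhead(stack)


def tunnel_mtu(stack=STACK, link_mtu=ETH_MTU):
    """MTU for the GRE tunnel interface: the payload plus everything GRE
    itself carries, i.e. both MPLS labels and the control word."""
    inside_gre = sum(size for name, size in stack
                     if name.startswith("MPLS") or name == "Control word")
    return max_payload(stack, link_mtu) + inside_gre


def lan_tcp_mss(stack=STACK, link_mtu=ETH_MTU, tagged=False):
    """TCP MSS for hosts on the Layer 2-extended LAN so that no segment
    needs fragmentation anywhere in the stack (assumes 14-byte Ethernet
    header, plus 4 bytes if the attachment circuit carries 802.1Q tags)."""
    eth = ETH_HDR + (4 if tagged else 0)
    return max_payload(stack, link_mtu) - eth - IP_TCP_HDRS


def esp_aes_sha_overhead(plain_len):
    """Exact ESP overhead (without the outer IP header) for AES-CBC with
    HMAC-SHA1-96: SPI(4) + Seq(4) + IV(16) + padding + PadLen(1) +
    NextHdr(1) + ICV(12). Padding brings plaintext + pad + 2 trailer
    bytes to a multiple of the 16-byte cipher block."""
    block = 16
    pad = (-(plain_len + 2)) % block
    return 4 + 4 + 16 + pad + 2 + 12


def worst_case_esp_overhead():
    """Largest ESP overhead over all plaintext-length residues mod 16."""
    return max(esp_aes_sha_overhead(n) for n in range(16))


def stack_with_exact_esp(stack=STACK):
    """Same stack with the rough IPsec estimate replaced by the exact
    worst-case ESP-AES-SHA overhead (outer IP stays a separate entry)."""
    return [(name, worst_case_esp_overhead() if name.startswith("IPsec") else size)
            for name, size in stack]


if __name__ == "__main__":
    for name, size in STACK:
        print(f"{name:20s} {size:4d}")
    print("total overhead     ", total_overhead())
    print("max EoMPLS payload ", max_payload())
    print("GRE tunnel MTU     ", tunnel_mtu())
    print("LAN host TCP MSS   ", lan_tcp_mss(), "(tagged:", lan_tcp_mss(tagged=True), ")")
    print("exact ESP worst case", worst_case_esp_overhead(),
          "-> payload", max_payload(stack_with_exact_esp()))
```

Two points worth keeping in mind when using the numbers: the pseudowire bridges frames rather than routing them, so an `ip tcp adjust-mss` on the router does not rewrite the MSS of traffic crossing the attachment circuit; the clamp has to be applied on the hosts or on whatever device routes for that LAN. And sizing the MTU correctly matters for IPsec specifically, because an oversized GRE packet is fragmented after encryption and the peer must reassemble ciphertext before it can verify the ICV, which costs CPU on exactly the low-end router the reply is worried about.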
