05-19-2015 09:31 AM - edited 03-05-2019 01:29 AM
Does anyone know if it is possible to do EoMPLS in GRE in IPSec in one router? It is for Layer 2 extensibility across DSL with encryption compliance.
Thanks
05-19-2015 12:15 PM
Hi,
Theoretically, it should work but there seems to be an awful lot of local processing before the resulting datagram can be sent out so I am not sure about the performance of the whole thing. As you're saying this is going to run over DSL then I suppose that PPPoE is going to be involved so the overhead will easily exceed 100 bytes.
This is my estimate on the total encapsulation overhead:
PPPoE (8) + IP (20) + IPsec (80) + IP (20) + GRE (4) + MPLS (4) + MPLS (4) + CW (4) + Payload
I am assuming a rough estimate on the IPsec encapsulation to be 80 bytes, plus two MPLS labels (transport label and per-VC label), plus a control word, in total 144 bytes. The entire datagram still must not exceed 1500 bytes to fit into the outer Ethernet frame not shown here, carried over the DSL network. This limits the Payload down to 1500-144=1356. The GRE tunnel's MTU is thus 1356+4+4+4=1368.
The configuration would be akin to this (consider this just a skeleton of how it would look; I am not striving for a complete configuration):

crypto isakmp policy 1
 ! The usual ISAKMP Phase1 stuff
crypto isakmp key ...
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile TunnelProtection
 set transform-set ESP-AES-SHA
!
mpls ip
mpls label protocol ldp
mpls ldp router-id Dialer0 force
!
interface Dialer0
 encapsulation ppp
 dialer pool 1
 dialer persistent
 mtu 1492
 ip tcp adjust-mss 1452
 ip address negotiated
 ppp chap hostname ...
 ppp chap password ...
 ...
!
interface Tunnel0
 mtu 1368
 tunnel source Dialer0
 tunnel destination X.X.X.X
 mpls ip
 ip address 10.0.0.1 255.255.255.0
 tunnel protection ipsec profile TunnelProtection
!
interface FastEthernet0/0
 xconnect Y.Y.Y.Y 1 encapsulation mpls
!
ip route 0.0.0.0 0.0.0.0 Dialer0             ! Default route
ip route X.X.X.X 255.255.255.255 Dialer0     ! Tunnel destination over DSL
ip route X.X.X.X 255.255.255.255 Null0 2     ! Prevent recursive routing
ip route Y.Y.Y.Y 255.255.255.255 Tunnel0     ! The PW endpoint is behind the tunnel
I strongly recommend doing performance tests before rolling out this configuration to multiple sites.
Best regards,
Peter
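As an added example (not code from the original thread or from Peter), a short Python calculator that models the header stack in the reply above and derives the interface MTU and TCP MSS values that appear in the skeleton configuration; the 1500-byte outer Ethernet limit and the 14-byte header of an untagged customer frame with the FCS not carried are my assumptions.

```python
# Added example (not from the original post): MTU budget for the header stack
# in the reply, outermost first. IPsec keeps the reply's rough 80-byte figure.
ETHERNET_MTU = 1500   # assumption: outer Ethernet payload limit on the DSL side
ENCAPSULATION_STACK = [
    ("PPPoE", 8),
    ("Outer IP", 20),
    ("IPsec ESP (rough estimate)", 80),
    ("GRE delivery IP", 20),
    ("GRE", 4),
    ("MPLS transport label", 4),
    ("MPLS VC label", 4),
    ("Control word", 4),
]
ETH_HEADER = 14        # assumption: untagged customer frame, FCS not carried
IPV4_TCP_HEADERS = 40  # IPv4 (20) + TCP (20) without options

def total_overhead(stack):
    """Bytes prepended to the pseudowire payload by every layer."""
    return sum(size for _, size in stack)

def unit_size_at(stack, layer_name, outer_mtu=ETHERNET_MTU):
    """Largest unit that may begin with `layer_name`: outer MTU minus every
    header outside it. This is the MTU of the interface emitting that unit."""
    names = [name for name, _ in stack]
    outside = stack[: names.index(layer_name)]
    return outer_mtu - sum(size for _, size in outside)

def mtu_plan(stack=ENCAPSULATION_STACK, outer_mtu=ETHERNET_MTU):
    """Interface MTU / MSS values implied by the stack (cf. the skeleton config)."""
    dialer_mtu = unit_size_at(stack, "Outer IP", outer_mtu)             # IP over PPPoE
    tunnel_mtu = unit_size_at(stack, "MPLS transport label", outer_mtu) # GRE payload
    pw_payload = outer_mtu - total_overhead(stack)                      # customer frame
    return {
        "dialer_mtu": dialer_mtu,
        "dialer_tcp_mss": dialer_mtu - IPV4_TCP_HEADERS,
        "tunnel_mtu": tunnel_mtu,
        "pw_payload": pw_payload,
        "customer_ip_mtu": pw_payload - ETH_HEADER,  # IP MTU for hosts behind the PW
    }

def frame_fits(frame_len, stack=ENCAPSULATION_STACK, outer_mtu=ETHERNET_MTU):
    """True if a customer Ethernet frame of frame_len bytes crosses the DSL
    link without the outer IP datagram having to be fragmented."""
    return frame_len <= outer_mtu - total_overhead(stack)

if __name__ == "__main__":
    for key, value in mtu_plan().items():
        print(f"{key:>16}: {value}")
    print("untouched 1500-byte customer frame fits:", frame_fits(1500))  # False
```

The numbers it returns (144 bytes of overhead, 1356-byte pseudowire payload, 1368-byte tunnel MTU, 1492/1452 on the Dialer) match the reply; the customer-side IP MTU of 1342 is the additional figure hosts behind the pseudowire would need if the outer link is never to fragment.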