MPLS TE tunnels transport label-switched data through an MPLS network over a constraint-based path that is not restricted to the IGP shortest-cost path. TE tunnels are usually established over physical links between adjacent routers. However, some applications require establishing TE tunnels over virtual interfaces such as GRE tunnels.

Federal Information Processing Standard (FIPS) 140-2 compliance mandates that federal customers require traffic encryption throughout their network infrastructure, which is referred to as Type-I encryption level of security. Type-I encryption environments differentiate between encrypted and unencrypted networks. The encrypted network is the secure part of the network that is in a secure facility, where encryption is not required. The unencrypted network is the unsecured part of the network, where traffic encryption is required.
Two common methods of traffic encryption are as follows:
External crypto devices operate at Layer 2 (L2), providing link-layer encryption of ATM and SONET traffic. With the migration of L2 networks to IP networks, adoption of IP crypto devices and IPsec is increasing. This transition requires that traffic encryption happen at the IP layer. IP-based forwarding of service traffic, such as IP or Layer 3 (L3)/L2 VPN MPLS traffic, is implemented only through GRE tunnels.
The following MPLS TE features are supported when enabled over a GRE tunnel:
- MPLS TE over GRE (Tunnel establishment and data traffic)
- Metrics (admin weight)
- Attribute flag and affinities
- Explicit path
- BFD
- ECMP without Class Based Tunnel Selection (CBTS)