- MPLS Virtual Private Networks
- Multiprotocol BGP MPLS VPN
- MPLS VPN OSPF PE and CE Support
- MPLS VPN Support for EIGRP Between PE and CE
- IPv6 VPN over MPLS
- Assigning an ID Number to an MPLS VPN
- MPLS VPN Half-Duplex VRF
- MPLS VPN Show Running VRF
- MPLS VPN VRF CLI for IPv4 and IPv6 VPNs
- MPLS VPN BGP Local Convergence
- MPLS VPN Route Target Rewrite
- MPLS VPN Per VRF Label
- Multi-VRF Selection Using Policy-Based Routing
- MPLS VPN VRF Selection Using Policy-Based Routing
- VRF Aware System Message Logging
- MPLS VPN 6VPE per VRF Label
- Multi-VRF Support
- BGP Best External
- BGP PIC Edge for IP and MPLS-VPN
- MPLS over GRE
- Dynamic Layer 3 VPNs with Multipoint GRE Tunnels
- MPLS VPN 6VPE Support Over IP Tunnels
Contents
- Dynamic Layer 3 VPNs with Multipoint GRE Tunnels
- Finding Feature Information
- Prerequisites for Dynamic L3 VPNs with mGRE Tunnels
- Restrictions for Dynamic L3 VPNs with mGRE Tunnels
- Information About Dynamic L3 VPNs with mGRE Tunnels
- Overview of Dynamic L3 VPNs with mGRE Tunnels
- Layer 3 mGRE Tunnels
- Interconnecting Provider Edge Devices Within an IP Network
- Packet Transport Between IP and MPLS Networks
- BGP Next Hop Verification
- How to Configure L3 VPN mGRE Tunnels
- Creating the VRF and mGRE Tunnel
- Setting Up BGP VPN Exchange
- Enabling the MPLS VPN over mGRE Tunnels and Configuring an L3VPN Encapsulation Profile
- Defining the Address Space and Specifying Address Resolution for MPLS VPNs over mGRE
- What to Do Next
- Configuration Examples for Dynamic L3 VPNs Support Using mGRE Tunnels
- Configuring Layer 3 VPN mGRE Tunnels Example
- Additional References
- Feature Information for Dynamic L3 VPNs with mGRE Tunnels
Dynamic Layer 3 VPNs with Multipoint GRE Tunnels
The Dynamic Layer 3 VPNs with Multipoint GRE Tunnels feature provides a Layer 3 (L3) transport mechanism based on an enhanced multipoint generic routing encapsulation (mGRE) tunneling technology for use in IP networks. The dynamic Layer 3 tunneling transport can also be used within IP networks to transport Virtual Private Network (VPN) traffic across service provider and enterprise networks, and to provide interoperability for packet transport between IP and Multiprotocol Label Switching (MPLS) VPNs. This feature provides support for RFC 2547, which defines the outsourcing of IP backbone services for enterprise networks.
- Finding Feature Information
- Prerequisites for Dynamic L3 VPNs with mGRE Tunnels
- Restrictions for Dynamic L3 VPNs with mGRE Tunnels
- Information About Dynamic L3 VPNs with mGRE Tunnels
- How to Configure L3 VPN mGRE Tunnels
- Configuration Examples for Dynamic L3 VPNs Support Using mGRE Tunnels
- Additional References
- Feature Information for Dynamic L3 VPNs with mGRE Tunnels
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for Dynamic L3 VPNs with mGRE Tunnels
Ensure that your Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) is configured and working properly.
Restrictions for Dynamic L3 VPNs with mGRE Tunnels
Information About Dynamic L3 VPNs with mGRE Tunnels
Overview of Dynamic L3 VPNs with mGRE Tunnels
You can configure multipoint generic routing encapsulation (mGRE) tunnels to create a multipoint tunnel network that overlays an IP backbone. This overlay connects provider edge (PE) devices to transport Virtual Private Network (VPN) traffic. To deploy L3 VPN mGRE tunnels, you create a virtual routing and forwarding (VRF) instance, create the mGRE tunnel, redirect the VPN IP traffic to the tunnel, and set up the Border Gateway Protocol (BGP) VPNv4 exchange so that updates are filtered through a route map and interesting prefixes are resolved in the VRF table.
In addition, when Multiprotocol Label Switching (MPLS) VPNs are configured over mGRE, you can deploy L3 PE-based VPN services using a standards-based IP core. This allows you to provision the VPN services without using the overlay method. When an MPLS VPN over mGRE is configured, the system uses IPv4-based mGRE tunnels to encapsulate VPN-labeled IPv4 and IPv6 packets between PEs.
Layer 3 mGRE Tunnels
By configuring multipoint generic routing encapsulation (mGRE) tunnels, you create a multipoint tunnel network as an overlay to the IP backbone. This overlay interconnects the provider edge (PE) devices to transport Virtual Private Network (VPN) traffic through the backbone. This multipoint tunnel network uses Border Gateway Protocol (BGP) to distribute VPNv4 routing information between PE devices, maintaining the peer relationship between the service provider or enterprise network and customer sites. The advertised next hop in BGP VPNv4 triggers tunnel endpoint discovery. This feature provides the ability for multiple service providers to cooperate and offer a joint VPN service with traffic tunneled directly from the ingress PE device at one service provider directly to the egress PE device at a different service provider site.
In addition to providing the VPN transport capability, the mGRE tunnels create a full-mesh topology and reduce the administrative and operational overhead previously associated with a full mesh of point-to-point tunnels used to interconnect multiple customer sites. The configuration requirements are greatly reduced and enable the network to grow with minimal additional configuration.
Dynamic L3 tunnels provide for better scaling when creating partial-mesh or full-mesh VPNs. Adding new remote VPN peers is simplified because only the new device needs to be configured. The new address is learned dynamically and propagated to the nodes in the network. The dynamic routing capability dramatically reduces the size of configuration needed on all devices in the VPN, such that with the use of multipoint tunnels, only one tunnel interface needs to be configured on a PE that services many VPNs. The L3 mGRE tunnels need to be configured only on the PE device. Features available with GRE are still available with mGRE, including dynamic IP routing and IP multicast and Cisco Express Forwarding switching of mGRE/Next Hop Routing Protocol (NHRP) tunnel traffic.
The following sections describe how the mGRE tunnels are used:
- Interconnecting Provider Edge Devices Within an IP Network
- Packet Transport Between IP and MPLS Networks
- BGP Next Hop Verification
Interconnecting Provider Edge Devices Within an IP Network
The Dynamic Layer 3 VPNs with Multipoint GRE Tunnels feature allows you to create a multiaccess tunnel network to interconnect the provider edge (PE) devices that service your IP network. This tunnel network transports IP Virtual Private Network (VPN) traffic to all of the PE devices. The figure below illustrates the tunnel overlay network used in an IP network to transport VPN traffic between the PE devices.
The multiaccess tunnel overlay network provides full connectivity between PE devices. The PE devices exchange VPN routes by using the Border Gateway Protocol (BGP) as defined in RFC 2547. IP traffic is redirected through the multipoint tunnel overlay network using distinct IP address spaces for the overlay and transport networks and by changing the address space instead of changing the numerical value of the address.
Packet Transport Between IP and MPLS Networks
Layer 3 multipoint generic routing encapsulation (mGRE) tunnels can be used as a packet transport mechanism between IP and Multiprotocol Label Switching (MPLS) networks. To enable the packet transport between the two different protocols, one provider edge (PE) device on one side of the connection between the two networks must run MPLS. The figure below shows how mGRE tunnels can be used to transport Virtual Private Network (VPN) traffic between PE devices.
For the packet transport to occur between the IP and MPLS network, the MPLS VPN label is mapped to the GRE key. The mapping takes place on the device where both mGRE and MPLS are configured. In the figure above the mapping of the label to the key occurs on Device M, which sits on the MPLS network.
BGP Next Hop Verification
The Border Gateway Protocol (BGP) performs the BGP path selection, or next hop verification, at the provider edge (PE). For a BGP path to a network to be considered in the path selection process, the next hop for the path must be reachable in the Interior Gateway Protocol (IGP). When an IP prefix is received and advertised as the next hop IP address, the IP traffic is tunneled from the source to the destination by switching the address space of the next hop.
How to Configure L3 VPN mGRE Tunnels
- Creating the VRF and mGRE Tunnel
- Setting Up BGP VPN Exchange
- Enabling the MPLS VPN over mGRE Tunnels and Configuring an L3VPN Encapsulation Profile
- Defining the Address Space and Specifying Address Resolution for MPLS VPNs over mGRE
Creating the VRF and mGRE Tunnel
The tunnel that transports the VPN traffic across the service provider network resides in its own address space. A special virtual routing and forwarding (VRF) instance must be created called Resolve in VRF (RiV). This section describes how to create the VRF and GRE tunnel.
The IP address on the interface should be the same as that of the source interface specified in the configuration. The source interface specified should match that used by the Border Gateway Protocol (BGP) as a source for the Virtual Private Network Version 4 (VPNv4) update.
 Note | Tunnel mode IPSec is not supported on Multiprotocol Label Switching (MPLS) over generic routing encapsulation (GRE) tunnel. |
1.
enable
2.
configure
terminal
3.
ip
vrf
vrf-name
4.
rd
1:1
5.
exit
6.
interface
tunnel
tunnel-name
7.
ip
address
ip-address
subnet-id
8.
tunnel
source
loopback
n
9.
tunnel
mode
gre
multipoint
l3vpn
10.
tunnel
key
gre-ke
y
11.
end
DETAILED STEPS
Setting Up BGP VPN Exchange
The configuration task described in this section sets up the Border Gateway Protocol (BGP) Virtual Private Network for IPv4 (VPNv4) exchange so that the updates are filtered through a route map and interesting prefixes are resolved in the virtual routing and forwarding (VRF) table.
1.
enable
2.
configure
terminal
3.
interface
tunnel
tunnel-name
4.
ip
route
vrf
riv-vrf-name
ip-address
subnet-
mask
tunnel
n
5.
exit
6.
router
bgp
as-number
7.
network
network-id
8.
neighbor
{ip-address |
peer-group-name}
remote-as
as-number
9.
neighbor
{ip-address |
peer-group-name}
update-source
interface-type
10.
address-family
vpnv4
[unicast]
11.
neighbor
{ip-address |
peer-group-name}
activate
12.
neighbor
{ip-address |
peer-group-name}
route-map
map-name {in |
out}
13.
set
ip
next-hop
resolve-in-vrf
vrf-name
14.
end
DETAILED STEPS
Enabling the MPLS VPN over mGRE Tunnels and Configuring an L3VPN Encapsulation Profile
This section describes how to define the VRF, enable MPLS VPN over mGRE, and configure an L3VPN encapsulation profile.
Note | Transport protocols such as IPv6, MPLS, IP, and Layer 2 Tunneling Protocol version 3 (L2TPv3) can also be used in this configuration. |
To enable and configure Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) over multipoint generic routing encapsulation (mGRE) , you must first define the virtual routing and forwarding (VRF) instance for tunnel encapsulation and enable L3VPN encapsulation in the system.
1.
enable
2.
configure
terminal
3.
vrf
definition
vrf-name
4.
rd 1:1
5.
exit
6.
ip cef
7.
ipv6
unicast-routing
8.
ipv6 cef
9.
l3vpn encapsulation ip
profile-name
10.
transport ipv4 source
interface n
11.
protocol gre
[key
gre-key]
12.
exit
13.
interface
type number
14.
ip address
ip-address mask
15.
ip router isis
16.
end
DETAILED STEPS
Defining the Address Space and Specifying Address Resolution for MPLS VPNs over mGRE
This section describes how to define the address space and specify the address resolution for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) over generic routing encapsulation (mGRE). The following steps also enable you to link the route map to the application template and set up the Border Gateway Protocol (BGP) VPNv4 and VPNv6 exchange so that updates are filtered through the route map.
1.
enable
2.
configure terminal
3.
router bgp
as-number
4.
bgp log-neighbor-changes
5.
neighbor
ip-address
remote-as
as-number
6.
neighbor
ip-address
update-source
interface-type
interface-name
7.
address-family vpnv4
8.
no synchronization
9.
redistribute connected
10.
neighbor
ip-address
activate
11.
no auto-summary
12.
exit
13.
address-family vpnv4
14.
neighbor
ip-address
activate
15.
neighbor
ip-address
send-community both
16.
neighbor
ip-address
route-map
map-name
in
17.
exit
18.
address-family vpnv6
19.
neighbor
ip-address
activate
20.
neighbor
ip-address
send-community both
21.
neighbor
ip-address
route-map
ip-address
in
22.
exit
23.
route-map
map-tag
permit
position
24.
set ip next-hop encapsulate l3vpn
tunnel encap
25.
set ipv6 next-hop encapsulate l3vpn
profile name
26.
end
DETAILED STEPS
What to Do Next
You can perform the following to make sure that the configuration is working properly.
Check the VRF Prefix
Verify that the specified virtual routing and forwarding (VRF) prefix has been received by the Border Gateway Protocol (BGP). The BGP table entry should show that the route map has worked and that the next hop is showing in the Resolve in VRF (RiV). Use the show ip bgp vpnv4 command as shown in this example.
Device# show ip bgp vpnv4 vrf customer 209.165.200.250
BGP routing table entry for 100:1:209.165.200.250/24, version 12
Paths: (1 available, best #1)
Not advertised to any peer
Local
209.165.200.251 in "my riv" from 209.165.200.251 (209.165.200.251)
Origin incomplete, metric 0, localpref 100, valid, internal, best
Extended Community: RT:100:1
Confirm that the same information has been propagated to the routing table:
Device# show ip route vrf customer 209.165.200.250
Routing entry for 209.165.200.250
/24
Known via "bgp 100", distance 200, metric 0, type internal
Last update from 209.165.200.251 00:23:07 ago
Routing Descriptor Blocks:
* 209.165.200.251 (my riv), from 209.165.200.251, 00:23:07 ago
Route metric is 0, traffic share count is 1
AS Hops 0
Cisco Express Forwarding Switching
You can also verify that Cisco Express Forwarding switching is working as expected:
Device# show ip cef vrf customer 209.165.200.250
/24, version 6, epoch 0
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Tu1, 123.1.1.2, tags imposed: {17}
via 209.165.200.251, 0 dependencies, recursive
next hop 209.165.200.251, Tunnel1 via 209.165.200.251/32 (my riv)
valid adjacency
tag rewrite with Tu1, 209.165.200.251, tags imposed: {17}
Endpoint Creation
Note that in this example display the tunnel endpoint has been created correctly:
Device# show tunnel endpoint tunnel 1 Tunnel1 running in multi-GRE/IP mode RFC2547/L3VPN Tunnel endpoint discovery is active on Tu1 Transporting l3vpn traffic to all routes recursing through "my riv" Endpoint 209.165.200.251 via destination 209.165.200.251 Endpoint 209.165.200.254 via destination 209.165.200.254
Adjacency
Confirm that the corresponding adjacency has been created.
Device# show adjacency Tunnel 1 interface
Protocol Interface Address
TAG Tunnel1 209.165.200.251(4)
15 packets, 1980 bytes
4500000000000000FF2FC3C77B010103
7B01010200008847
Epoch: 0
Fast adjacency disabled
IP redirect disabled
IP mtu 1472 (0x0)
Fixup enabled (0x2)
GRE tunnel
Adjacency pointer 0x624A1580, refCount 4
Connection Id 0x0
Bucket 121
Note that because Multiprotocol Label Switching (MPLS) is being transported over multipoint generic routing encapsulation (mGRE), the LINK_TAG adjacency is the relevant adjacency. The MTU reported in the adjacency is the payload length (including the MPLS label) that the packet will accept. The MAC string shown in the adjacency display can be interpreted as follows:
45000000 -> Beginning of IP Header (Partially populated, tl & chksum 00000000 are fixed up per packet) FF2FC3C7 7B010103 -> Source IP Address in transport network 209.165.200.253 7B010102 -> Destination IP address in transport network 209.165.200.252 00008847 -> GRE Header
You can use the show l3vpn encapsulation profile-name command to get information on the basic state of the application. The output of this command provides you details on the references to the tunnel and VRF.
Configuration Examples for Dynamic L3 VPNs Support Using mGRE Tunnels
Configuring Layer 3 VPN mGRE Tunnels Example
This example shows the configuration sequence for creating multipoint generic routing encapsulation (mGRE) tunnels. It includes the definition of the special virtual routing and forwarding (VRF) instance.
ip vrf my riv rd 1:1 interface Tunnel1 ip vrf forwarding my_riv ip address 209.165.200.250 255.255.255.224 tunnel source Loopback0 tunnel mode gre multipoint l3vpn tunnel key 123 end ip route vrf my riv ip address subnet mask Tunnel1 router bgp 100 network 209.165.200.251 neighbor 209.165.200.250 remote-as 100 neighbor 209.165.200.250 update-source Loopback0 ! address-family vpnv4 neighbor 209.165.200.250 activate neighbor 209.165.200.250 route-map SELECT_UPDATES_FOR_L3VPN_OVER_MGRE in ! route-map SELECT UPDATES FOR L3VPN OVER MGRE permit 10 set ip next-hop in-vrf my riv
This example shows the configuration to link a route map to the application:
vrf definition Customer A rd 100:110 route-target export 100:1000 route-target import 100:1000 ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! vrf definition tunnel encap rd 1:1 ! address-family ipv4 exit-address-family ! address-family ipv6 exit-address-family ! ! ip cef ! ipv6 unicast-routing ipv6 cef ! ! l3vpn encapsulation ip profile name transport source loopback 0 protocol gre key 1234 ! ! interface Loopback0 ip address 209.165.200.252 255.255.255.224 ip router isis ! interface Serial2/0 vrf forwarding Customer A ip address 209.165.200.253 255.255.255.224 ipv6 address 3FFE:1001::/64 eui-64 no fair-queue serial restart-delay 0 ! router bgp 100 bgp log-neighbor-changes neighbor 209.165.200.254 remote-as 100 neighbor 209.165.200.254 update-source Loopback0 ! address-family ipv4 no synchronization redistribute connected neighbor 209.165.200.254 activate no auto-summary exit-address-family ! address-family vpnv4 neighbor 209.165.200.254 activate neighbor 209.165.200.254 send-community both neighbor 209.165.200.254 route-map SELECT UPDATE FOR L3VPN in exit-address-family ! address-family vpnv6 neighbor 209.165.200.254 activate neighbor 209.165.200.254 send-community both neighbor 209.165.200.254 route-map SELECT UPDATE FOR L3VPN in exit-address-family ! address-family ipv4 vrf Customer A no synchronization redistribute connected exit-address-family ! address-family ipv6 vrf Customer A redistribute connected no synchronization exit-address-family ! ! route-map SELECT UPDATE FOR L3VPN permit 10 set ip next-hop encapulate <profile_name> set ipv6 next-hop encapsulate <profile_name>
Additional References
Related Documents
Related Topic |
Document Title |
|---|---|
|
Cisco IOS commands |
|
|
MPLS and MPLS applications commands |
|
|
Configuring MPLS Layer 3 VPNs |
MPLS: Layer 3 VPNs Configuration Guide |
|
MPLS VPN Over mGRE |
Interface and Hardware Component Configuration Guide |
|
Cisco Express Forwarding |
IP Switching Configuration Guide |
|
Generic Routing Encapsulation |
Interface and Hardware Component Configuration Guide |
Standards and RFCs
Standard/RFC |
Title |
|---|---|
|
RFC 2547 |
BGP/MPLS VPNs |
|
RFC 2784 |
Generic Routing Encapsulation (GRE) |
|
RFC 2890 |
Key Sequence Number Extensions to GRE |
|
RFC 4023 |
Encapsulating MPLS in IP or Generic Routing Encapsulation |
|
RFC 4364 |
BGP/MPLS IP Virtual Private Networks (VPNs) |
MIBs
MIB |
MIBs Link |
|---|---|
|
IETF-PPVPN-MPLS-VPN-MIB |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Technical Assistance
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Dynamic L3 VPNs with mGRE Tunnels
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
|
Feature Name |
Releases |
Feature Information |
|---|---|---|
|
Dynamic Layer 3 VPNs with Multipoint GRE Tunnels |
12.0(23)S |
This feature provides an L3 transport mechanism based on an enhanced mGRE tunneling technology for use in IP networks. |