Created by - Orhan Ergun
EVPN (Ethernet Virtual Private Network) is a technology that enables organizations to extend their Layer 2 and Layer 3 networks across different sites. EVPN can be deployed over different network infrastructures, such as MPLS (Multiprotocol Label Switching) and VXLAN (Virtual Extensible LAN). In this article, we will compare EVPN over MPLS with EVPN over VXLAN and discuss their benefits and drawbacks.

EVPN over MPLS

EVPN over MPLS is a popular deployment option that uses MPLS labels to transport EVPN traffic between sites. MPLS is a mature technology that has been widely used in service provider networks to provide traffic engineering and VPN services. EVPN over MPLS enables organizations to leverage their existing MPLS infrastructure and extend their Layer 2 and Layer 3 networks across different sites.

Benefits of EVPN over MPLS:
- Efficient use of network resources: MPLS labels enable traffic engineering and quality of service (QoS) mechanisms, which allow network resources to be used efficiently.
- Mature technology: MPLS is a mature technology that has been widely used in service provider networks to provide VPN services.
- Support for multicast: EVPN over MPLS supports multicast services, which enable organizations to transport multicast traffic across different sites.
- Fast convergence times: MPLS labels enable fast convergence through label switching and fast rerouting mechanisms.

Drawbacks of EVPN over MPLS:
- Complexity: MPLS is a complex technology that requires specialized skills and expertise to deploy and manage.
- Limited scalability: MPLS labels have limited scalability, which can make it difficult to support large-scale networks.
- Limited flexibility: MPLS labels have limited flexibility, which can make it difficult to support dynamic network topologies and changing business requirements.

EVPN over VXLAN

EVPN over VXLAN is a newer deployment option that uses VXLAN encapsulation to transport EVPN traffic between sites. VXLAN is a virtualization technology that enables the creation of virtual Layer 2 networks over a Layer 3 infrastructure. EVPN over VXLAN enables organizations to leverage their existing Layer 3 infrastructure and extend their Layer 2 and Layer 3 networks across different sites.

Benefits of EVPN over VXLAN:
- Scalability: VXLAN encapsulation enables scalable network virtualization, which can support large-scale networks.
- Flexibility: VXLAN encapsulation enables flexibility in network topologies and can support dynamic network changes and business requirements.
- Support for multicast: VXLAN encapsulation supports multicast services, which enable organizations to transport multicast traffic across different sites.
- Easy to deploy: VXLAN encapsulation is easy to deploy and manage, which can reduce operational costs.

Drawbacks of EVPN over VXLAN:
- Performance: VXLAN encapsulation adds overhead to network traffic, which can impact network performance.
- Limited support for traffic engineering: VXLAN encapsulation has limited support for traffic engineering, which can impact the efficient use of network resources.
- Limited support for QoS: VXLAN encapsulation has limited support for QoS mechanisms, which can impact the delivery of high-priority traffic.

Conclusion

EVPN over MPLS and EVPN over VXLAN are two popular deployment options that enable organizations to extend their Layer 2 and Layer 3 networks across different sites. EVPN over MPLS offers efficient use of network resources and support for multicast services, but it can be complex and limited in scalability and flexibility. EVPN over VXLAN offers scalability, flexibility, and easy deployment, but it can impact network performance and has limited support for traffic engineering and QoS mechanisms. Organizations should consider their specific business requirements and network infrastructure when selecting an EVPN deployment option.
Published - 4 Days Ago
Created by - Orhan Ergun
Introduction

Ethernet Virtual Private Network (EVPN) is an advanced and efficient way of extending layer 2 and layer 3 connectivity across different networks. It is used in data center environments, cloud computing, and service provider networks. In this article, we will explore EVPN, its benefits, how it works, and its use cases.

What is EVPN?

EVPN is a network technology that provides a way to extend layer 2 and layer 3 connectivity across different networks. It is based on the BGP protocol and uses a new address family, the Ethernet VPN (EVPN) address family, to advertise MAC addresses and IP prefixes. EVPN can be used in a wide range of network scenarios, including data center networks, service provider networks, and cloud computing environments.

Benefits of EVPN

EVPN offers several benefits over traditional layer 2 and layer 3 VPN technologies:
- Scalability: EVPN can scale to support large numbers of endpoints and can be used to provide connectivity across multiple data centers or cloud environments.
- Efficient use of network resources: EVPN uses a single control plane, which reduces the overhead required to manage the network and enables more efficient use of network resources.
- Fast convergence: EVPN supports fast convergence times, which is critical in environments where high availability is required.
- Easy configuration: EVPN is easy to configure, especially when compared to traditional layer 2 and layer 3 VPN technologies.
- Support for layer 2 and layer 3 connectivity: EVPN provides a way to extend layer 2 and layer 3 connectivity across different networks, enabling organizations to simplify their network infrastructure and reduce costs.

How does EVPN work?

EVPN is based on the BGP protocol and uses a new address family, the Ethernet VPN (EVPN) address family, to advertise MAC addresses and IP prefixes. In EVPN, each endpoint, such as a server or a switch, is assigned a unique MAC address. These MAC addresses are then advertised across the network using BGP, allowing endpoints to be discovered and located.

EVPN also uses a new type of route, called an Ethernet Segment (ES) route, to advertise information about the endpoints. ES routes carry information about the endpoints, including their MAC addresses, their associated VLANs, and the physical location of the endpoints. By using ES routes, EVPN provides a way to extend layer 2 connectivity across different networks.

EVPN also supports layer 3 connectivity, which allows organizations to extend IP connectivity across different networks. In EVPN, IP prefixes are advertised using BGP, just like in traditional layer 3 VPNs. However, EVPN provides a more efficient way of advertising IP prefixes by using a new type of route, called an IP Prefix route.

Use cases for EVPN

EVPN can be used in a wide range of network scenarios, including:
- Data center networks: EVPN is well-suited for data center networks, where it can be used to provide layer 2 and layer 3 connectivity between servers, storage devices, and other network resources. EVPN can also be used to provide connectivity between different data centers, allowing organizations to create geographically dispersed data center environments.
- Service provider networks: EVPN is ideal for service provider networks, where it can be used to provide layer 2 and layer 3 VPN services to customers. EVPN can be used to provide VPN services across different data centers and cloud environments, enabling service providers to offer highly flexible and scalable VPN services.
- Cloud computing environments: EVPN can be used in cloud computing environments to provide layer 2 and layer 3 connectivity between different cloud environments. EVPN can be used to connect different cloud environments, allowing organizations to create hybrid cloud environments that

EVPN vs. VPLS

EVPN (Ethernet Virtual Private Network) and VPLS (Virtual Private LAN Service) are two technologies that are used for extending Layer 2 connectivity between different networks. While both technologies have similar goals, they differ in their approach and the features they offer. In this article, we will compare EVPN and VPLS and highlight their differences.

EVPN

EVPN is a technology that uses BGP (Border Gateway Protocol) to extend Layer 2 and Layer 3 connectivity across different networks. EVPN is based on the Ethernet VPN address family, which is used to advertise MAC addresses and IP prefixes. EVPN uses a single control plane to manage the network, which reduces the overhead required for network management and enables efficient use of network resources.

EVPN provides several benefits over traditional Layer 2 VPN technologies, such as VPLS. EVPN offers efficient use of network resources, fast convergence times, and easy configuration. Additionally, EVPN supports both Layer 2 and Layer 3 connectivity, which enables organizations to simplify their network infrastructure and reduce costs.

VPLS

VPLS is a Layer 2 VPN technology that is used to extend Ethernet-based LANs across different networks. VPLS creates a virtual LAN (VLAN) between different sites, which allows Ethernet frames to be transported across the network. VPLS uses a single control plane to manage the network, which makes it easy to configure and manage.

VPLS provides several benefits over traditional WAN technologies, such as Frame Relay and ATM. VPLS offers efficient use of network resources, easy configuration, and the ability to transport all types of Ethernet traffic, including multicast and broadcast traffic. Additionally, VPLS provides end-to-end Ethernet connectivity, which enables organizations to extend their LANs across different sites without the need for complex routing configurations.

Comparison

EVPN and VPLS have similar goals, but they differ in their approach and the features they offer. Here are some of the main differences between EVPN and VPLS:
- Control plane: EVPN uses BGP as its control plane, while VPLS uses LDP (Label Distribution Protocol) or RSVP-TE (Resource Reservation Protocol-Traffic Engineering) as its control plane. BGP provides more efficient use of network resources and faster convergence times than LDP or RSVP-TE.
- Scalability: EVPN can scale to support large numbers of endpoints, making it suitable for data center networks and cloud computing environments. VPLS can also scale, but it may not be as efficient for large-scale deployments.
- Configuration: EVPN is easy to configure, especially when compared to VPLS. EVPN requires minimal configuration, and it can be deployed quickly and easily. VPLS requires more configuration, especially when it comes to managing the control plane.
- Layer 3 connectivity: EVPN supports both Layer 2 and Layer 3 connectivity, while VPLS only supports Layer 2 connectivity. This means that EVPN can be used to extend IP connectivity across different networks, which is useful for organizations that need to connect different sites or data centers.

EVPN and VPLS are both technologies that are used for extending Layer 2 connectivity between different networks. While both technologies have their benefits and drawbacks, EVPN is generally considered to be a more efficient and scalable solution, especially for large-scale deployments. EVPN offers fast convergence times, efficient use of network resources, and easy configuration, making it a popular choice for data center networks, cloud computing environments, and service provider networks. VPLS, on the other hand, is a well-established technology that offers easy configuration and the ability to transport all types of Ethernet traffic.

EVPN Services

EVPN (Ethernet Virtual Private Network) is a technology that provides Layer 2 and Layer 3 connectivity between different networks. EVPN enables organizations to extend their LANs (Local Area Networks) across different sites, data centers, and cloud computing environments. EVPN offers several services that make it a popular choice for organizations that need to connect different networks. In this article, we will discuss the different EVPN services and their benefits.

Ethernet Services

EVPN provides several Ethernet services, such as Ethernet over MPLS (Multiprotocol Label Switching), Ethernet over VXLAN (Virtual Extensible LAN), and Ethernet over IP. These services enable organizations to extend their Ethernet-based LANs across different networks, regardless of the underlying network infrastructure. EVPN also supports different Ethernet service types, such as E-Line and E-LAN, which offer point-to-point and point-to-multipoint connectivity, respectively.

Virtual Private LAN Service (VPLS)

EVPN can also be used to provide VPLS, which is a Layer 2 VPN technology that enables organizations to extend their LANs across different networks. VPLS creates a virtual LAN between different sites, which allows Ethernet frames to be transported across the network. VPLS is a popular service that is widely used in service provider networks to offer Layer 2 connectivity to their customers.

Multicast Services

EVPN provides multicast services that enable organizations to transport multicast traffic across different networks. EVPN supports both multicast VPN (MVPN) and ingress replication models for multicast traffic. MVPN enables organizations to transport multicast traffic across different sites, while ingress replication enables organizations to replicate multicast traffic at the ingress router and send it to the appropriate egress routers.

IP Services

EVPN supports Layer 3 IP services, such as IP VPN and IP transport. IP VPN enables organizations to extend their IP networks across different networks, while IP transport enables organizations to transport IP traffic across different networks without the need for a VPN. EVPN also supports different IP service types, such as L3VPN and VRF (Virtual Routing and Forwarding), which enable organizations to isolate their IP networks and control the flow of traffic between them.

Network Virtualization

EVPN supports network virtualization services, such as Virtual Network Identifier (VNI) and Virtual Routing and Forwarding (VRF). VNI enables organizations to create multiple virtual networks on a single physical network infrastructure, which enables them to isolate different types of traffic and control the flow of traffic between them. VRF enables organizations to create virtual routers on a single physical router, which enables them to isolate different IP networks and control the flow of traffic between them.

Benefits of EVPN Services

EVPN services offer several benefits to organizations that need to extend their LANs across different networks. EVPN enables organizations to simplify their network infrastructure, reduce costs, and improve network performance. EVPN also provides fast convergence times, efficient use of network resources, and easy configuration, which make it a popular choice for data center networks, cloud computing environments, and service provider networks.

Conclusion

EVPN provides several services that enable organizations to extend their LANs across different networks. EVPN services include Ethernet services, VPLS, multicast services, IP services, and network virtualization. EVPN services offer several benefits, such as simplified network infrastructure, reduced costs, improved network performance, fast convergence times, efficient use of network resources, and easy configuration. EVPN is a popular choice for organizations that need to connect different networks, and it is widely used in data center networks, cloud computing environments, and service provider networks.
Published - 4 Days Ago
Created by - Stanley Avery
VPN technology is becoming more and more popular every day. Businesses are using VPNs to connect remote offices, and people are using VPNs to protect their online privacy. In this blog post, we will explain what FlexVPN is and how it differs from DMVPN.

What is FlexVPN?

FlexVPN is a type of virtual private network (VPN) solution that allows for simplified configuration and deployment. It utilizes IKEv2 as the key exchange protocol and combines aspects of multiple VPN configurations, such as traditional site-to-site, remote access, and DMVPN protocols. The result is a flexible and scalable VPN solution that can be easily adapted to fit various network needs. It can also support a variety of encryption methods, including AES and 3DES.

What is IKEv2?

IKEv2, also known as Internet Key Exchange version 2, is a security protocol designed for remotely connecting devices over a public network. It offers high speed and reliability, making it particularly suitable for mobile devices that may frequently switch networks. IKEv2 also offers strong encryption to protect any exchanged data and supports advanced features such as VPN server failover and split tunneling.

What are the Benefits of FlexVPN?

The FlexVPN solution offers a variety of benefits to businesses and organizations. One major advantage is its flexibility, as it allows for a combination of remote access and site-to-site connectivity using a variety of protocols. This also streamlines management and installation, as it uses a feature called "smart features." It also offers enhanced security through the use of encryption and authentication protocols, ensuring that sensitive data remains protected. Additionally, it allows for easy scalability to accommodate growing business needs. You can find more detailed information on FlexVPN and other networking solutions in our course.

FlexVPN vs DMVPN

When it comes to VPN technology, there are a variety of options available. Two of the more commonly used types are FlexVPN and DMVPN. FlexVPN is Cisco's unified VPN solution that can support a variety of protocols and uses Internet Key Exchange version 2 for key management. On the other hand, DMVPN (Dynamic Multipoint Virtual Private Network) is a solution that allows for the dynamic creation and deletion of tunnels as well as support for multiple spoke devices. Both options offer advantages based on specific needs and requirements.

Here are a few fundamental differences between the two solutions:
- IPsec: One key difference between FlexVPN and default Dynamic Multipoint VPN (DMVPN) is the protocol used for negotiating IPsec Security Associations (SAs). While DMVPN defaults to Internet Key Exchange version 1 (IKEv1), FlexVPN utilizes IKEv2. This offers several benefits, including support for EAP authentication methods and improved efficiency in rekeying and integrating with third-party devices.
- GRE: While DMVPN primarily uses static multipoint GRE interfaces, FlexVPN utilizes both static and dynamic point-to-point interfaces. This allows for greater flexibility and the ability to adapt to changing network environments.
- NHRP: In FlexVPN, NHRP (Next Hop Resolution Protocol) serves as the primary means of communication between spokes. Unlike traditional hub-and-spoke VPNs, spokes in a FlexVPN do not register with the hub. Instead, they utilize NHRP to communicate directly with each other and establish VPN tunnels. This simplifies configuration and increases network efficiency by reducing reliance on a central hub.
- Routing: Both solutions utilize dynamic routing protocols, but FlexVPN takes this one step further by also including the option to use IPsec to introduce routing information. This added feature allows for even greater flexibility and opportunities for customization in network setup.

Final Words

FlexVPN is a relatively new and more advanced network solution that can provide your business with added security, performance, and flexibility. While there are many VPN solutions around, it offers several advantages that make it worth considering for your organization. We highly recommend that you take the time to explore all this technology offers and see if it might be a good fit for your needs.
Published - Sun, 06 Nov 2022
Created by - Stanley Avery
If you're interested in the IT world, there's a good chance you've heard of DMVPN. But what is it? What is it used for? In this blog post, we'll take a look at DMVPN and explain what it is and how it works. So if you're interested in learning more about this critical networking technology, keep reading!

What is DMVPN?

A virtual private network, or VPN, is a way for individuals or businesses to maintain internet privacy and security. It does this by creating an encrypted connection between a user's device and the website they're accessing. This means that any third party intercepting the information being exchanged will not be able to decipher it. VPNs can also change a user's perceived location by routing their internet traffic through a different server, allowing them to access geographically restricted content.

Now, let's talk about DMVPN in particular. It combines traditional VPN technology and dynamically addressed networks like mGRE (Multipoint GRE) tunnels. It allows for easier setup and management of multiple sites connecting to each other through VPN tunnels, making it particularly useful for larger businesses with multiple offices. By leveraging mGRE tunnels, DMVPN also allows for more efficient use of network resources compared to static addressing methods. For further information on DMVPN, you can take a look at our course at orhanergun.net.

What is DMVPN Used For?

A DMVPN is a networking solution that allows for secure communication between multiple sites as well as remote users. This type of network offers more flexibility and scalability than traditional VPNs, as it doesn't require pre-configured connections or static IP addresses. Additionally, it allows for dynamic routing and support for multicast traffic to optimize network performance. As such, it is often used by companies with multiple offices or a mobile workforce that need efficient and secure communication capabilities. It can also connect multiple campuses or locations in educational settings or government institutions.

How Does a DMVPN Work?

A DMVPN uses tunneling protocols and encrypted security measures to create virtual connections, or tunnels, between sites. These tunnels are dynamically created as needed, making them both efficient and cost-effective. A central component of a DMVPN network is a Multipoint Control Protocol (MPCP) enabled device, such as a router, which facilitates the creation and management of the tunnels. By using MPCP in conjunction with other protocol standards, such as Internet Protocol security (IPsec) and the Next Hop Resolution Protocol (NHRP), DMVPNs provide scalable and reliable communication for organizations with multiple branch offices or remote workers. Cisco publishes a data sheet with more in-depth information on Dynamic Multipoint VPNs.

Components of a DMVPN

DMVPN comprises four main components:
1. Multipoint GRE tunnels
2. Next Hop Resolution Protocol (NHRP)
3. IPsec encryption
4. Routing protocols

Multipoint GRE

Multipoint GRE is a component of DMVPN (Dynamic Multipoint Virtual Private Network) that allows multiple endpoints to connect to a central hub over the internet. mGRE essentially acts as a tunnel interface, allowing traffic to flow through it securely. Unlike traditional point-to-point VPNs, mGRE allows for more flexibility and scalability regarding network connections. Additionally, mGRE can dynamically adapt to changes in the network, making it an efficient and reliable option for businesses and organizations with complex networking needs.

Next Hop Resolution Protocol (NHRP)

The Next Hop Resolution Protocol is a component that helps to simplify routing within a VPN network by providing dynamic mapping and resolution of next-hop IP addresses. NHRP allows for efficient use of network resources, as it eliminates the need for static configuration or periodic manual updates. It also helps improve security, as it enables dynamically-assigned IP addresses to create more anonymous connections.

IPsec Encryption

The IPsec Encryption component of DMVPN acts as a secure tunnel for data transmission. When enabled, it encrypts all traffic before it is sent over the Internet, ensuring that it cannot be intercepted or read by unauthorized parties. This added layer of protection is essential for sensitive information like financial transactions or personal records. In addition to encryption, IPsec also provides authentication to verify the identity of network devices and prevent man-in-the-middle attacks. Along with other components such as dynamic routing and NHRP, IPsec Encryption helps to make DMVPN a highly effective and secure networking solution.

Routing Protocols

Routing protocols are a vital component in a DMVPN network. These protocols enable dynamic routing, which automatically adapts as network changes occur. They also allow for redundancy and failover, ensuring that data can still be transmitted even if a portion of the network goes down. Two standard routing protocols used in DMVPNs are OSPF and EIGRP. Both provide fast convergence and support for IPv4 and IPv6 addresses, making them versatile options for networking environments.

Summary

DMVPN is a critical networking technology that has many applications in the business world. By understanding what it is and how it works, you can see how it could be used in your organization. Are you ready to implement a DMVPN network? Check out our network certification courses and learn DMVPN and more!
Published - Sun, 06 Nov 2022
Created by - Orhan Ergun
This question comes not only from my students but also from the companies to which I provide consultancy. I will not go through the OTV details (how it works, design recommendations, etc.), but let me very briefly remind you what OTV is, why it is used, and where it makes sense.

OTV (Overlay Transport Virtualization) is a tunnelling mechanism that carries Layer 2 Ethernet frames in IP. (As I indicated in other articles, when I say MAC in IP, it is the same thing as MAC over IP.) So, OTV is a Layer 2 in Layer 3 tunnelling mechanism. You may also hear it called an encapsulation mechanism, which is true, although there is a small difference. You don't need an MPLS underlay to create OTV tunnels.

It uses IS-IS for MAC address reachability and stops Layer 2 protocol PDUs at the OTV Edge device, where encapsulation happens. This is good because you don't want to extend Layer 2 protocol PDUs such as Spanning Tree if you have multiple datacenters. A failure stays within and affects only one datacenter, not all of them (the failure domain boundary concept).

Another datacenter interconnect requirement is ARP proxy. It is not mandatory, but it is good if your tunnelling mechanism (I should probably say Layer 2 extension mechanism) provides a way to reply to ARP messages locally. OTV provides this functionality as well.

Should I use Cisco OTV for the Datacenter Interconnect?

There are some problems. I will highlight the two most obvious ones, and one of them in particular might stop many networks from using OTV.

Since MAC reachability information is carried through IS-IS, you can run into scalability problems carrying MAC addresses through IS-IS. BGP allows scaling up to millions of MAC or IP prefixes (EVPN, PBB-EVPN). Also, I think there are some implementation limits for OTV: only up to a certain number of locations can participate in the overlay.

But here we should be fair and say that although VPLS doesn't have this limitation, it doesn't make sense to use VPLS for 10 or more datacenter interconnections due to data plane learning, and I guess we all know the problems of data plane learning. By the way, 10 is not a calculated number at all; I just used it as an example. If there are more MAC addresses per datacenter, probably even fewer interconnected datacenters can cause a problem.

So, OTV and IS-IS can be a problem for a large number of MAC addresses per datacenter, but this is definitely not the case for many networks today. If we are talking about massive scale datacenters, they don't use Layer 2 extension, and in fact they don't use Layer 2 protocols inside the datacenter either. (They use BGP, specifically EBGP, and there are many reasons for it; let's talk about them in a separate article.)

Another problem with OTV, of course, is that it is Cisco proprietary. If you want to use different devices at the DC edge of your network, you cannot. OTV is not interoperable with the other overlay technologies. You cannot use OTV together with VPLS, for example. I intentionally compared VPLS with OTV throughout the post, because VPLS is one of the most commonly used datacenter interconnect mechanisms in today's networks.

Again, let's think about real networks. Do you really care about using multiple vendors? Or if Cisco gives you a better price, better support and good documentation, and most importantly the best sales engineers (??), do you still consider avoiding vendor lock-in? Or do you think the decision is taken for political reasons in your company? Let me hear your thoughts in the comment section below.

To have a great understanding of SP Networks, you can check my newly published Service Provider Networks Design and Perspective Book.
Published - Tue, 26 Nov 2019
Created by - Orhan Ergun
Introduction to VPN (Virtual Private Network)

Let's start with the definition. A VPN is a logical network created over a shared physical infrastructure. The shared infrastructure can be private, such as the MPLS VPN of a Service Provider, or public, such as the Internet. There are many concepts to understand VPN in detail, but in this article I will cover the definition, common design considerations, and some not well known concepts about it.

We can group VPNs into two categories: WAN and Datacenter VPN technologies.

WAN VPN Technologies
1. GRE
2. mGRE (Multipoint GRE)
3. IPSEC
4. DMVPN
5. GETVPN
6. L2TPV3
7. LISP
8. MPLS L3 VPN

Datacenter VPN Technologies
1. EoMPLS (Ethernet over MPLS, a.k.a. VPWS)
2. VPLS (Virtual Private LAN Service)
3. OTV (Overlay Transport Virtualization)
4. EVPN
5. PBB-EVPN
6. VXLAN (and other host based overlays such as NVGRE, STT, GENEVE)

Of course this is not the complete list. Please note that some of the technologies which I grouped into WAN technologies can be used in the Datacenter and vice versa. For example, LISP can be used in the Datacenter as well, and VPWS and VPLS can be used on the Wide Area Network as well. I am going to cover each of these technologies in an individual article, so please stay tuned and follow the website by subscribing to the email list. Also please know that there is a video lesson in which I explain all these technologies in detail in my Self Paced CCDE Course.

VPN Design Considerations

VPNs can be further categorised as Overlay and Peer to Peer. Overlay VPNs are what I described above: a private network is created over the shared physical infrastructure. For better illustration, imagine a customer receiving a Layer 2 MPLS VPN service from the Service Provider. In the Overlay VPN model, the endpoints are the customer devices, which are called CE (Customer Equipment). MPLS Layer 3 VPN is a Peer to Peer technology. In the Peer to Peer model, the customer has a routing neighborship with the Service Provider. The endpoints are not the customer sites in this model. One side of the VPN is a customer device (CE) and the remote end is a Service Provider device (PE).

All of the above technologies add extra information to the packet or frame, which increases the overall MTU. Network links should be able to accommodate the bigger MTU. For example, GRE adds an extra 24 bytes (the GRE header is 4 bytes and the new IP header is 20 bytes; mGRE adds 28 bytes, and so on).

VPNs work based on encapsulation and decapsulation. For example, GRE, mGRE or DMVPN encapsulate IP packets into another IP packet, and VPLS or EVPN encapsulate a Layer 2 frame into MPLS packets. Some VPNs require a tunnel as well. For example, although I didn't include it in the list above, MPLS Traffic Engineering is used as a VPN mechanism and requires a tunnel. This doesn't mean that there is no encapsulation and decapsulation in MPLS Traffic Engineering (of course there is), but it requires a tunnel as well. GRE likewise requires a tunnel and encapsulation (the IP header is encapsulated in a GRE header).

Some of the above technologies support routing protocols, some don't. In order to run routing protocols over a tunnel, the tunnel endpoints should be aware of each other. In other words, the tunnel should be bidirectional and its two ends associated with each other. For example, MPLS Traffic Engineering tunnels don't support routing protocols, since the MPLS-TE LSPs (Label Switched Paths) are unidirectional, which means the head-end and tail-end routers are not associated and the tunnel is not bidirectional. All WAN technologies in our list except IPSEC and LISP support routing protocols.

Some VPN technologies cannot run over the Internet. For example, GETVPN, due to IP header preservation, cannot run over the public Internet. But by building a private infrastructure over the Internet with GRE, for example, GETVPN can run over GRE over the Internet.

VPN Choice Check List
- Will you use it over private or public infrastructure?
- How many locations will be connected? (Some have scalability challenges.)
- Will you run a routing protocol on top of it?
- What is the security requirement? (Do you need to encrypt the data?)
- Which one do you know best?
- Do you need to carry IP traffic only, or do you need to carry non-IP as well? So what is the payload?
- Do you need Multicast, QoS and IPv6 support? (Some of them don't support these, some of them are very poor.)
- Do your device hardware and software support the protocol which you choose?
- Do you have a budget problem? (Some VPN services are more expensive than others.)
- Is there any Layer 8 and above issue?
Published - Tue, 26 Nov 2019
Created by - Orhan Ergun
GRE tunnels are by far the most common tunnelling technology. They are very easy to set up, troubleshoot and operate. But in large scale deployments, configuring GRE tunnels becomes cumbersome, because a GRE tunnel is a point to point tunnel.

GRE Tunnel Characteristics
- GRE tunnels are manual point to point tunnels. Tunnel end points are not automatically derived; the network operator needs to configure the tunnel end points manually.
- Supports routing protocols. You can run any routing protocol on top of GRE tunnels.
- IPv4 and IPv6 can be transported over GRE. Some VPN technologies may not support IPv6 or IPv6 routing protocols.
- Non-IP protocols such as IPX, SNA etc. can be carried over a GRE tunnel as well. Most of the tunnelling technologies cannot carry non-IP traffic. For example, an IPSEC tunnel cannot carry non-IP traffic.
- If there are too many sites that need to communicate with each other, GRE is not scalable. But in Hub and Spoke topologies it can be used, since whenever a new spoke site is added, only the new site and the hub need to be revisited; not all the spokes need configuration. Even so, in Hub and Spoke topologies the configuration can be too long on the Hub site. The mGRE (Multipoint GRE) version of GRE tunnel reduces the configuration on the Hub site greatly.
- A GRE tunnel adds 24 bytes to the IP packet: a 4 byte GRE header and a 20 byte new IP header are added, which increases the size of the IP packet. Careful planning of the interface MTU is necessary.
- GRE doesn't come with encryption by default, so in order to encrypt the packet, IPSEC should be enabled over the GRE tunnel.

GRE Tunnel Use Cases

Classical use cases of GRE tunnels are over the Internet with IPSEC, VRF-lite to carry different VPN information separately in the Campus, WAN or datacenter, and IPv6 tunnelling over IPv4 transport. GRE is used mostly together with IPSEC to support the traffic that is not supported by IPSEC by default. For example, IPSEC tunnels don't support Multicast by default, but together with GRE, GRE over IPSEC supports multicast traffic.
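As an added example (not from the original articles), the following Python code builds and parses GRE-in-IPv4 packets per RFC 2784 to show where the 24 bytes of overhead mentioned above come from (20-byte outer IPv4 header plus 4-byte GRE header), how the GRE protocol type field lets one tunnel carry IPv4, IPv6 or non-IP payloads such as IPX, and the inner MTU that results on a 1500-byte link. The tunnel end point addresses and payloads are constructed; on receive it skips the optional checksum, key and sequence fields, though it never emits them.

```python
"""Minimal GRE-in-IPv4 (RFC 2784) encapsulation and decapsulation.

Added example, not part of the original article. Shows the 24-byte GRE
overhead (20-byte outer IPv4 header + 4-byte GRE header), how the GRE
protocol type field identifies IPv4, IPv6 or non-IP payloads, and the
inner MTU that results on a 1500-byte link. Addresses are constructed
(TEST-NET-3) and stand for the two tunnel end points.
"""
import ipaddress
import struct

IPV4_HEADER_LEN = 20
GRE_HEADER_LEN = 4
GRE_OVERHEAD = IPV4_HEADER_LEN + GRE_HEADER_LEN  # the 24 bytes the article mentions
IPPROTO_GRE = 47

# GRE protocol type values are Ethertypes, so one tunnel can carry any of them.
PROTO_IPV4 = 0x0800
PROTO_IPV6 = 0x86DD
PROTO_IPX = 0x8137
PROTO_NAMES = {PROTO_IPV4: "IPv4", PROTO_IPV6: "IPv6", PROTO_IPX: "IPX (non-IP)"}

# GRE flag bits in the first 16-bit word (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000
GRE_VERSION_MASK = 0x0007


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (0 when verifying a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Outer IPv4 header with no options (IHL=5), DF clear, checksum filled in."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]


def gre_encapsulate(payload: bytes, proto_type: int, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Wrap payload in a plain GRE header (no C/K/S fields, version 0) and an outer IPv4 header."""
    gre = struct.pack("!HH", 0x0000, proto_type)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(payload))
    return outer + gre + payload


def gre_decapsulate(packet: bytes) -> tuple:
    """Validate the outer IPv4 and GRE headers; return (proto_type, inner_payload).

    Raises ValueError on anything a tunnel end point should drop: truncated
    packet, non-IPv4 outer header, bad checksum, non-GRE protocol, or a GRE
    version other than 0.
    """
    if len(packet) < GRE_OVERHEAD:
        raise ValueError("packet too short for outer IPv4 + GRE")
    if packet[0] >> 4 != 4:
        raise ValueError("outer header is not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    outer = packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("bad outer IPv4 checksum")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is %d, not GRE (47)" % outer[9])
    total_len = struct.unpack("!H", outer[2:4])[0]
    packet = packet[:total_len]  # drop any link-layer padding
    flags_ver, proto_type = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if flags_ver & GRE_VERSION_MASK:
        raise ValueError("unsupported GRE version")
    # Optional 4-byte fields follow the base header when their flag bits are set.
    offset = ihl + GRE_HEADER_LEN
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags_ver & flag:
            offset += 4
    return proto_type, packet[offset:]


def inner_mtu(link_mtu: int, overhead: int = GRE_OVERHEAD) -> int:
    """Largest inner packet that fits the link without fragmenting the outer packet."""
    return link_mtu - overhead


if __name__ == "__main__":
    inner = b"\x45" + b"\x00" * 39  # constructed 40-byte stand-in for an inner IPv4 packet
    frame = gre_encapsulate(inner, PROTO_IPV4, "203.0.113.1", "203.0.113.2")
    proto, payload = gre_decapsulate(frame)
    print("outer %d bytes = inner %d + %d overhead" % (len(frame), len(inner), len(frame) - len(inner)))
    print("payload type %s, inner MTU on a 1500-byte link: %d" % (PROTO_NAMES[proto], inner_mtu(1500)))
```

Running it with GRE over IPSEC in mind, the same `inner_mtu` helper takes the extra IPSEC bytes as its `overhead` argument, which is the calculation the "careful planning on the interface MTU" point refers to.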
Published - Tue, 26 Nov 2019