Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MPLS over GRE #3354

Closed
2 tasks done
adam-kulagowski opened this issue Nov 16, 2018 · 3 comments
Closed
2 tasks done

MPLS over GRE #3354

adam-kulagowski opened this issue Nov 16, 2018 · 3 comments
Assignees
@rwestphal
Labels
enhancement

Comments

@adam-kulagowski
Copy link

adam-kulagowski commented Nov 16, 2018
edited
Loading

  • Did you check if this is a duplicate issue?
  • Did you test it on the latest FRRouting/frr master branch?

Description

Is scenario when MPLS over GRE is used to set up l3VPN supported?
I'm trying to peer w/ Juniper VMX as described in
https://www.juniper.net/documentation/en_US/junos/topics/example/example-next-hop-based-dynamic-gre-tunnel-configuring.html

Expected behavior:
In lack of lldp peer, MPLS over GRE encapsulation should be used

Actual behavior:
MPLS is sent via physical interface

Components

[bgpd, ospfd, staticd, zebra]

Versions

  • OS: alpine:edge (in docker)
  • Kernel: 4.15.0-39-generic
  • FRR: 6.1-dev_git1042702486119
@rwestphal
Copy link
Member

Hi @adam-kulagowski,

I've managed to make L3VPN work over GRE using this test topology: https://gist.github.com/rwestphal/931f070240ffffebc2213f5d5fbefcb7

Here you can see the MPLS VPN label and the CE payload being carried in the GRE tunnel:
l3vpn-gre

The solution I found was to enable LDP on the GRE interfaces (and MPLS forwarding as well) and create a static route in each PE pointing to the other one through the GRE tunnel. This way LDP will advertise implicit-null labels to the PE loopback routes, and zebra will have labeled routes to the BGP nexthop of the VPNv4 routes, making them eligible to be installed in the kernel.

One thing to keep in mind is that you need to specify a fixed TTL (e.g. 64) when creating the GRE interfaces, otherwise the GRE packets will inherit the TTL of the encapsulated packets. Since LDP sends multicast packets with a TTL of 1, the default TTL inheritance behavior prevents LDP from working over GRE tunnels.

The only problem I see in this solution is that all traffic between the PEs goes through the GRE tunnels, and not only the VPN traffic as one might desire. But this should be fixable using a few PBR commands.

Other possibility would be to change the FRR code as follows:

  • Make zebra parse the attributes of GRE interfaces from the kernel to detect the tunnel endpoints;
  • Change the nexthop resolution code to consider GRE/L2TPv3 tunnels as valid alternatives for VPN routes and pseudowires, without the need to create routes pointing to them.

This however might be a bit tricky to implement and I'm not sure if it would be the right thing to do. We need to do some research on this area.

@adam-kulagowski
Copy link
Author

Many thanks :)

I think I failed to explain our situation. I'm aware that this can be done using LDP over GRE but I'm aiming to avoid LDP/RSVP at all:

Lets take a look at Cisco/Juniper:

https://www.juniper.net/documentation/en_US/junos/topics/example/example-next-hop-based-dynamic-gre-tunnel-configuring.html

When a Juniper Networks routing platform receives a VPN route that resolves over a BGP next hop that does not have an MPLS path, a generic routing encapsulation (GRE) tunnel can be created dynamically, allowing the VPN traffic to be forwarded to that route.

On Juniper You need to add:

[edit routing-options]
user@PE1# set dynamic-tunnels gre next-hop-based-tunnel
user@PE1# set dynamic-tunnels gre-dyn-tunnel-to-pe2 source-address 127.0.0.2
user@PE1# set dynamic-tunnels gre-dyn-tunnel-to-pe2 gre
user@PE1# set dynamic-tunnels gre-dyn-tunnel-to-pe2 destination-networks 55.66.77.0/24

On Cisco:
https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/layer-3-vpns-l3vpn/116725-configure-mgre-00.html

On Cisco relevant config:

l3vpn encapsulation ip MGRE
transport ipv4 source Loopback0

route-map MGRE-NEXT-HOP permit 10
set ip next-hop encapsulate l3vpn MGRE

router bgp 65534
 !
address-family vpnv4
neighbor 192.168.2.2 route-map MGRE-NEXT-HOP in

So basically there is standard (cannot pinpoint the RFC) to automatically encapsulate MPLS over GRE/UDP in case where is no LDP/RSVP running. So am I correct that this requires some changes in FRR source code?

If I missed something in Your example/explanation please let me know :)

Best regards,
Adam

@rwestphal
Copy link
Member

rwestphal commented Dec 18, 2018
edited
Loading

@adam-kulagowski thanks for the detailed explanation.

So am I correct that this requires some changes in FRR source code?

Yes, FRR doesn't support resolving VPN routes through GRE tunnels as of now (without the implicit-null label hack), let alone create GRE tunnels automatically when necessary.

Since I can't commit to implement this right now, I've added MPLS over GRE to the Features Request wiki page.

@pguibert6WIND pguibert6WIND mentioned this issue Sep 20, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwestphal rwestphal

Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rwestphal @qlyoung @adam-kulagowski