GRE Tunnel or VLAN in VLAN tagging

[Charles]

Recently I've been looking at possible ways of passing multiple vlan's across a metro ethernet connection I have to three remote locations.  However my service provider (only one available for my area) gives me only one vlan tag I can send across for the entire metro ethernet connection.  After doing some research I've been looking at either doing a GRE Tunnel between these sites or possibly doing VLAN Stacking so I can segment out some of the network traffic between these sites.  I'm a complete Nortel/Avaya shop with a ERS 8610 with 8695SF sitting at my core and on the edge I have 5632's acting as edge routing equipment.  For the 8610 I'm running v5 on the software and on the 5632's I'm running 6.2.4 code.  Has anyone attempted to setup either of these methods to pass multiple vlan's across such a connection or have had any luck with a different method.  Any suggestions that anyone may have would be greatly appreciated.

[Telair]

I did something similar, but for different reasons.  The company I worked for didn't trust the carrier to not snoop on their traffic for good reasons as they had been caught in the past.  This was years ago, so at the time we put a Nortel Contivity 2600 on the main office and ran encrypted IPSec VPN tunnels out to the branches that had Contivity 1100's.  Treated the carrier network like an untrusted Internet connection.  Worked like a charm for many, many years.  I suppose now you would use SR 3120's w/ IPSec VPN module to do the same thing if you didn't want to get some old Contivity units off e-Bay.

[Michael McNamara]

Hi Charles and welcome to the forums!

If you have ERS 8600/8800s v7.1 (w/Premiere License) at each side of the connection you can run an IP VPN from the ERS 8600s.

http://support.avaya.com/css/P8/documents/100128506

You can also accomplished the same with a pair of Secure Routers as suggested by @Telair.

I've recently noticed that a number of MPLS providers now support 802.1q tagging across their networks (they are essentially wrapping the entire 802.1q tagged frame in their own sVLAN or other implementation. Are you sure you can't pass 802.1q tagged packets?

I would probably suggest a Secure Router or similar device with IP VPN support (license).

Good Luck!

[Charles]

Thank you for replying, I've been on the phone for the past couple days trying to explain to the telco provider what was needing to be done and I think they finally understand about doing the svlan.  One of their engineers is suppose to call me next week to start testing some changes they are going to make on their edge equipment.  As a backup I'm going to take a look at the secure routers and see if my sales rep can send me two demo units to give a try.

I would like to say I'm very grateful that this forum exist, I just found it a few days ago and have already found a wealth of information on it.

[Michael McNamara]

Please let us know how you make out and thanks for the kind words.

The work here is really a collaboration among current and former Nortel/Avaya customers.

If you have the time feel free to share your own knowledge with the community.

Cheers!

[Dominik]

Hi Charles,

with all three methods:

-IPSEC VPN Tunnels
-MPLS Tunnels
-SVLAN Tag in Tag

you have to be aware of that the actual payload of your packets are smaller in fact of the addtional
header lenght. Keep that in mind , if e.g. the MTU Path Discovery doesnīt work the result can be a slow
network performance.

Good Luck