"MPLS over FlexVPN" in blueprint

Looks like the blueprint for CCIE EI lists: “3.2.b iii” as “MPLS over FlexVPN”. Not finding resources on exactly this configuration: I’m assuming it’s just creating a FlexVPN tunnel on either PE router when configuring MPLS, and then doing your EBGP peering between the tunnel interfaces (vpnv4 address family) on either side?

Or, maybe I’m way off and this is a specific configuration that I’m just not finding…any ideas? Thanks all!

Here’s a good Cisco Live presentation (DGTL-BRKSEC-3054) which covers this exact topic.

For the slides, page 43 is the start of MPLS over Flex VPN.

In the session video, the topic starts at 42:20.

Hope that helps!

+1

I’m going through the same section, haven’t found any good source yet. Only this Network Lessons post.

That section says “Identify use-cases for FlexVPN” but that post is mostly about configuration… I’d like to know more about the design aspects.

Excellent - thanks for the response.

I skimmed through it. What I don’t understand is why not just use MPLS/MBGP? I guess the benefit of using this approach is to avoid LDP altogether (and its overhead) while providing encryption/authentication with FlexVPN?

Thanks for the resources!

Use case would be if you have many VRFs using the same VPNs. For example: if you have multiple customers and each is assigned their own VRF. You would then use MPLS over FlexVPN to separate their traffic without having to create individual overlays for each customer.

Good point, blueprint explicitly says “Identify use-cases”, and not necessarily configure it from scratch. But as I’ve heard, being able to configure from scratch will only help you during the exam!

Combing through the slides/video /u/AndrewAegerter posted in another comment. I still don’t quite understand it yet but I’ll get there.

Is the scenario not that the nodes with VPN tunnels are not directly connected to each other? They build IPsec tunnels over an intermediate IP network?

So the issue is not the control plane, it’s the transport. You can’t send a non-IP packet, i.e. an MPLS packet, between the two routers without some sort of tunnel. Which is what FlexVPN provides.

Maybe I’m way off the mark, just glanced at this.

I guess that would be the reason, yes. Completely missed that obvious case lol.