GRE over MPLS
Hello people,
I'm facing a problem trying to establish a GRE tunnel over MPLS. The topology is as follows:
(server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
-server needs to establish a gre tunnel with FW.
-server receives a default route from CE1 via OSPF.
-CE1 has a default static route pointing to the next hop, which is an interface VLAN (in a VRF) on PE1.
- PE1 receives a default route generated by CE2 (via MP-BGP).
In this situation the GRE tunnel wouldn't come up. The only way I got the GRE to work was replacing the default static route on CE1 with a more specific static route.
In both cases (default AND specific static routes) the connectivity (ping) from end to end was there.
Has anybody seen anything alike?
thanks,
Bruno
You could be looking at some recursive routing through the GRE interface, so the second it comes up it will try to put the GRE packets through the GRE tunnel, thus creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel, or a static route? If so, how is it set up?
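The recursive-routing condition raised in the reply above can be checked offline against a routing table. This is an added example, not part of the original thread: it resolves the tunnel destination by longest-prefix match and reports whether the egress is the tunnel itself. The interface names, addresses (documentation ranges) and route tables are constructed assumptions.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Each route is (prefix, next_hop, out_interface);
    connected routes carry an interface, all others carry a next hop."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def resolve_egress(routes, dst, max_depth=8):
    """Follow next hops until a connected route names the egress interface.
    Returns (interface or None, list of prefixes matched on the way)."""
    path = []
    for _ in range(max_depth):
        hit = lookup(routes, dst)
        if hit is None:
            return None, path
        net, next_hop, iface = hit
        path.append(str(net))
        if iface is not None:
            return iface, path
        dst = next_hop
    return None, path  # next-hop chain never reached a connected route

def tunnel_is_recursive(routes, tunnel_if, tunnel_dst):
    """True when the tunnel's own destination resolves out of the tunnel."""
    iface, _ = resolve_egress(routes, tunnel_dst)
    return iface == tunnel_if

# Constructed routing tables (hypothetical names, documentation addresses).
BASE = [
    ("192.0.2.0/30", None, "Gi0/1"),      # connected uplink
    ("10.255.0.0/30", None, "Tunnel0"),   # connected tunnel subnet
    ("0.0.0.0/0", "192.0.2.1", None),     # default static route
]
TUNNEL_DST = "203.0.113.10"

# A prefix covering the tunnel destination is learned across the tunnel.
LEARNED = BASE + [("203.0.113.0/24", "10.255.0.2", None)]
# A host route pins the tunnel destination to the physical path.
PINNED = LEARNED + [("203.0.113.10/32", "192.0.2.1", None)]

if __name__ == "__main__":
    for name, table in (("base", BASE), ("learned", LEARNED), ("pinned", PINNED)):
        print(name, resolve_egress(table, TUNNEL_DST),
              tunnel_is_recursive(table, "Tunnel0", TUNNEL_DST))
```
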
-
GRE over MPLS not working...
Hi
I've a GRE tunnel configured between a CE and a PE.
I guess the problem is on the PE side, this is my config:
interface Loopback99
ip vrf forwarding dar
ip address 99.99.99.99 255.255.255.255
interface Tunnel199
ip vrf forwarding dar
ip address 11.11.11.1 255.255.255.252
ip policy route-map dfbit
tunnel source Loopback99
tunnel destination 88.88.88.88
tunnel path-mtu-discovery
Everything is reachable between PE and CE, but on the tunnel interface I wasn't able to find the "tunnel vrf dar" command...
I have a Cisco 7206VXR (164 RAM and 128 flash) and in the Software Feature Navigator I wasn't able to find an IOS that supports it.
Can anybody tell me why?
Tks
Ric
Riccardo,
This feature is available starting with 12.3(2)T.
Regards
-
Hello,
Has anyone here implemented "GRE function over MPLS"?
Would it be possible to point to some links discussing advantages/disadvantages and some design aspects of the same?
Thanks
Cheers,
~sultan
Hello Harold,
Thanks for replying. Actually I just thought about it: considering the existing customer (P2M) who's running GRE on IPLC links, they want to continue the same after migrating to MPLS. Just curious to know whether this implementation has been implemented by anyone and whether it could be improved further.
Thanks
Cheers,
~sultan -
I have configured a network with OSPF and a site-to-site VPN without a GRE tunnel and it works very well. I want to know: when do I have to use a GRE tunnel over IPsec?
Jose,
It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnel keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
HTH,
Frank -
With Vignesh R. P.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about concept, configuration and troubleshooting Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
Remember to use the rating system to let Vignesh know if you have received an adequate response.
Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Tenaro,
AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
Another technology that more or less achieves the result of AToM is L2TPv3. In the case of L2TPv3, Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
Hope the above explanation helps you. Kindly revert in case further clarification is required.
Thanks & Regards,
Vignesh R P -
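The label handling described in the answer above (edge LSRs impose and dispose of labels, core LSRs only switch them) can be traced on a byte level. This is an added example, not code from the original post or from Cisco: it uses the 32-bit MPLS label stack entry layout of RFC 3032 with a two-level stack (tunnel label on top, VC label at the bottom), omits the optional pseudowire control word, and all label values, frame bytes and the attachment-circuit name are constructed assumptions.

```python
import struct

def pack_label(label, tc, bottom, ttl):
    """One label stack entry: label(20 bits) | TC(3) | S(1) | TTL(8)."""
    if not (0 <= label < 2**20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def unpack_label(data):
    """Decode the first label stack entry of a packet."""
    if len(data) < 4:
        raise ValueError("truncated label stack")
    (word,) = struct.unpack("!I", data[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

def impose(l2_frame, tunnel_label, vc_label, ttl=255):
    """Ingress PE: VC label at the bottom of the stack, tunnel label on top."""
    return (pack_label(tunnel_label, 0, False, ttl)
            + pack_label(vc_label, 0, True, ttl)
            + l2_frame)

def p_swap(packet, new_label):
    """Core LSR: swap the top label and decrement its TTL; nothing below
    the top entry is inspected or changed."""
    top = unpack_label(packet)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired")
    return pack_label(new_label, top["tc"], top["bottom"], top["ttl"] - 1) + packet[4:]

def dispose(packet, vc_table):
    """Egress PE: pop entries down to the bottom of the stack, then map the
    VC label to an attachment circuit. Unknown VC labels are rejected."""
    offset = 0
    while True:
        entry = unpack_label(packet[offset:])
        offset += 4
        if entry["bottom"]:
            break
    circuit = vc_table.get(entry["label"])
    if circuit is None:
        raise ValueError("unknown VC label %d" % entry["label"])
    return circuit, packet[offset:]

# Constructed Ethernet frame: broadcast dst, made-up src, ARP ethertype.
FRAME = bytes.fromhex("ffffffffffff0200000000010806") + b"constructed-payload"
VC_TABLE = {200: "Ethernet0/0.10"}  # hypothetical VC label to circuit map

if __name__ == "__main__":
    pkt = impose(FRAME, tunnel_label=100, vc_label=200)
    pkt = p_swap(pkt, 101)          # one core hop
    print(unpack_label(pkt), dispose(pkt, VC_TABLE)[0])
```
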
DMVPN GRE over IPSEC Packet loss
I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
%VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
%CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
interface Tunnel111
description **DPN VPN**
bandwidth 1000
ip address 172.31.111.107 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1300
ip pim sparse-dense-mode
ip nhrp authentication XXXX
ip nhrp map multicast dynamic
ip nhrp map multicast X.X.X.X
ip nhrp map X.X.X.X X.X.X.X
ip nhrp network-id 100002
ip nhrp holdtime 360
ip nhrp nhs 172.31.111.254
ip route-cache flow
ip tcp adjust-mss 1260
ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
qos pre-classify
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key XXXX
tunnel protection ipsec profile X.X.X.X
interface GigabitEthernet0/0
description **TO DPNVPN**
ip address 10.X.X.X 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip pim sparse-dense-mode
ip virtual-reassembly
duplex full
speed 100
no snmp trap link-status
no mop enabled
Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
Brenden
Have you tried to turn off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher, but you only have 10 spoke sites, so it won't be at 100%.
It's better to start troubleshooting at layer 1, then layer 2, when it's possible. Have you asked the site's ISP about packet loss on their side?
-
How to provied Redundancy for VRF MGMT with help of BGP over MPLS(MPBGP)
Hi,
Please find the Network Topology.
This is one remote site, managed by the Mgmt office.
All devices on the remote site are accessed by the MGMT office. My organisation seeks redundancy for managing devices.
My administration is from MGW to R1. I am new to MPLS.
As you can see in the diagram, R1 has 3 VRFs (Voice, Signal and MGMT). Currently I have a primary link over which we are running MPBGP.
Traffic from these VRFs goes to this primary link. Currently the secondary link is not connected.
Now my organisation has proposed the secondary link, and they want only traffic from VRF MGMT to go through MPLS RTR R2 (the secondary link) when the mgmt routes are not learned from MPLS RTR R1 (connected to SP1).
Current R1 config
There is iBGP between R1 and both MPLS RTRs.
BGP Config
router bgp 64513
synchronization disable
neighbor 10.36.150.1 remote-as 64513
neighbor 10.36.150.1 activate
neighbor 10.36.150.1 update-source loopback1
address-family ipv4 vrf signalling
redistribute connected
redistribute static
$
address-family ipv4 vrf voice
redistribute connected
redistribute static
$
address-family ipv4 vrf OAM-T
redistribute connected
redistribute static
$
address-family vpnv4
neighbor 10.36.150.1 activate
neighbor 10.36.150.1 send-community
$
!<ospfv2>
router ospf 100
interface gei-3/3
network point-to-point
$
network 10.36.150.49 0.0.0.0 area 0.0.0.0 --- loopback ip (Configured)
network 10.36.149.60 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R1.(Configured)
network 10.36.149.64 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R2. ---------- (till now not configured as secondary link is not connected)
router-id 10.36.150.49
So what configuration needs to be done at R1 to achieve redundancy for the MGMT VRF?
If possible, please reply with a sample configuration.
or
In the MPBGP protocol, where do I apply a routing policy for AS-path prepend so that the route would be secondary to the neighbor?
IGP-OSPF and BGP over MPLS are running.
On which address-family neighbor should I apply it: VPNV4, IPV4 or IPV4 VRF?
If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access list or a prefix list?
Please provide the reply with its config.
thanks in advance,
Regards,
Ajay
-
Point to Multipoint L2VPN trunks over MPLS
Can we have a trunk between more than 2 CEs over MPLS? In short, we are looking for a point-to-multipoint MPLS L2 VPN where more than 2 CEs share a common Ethernet segment over MPLS to share the VLAN database.
Let me give more info about the solution we are trying to find.
CE1,CE2,CE3 & CE4 are the core switches at respective location, we are looking for the same vlan database between these core switches over the MPLS
CE1 will be connected to PE1
CE2 will be connected to PE2
CE3 will be connected to PE3
CE4 will be connected to PE4
So can we have the L2 VPN between CE1, CE2, CE3 & CE4 where the interfaces connected to the respective PEs will be TRUNK?
Hi,
Thanks for the PDF. I had tried VPLS earlier. The circuits are coming up but I am not able to ping between the CEs' VLAN IP addresses, although the VCs are up.
PE end config
interface GigabitEthernet1/35
description L2 Connectivity to KBL039SW1 (TEMP)
switchport
switchport access vlan 100
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
CE-1 end config
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport mode trunk
end
int vlan 100
ip address 10.10.10.1 255.255.255.0
The other end's VLAN 100 IP address is 10.10.10.2 but I am not able to ping this IP address from CE-1.
Any guess what could be the problem?
-
Dears,
Hope you can support me in understanding the following:
I have the following topology:
Now I need CE1 and CE2 to communicate with CE3 (CE3 is connected to MPLS through Ethernet) over the MPLS cloud. Be aware that the MPLS cloud is working perfectly, but I am stuck on how to make CE1 and CE2 connect to the customer VRF on the PE router through the FR switch.
Please, I need your support.
Thanks in advance
Check whether you have enabled IP CEF.
ip cef distributed !
CEF switching is pre-requisite for label Switching frame-relay switching
http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6ce.html -
I have a PIX 501 connecting to a VPN Concentrator via EasyVPN. That connection works fine, now I want to add a router running GRE.
I cannot get my GRE tunnels to come up. I have added the fixup pptp command and a static translation, translating the Easy VPN obtained address to the router's inside address, however nothing seems to be working… Any suggestions? Can anyone confirm that you can run GRE over Easy VPN?
I think if you are doing NEM mode then you should be able to do GRE over IPsec.
But when EasyVPN is in "client mode", all networks from the remote site get PAT'ed before they are sent through IPsec. Therefore it may not work.
The GRE tunnel destination should be reachable for the GRE tunnel to work; therefore, in client mode the PAT can hide the tunnel source address of the remote site.
Check what mode EasyVPN is in.
HTH
Saju
Pls rate helpful posts -
VoIP, Video Polycom over MPLS
Hi
Anyone using Video Polycom and VoIP over MPLS? We have around 5 offices and they want to use Video Polycom over MPLS. If someone can provide pros and cons for that, and any document or link, I'd much appreciate it. Thanks in advance.
Sai
I haven't done Polycom over MPLS
but I would like to give u hints to consider
the first thing u need to know from the ISP is what COS they put in as priority, how many COS they provide u based on the SLA, and how much max traffic before they start to drop traffic
the other thing is to know how the Polycom marks the traffic, and u need to classify it and put it in the proper class based on the classes provided by the MPLS ISP
good luck
and hope this is helpful
-
Cell-relay over MPLS using MGX 8850
we have existing ATM network using TDM links between MGX 8850 & have PVCs for voice & data traffic. We are planning to migrate the same over MPLS network
following is the setup.
MGX1----> PE1 ------>MPLS Cloud ------> PE2 ---->MGX2
As per this plan we will terminate the existing TDM trunks on PE routers at both ends & map VPI/VCI values at the PE routers for virtual ATM PVCs over the MPLS cloud. We are using cell-relay over MPLS with VC mode. My query is, can we enable MPLS L3 & L2 on the same last mile in this scenario? We want to have one IP over ATM interface on the same ATM interface at the PE router & make that part of a VRF & enable L3 MPLS VPN between all the sites for any-to-any data transfer. For data we don't want to use L2 MPLS as it's any to any & it will end up with too many ATM PVCs.
In this setup PE router & MGX will be configured in NNI-NNI at both end. If we want to create one sub-interface at same ATM interface at PE router end, then that port need to be in UNI. Is it possible to use same ATM trunk port as NNI & UNI?
In the MGX 8850 we have RPM, AXSM & VISM modules.
The following document should give you some idea,
http://www.cisco.com/en/US/products/hw/modules/ps2797/products_module_installation_guide_chapter09186a0080086f9a.html -
My company has IPT in our HQ. We have a secondary mfg location in the next town that is connected via a point-2-point T1, and we run VoIP over it. We have a PRI for PSTN access at the HQ. The 2nd location had POTS access until someone canceled them feeling they were unnecessary (pros and cons for that) At both locations we have SRST on a 1760-V.
Our location in CA (HQ is in WI) currently has its own PBX which is dying. I wish to roll out VoIP to it over MPLS, which I would then replace the P2P T1 and put it in the MPLS cloud too. I plan NOT to add a voice gateway at the CA location and just put a switch out there and route all calls through WI (Leaving a POTS line for fax and 911).
Management's only worry is if the phones go out at the HQ, CA will be stranded. I said SRST would kick in and maintain call processing, until the batteries ran out. Only THEN everything would be down. (The other scenario would be the HQ building is compromised somehow).
Is it possible if a DR plan is in place that if an extended power loss occurs, or the HQ building is destroyed, that call routing could be established through our secondary location, since everything is connected via MPLS? I know POTS lines would need to be reestablished, but could the second WI location run SRST for the CA site? I am not asking how to do it, just if it is possible down the road some time. This could sell the plan to management if it is possible.
-
Sample Configuration For Ethernet over MPLS.
I am looking for a sample configuration and scenario for Ethernet over MPLS. I would appreciate it if I get some explanation with it. How is LDP configured for the directed sessions (as per the Martini draft) and the auto discovery (as per the Kompella draft) with respect to Ethernet over MPLS? Can anyone help me with this?
Here's a sample EoMPLS configuration on the PE routers:
R1:
interface Loopback0
ip address 1.1.1.1 255.255.255.255
interface Ethernet0/0.10
encapsulation dot1Q 10
! 10 = vcid must match the vcid configured on the other side
mpls l2transport route 2.2.2.2 10
R2:
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Ethernet0/0.10
encapsulation dot1Q 10
mpls l2transport route 1.1.1.1 10
The LDP directed session will be setup automatically by the router when the xconnect statement is configured.
Cisco IOS doesn't support the Kompella Draft.
For more information, see the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/atomt/ftatomtb.htm
Hope this helps, -
Hi,
I would appreciate if you answer my following questions :
- As you know EoMPLS is based on physical port, but how about VPLS?
- Could you tell me minimum router which supports VPLS?
- Any other solutions for transfer ethernet frames over MPLS except VPLS and EoMPLS?
- I think VPLS is better than EoMPLS because it supports multipoint to multipoint; is that true? Could you please tell me the advantages and disadvantages of VPLS?
Regards,
M.Arshad rad
Ehlo,
1) EoMPLS is available in port and VLAN mode. Since VPLS is actually using Martini encapsulations (both Lasserre and Kompella) it is possible to use raw and tagged modes.
2) IMHO the only Cisco router that supports VPLS now is the 7600. Additionally, VFI can only be assigned to SVI.
3) Juniper CCC (RSVP based) - but obviously you won't use it since it's proprietary (nevertheless it has nice features like LSP stitching) and IOS couldn't signal it.
4) VPLS is designed to support p-to-mp and therefore it's more complex. If you don't need its features you can stick with raw p2p Martini, which is relatively simple and widely implemented (no problem, for example, to configure it between IOS and JunOS boxes).
pm