GRE over MPLS

Hello people,
I'm facing a problem trying to establish a GRE tunnel over MPLS. The topology is as follows:
(server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
- Server needs to establish a GRE tunnel with FW.
- Server receives a default route from CE1 via OSPF.
- CE1 has a default static route pointing to the next hop, which is an interface VLAN (in a VRF) on PE1.
- PE1 receives a default route generated by CE2 (via MP-BGP).
In this situation the GRE tunnel wouldn't come up. The only way I got the GRE to work was replacing the default static route on CE1 with a more specific static route.
In both cases (default AND specific static routes) the connectivity (ping) from end to end was there.
Has anybody seen anything like this?
Thanks,
Bruno

You could be looking at some recursive routing through the GRE interface, so the second it comes up it will try to put the GRE packets through the GRE tunnel, thus creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel, or a static route? If so, how is it set up?
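
The recursive-routing condition raised in the reply above, modelled as an added example that is not part of the original thread: a longest-prefix-match lookup decides whether the tunnel endpoint resolves through the tunnel itself, and shows why a more specific route to the endpoint avoids it. The interface names, addresses and the route learned over the tunnel are constructed assumptions, not values from the poster's network.

```python
import ipaddress

def lookup(rib, dst):
    """Longest-prefix match: the most specific route covering dst, or None."""
    addr = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in rib:
        net = ipaddress.ip_network(route["prefix"])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

def egress_interface(rib, dst, max_depth=8):
    """Follow next-hop ("via") routes until one names an outgoing interface."""
    for _ in range(max_depth):
        route = lookup(rib, dst)
        if route is None:
            return None              # destination unreachable
        if "out_if" in route:
            return route["out_if"]
        dst = route["via"]           # resolve the next hop in turn
    return None                      # next-hop chain loops or is too deep

def tunnel_is_recursive(rib, tunnel_if, tunnel_dst):
    """True when GRE packets to the tunnel endpoint would enter the tunnel."""
    return egress_interface(rib, tunnel_dst) == tunnel_if

# Constructed sample data (hypothetical names and documentation addresses).
TUNNEL_IF = "Tunnel0"
TUNNEL_DST = "192.0.2.1"             # far-end GRE endpoint

UNDERLAY = [
    {"prefix": "10.0.0.0/30", "out_if": "Vlan10"},   # connected uplink
    {"prefix": "0.0.0.0/0", "via": "10.0.0.1"},      # default route only
]
# Route that arrives once the tunnel is up and happens to cover the endpoint.
LEARNED_OVER_TUNNEL = [{"prefix": "192.0.2.0/24", "out_if": "Tunnel0"}]
# More specific route to the endpoint via the physical next hop.
HOST_ROUTE = [{"prefix": "192.0.2.1/32", "via": "10.0.0.1"}]

def scenarios():
    """Evaluate the endpoint lookup for each stage of the routing table."""
    stages = {
        "default_only": UNDERLAY,
        "after_tunnel_routes": UNDERLAY + LEARNED_OVER_TUNNEL,
        "with_host_route": UNDERLAY + LEARNED_OVER_TUNNEL + HOST_ROUTE,
    }
    return {name: tunnel_is_recursive(rib, TUNNEL_IF, TUNNEL_DST)
            for name, rib in stages.items()}

if __name__ == "__main__":
    for name, recursive in scenarios().items():
        print(f"{name}: endpoint via tunnel = {recursive}")
```
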

Similar Messages

  • GRE over MPLS not working...

    Hi
    I've a GRE tunnel configured between a CE and a PE.
    I guess the problem is on the PE side, this is my config:
    interface Loopback99
    ip vrf forwarding dar
    ip address 99.99.99.99 255.255.255.255
    interface Tunnel199
    ip vrf forwarding dar
    ip address 11.11.11.1 255.255.255.252
    ip policy route-map dfbit
    tunnel source Loopback99
    tunnel destination 88.88.88.88
    tunnel path-mtu-discovery
    Everything is reachable between PE and CE, but on the tunnel interface I wasn't able to find out the "tunnel vrf dar" command...
    I've a Cisco 7206VXR (164 ram and 128 flash) and on the software feature navigator I wasn't able to find out an IOS that supports it.
    Can anybody tell me why?
    Tks
    Ric

    Riccardo,
    This feature is available starting with 12.3(2)T.
    Regards

  • GRE function over MPLS

    Hello,
    Has anyone here implemented "GRE function over MPLS"?
    Would it be possible to point to some links discussing advantages/disadvantages and some design aspects of the same?
    Thanks
    Cheers,
    ~sultan

    Hello Harold,
    Thanks for replying, actually just thought about it, considering the existing customer (P2M) who's running GRE on IPLC links, they want to continue the same after migrating to MPLS, just curious to know whether this implementation has been implemented by anyone and whether it could be improved further.
    Thanks
    Cheers,
    ~sultan

  • When do I have to use a GRE over IPsec tunnel? I have heard that when I'm using a routing protocol and VPN site to site I need a GRE tunnel

    I have configured a network with OSPF and a VPN site to site without a GRE tunnel and it works very well. I want to know, when do I have to use a GRE tunnel over IPsec?

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • Ask the Expert:Concepts, Configuration and Troubleshooting Layer 2 MPLS VPN – Any Transport over MPLS (AToM)

    With Vignesh R. P.
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the concept, configuration and troubleshooting of Layer 2 MPLS VPN - Any Transport over MPLS (AToM) with Vignesh R. P.
    Cisco Any Transport over MPLS (AToM) is a solution for transporting Layer 2 packets over an MPLS backbone. It enables Service Providers to supply connectivity between customer sites with existing data link layer (Layer 2) networks via a single, integrated, packet-based network infrastructure: a Cisco MPLS network. Instead of using separate networks with network management environments, service providers can deliver Layer 2 connections over an MPLS backbone. AToM provides a common framework to encapsulate and transport supported Layer 2 traffic types over an MPLS network core.
    Vignesh R. P. is a customer support engineer in the Cisco High Touch Technical Support center in Bangalore, India, supporting Cisco's major service provider customers in routing and MPLS technologies. His areas of expertise include routing, switching, and MPLS. Previously at Cisco he worked as a network consulting engineer for enterprise customers. He has been in the networking industry for 8 years and holds CCIE certification in the Routing & Switching and Service Provider tracks.
    Remember to use the rating system to let Vignesh know if you have received an adequate response.
    Vignesh might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Service Provider sub-community discussion forum shortly after the event. This event lasts through September 21, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    Hi Tenaro,
    AToM stands for Any Transport over MPLS and it is Cisco's terminology used for Layer 2 MPLS VPN or Virtual Private Wire Service. It is basically a Layer 2 Point-to-Point Service. AToM basically supports various Layer 2 protocols like Ethernet, HDLC, PPP, ATM and Frame Relay.
    The customer routers interconnect with the service provider routers at Layer 2. AToM eliminates the need for the legacy network from the service provider carrying these kinds of traffic and integrates this service into the MPLS network that already transports the MPLS VPN traffic.
    AToM is an open standards-based architecture that uses the label switching architecture of MPLS and can be integrated into any network that is running MPLS. The advantage to the customer is that they do not need to change anything. Their routers that are connecting to the service provider routers can still use the same Layer 2 encapsulation type as before and do not need to run an IP routing protocol to the provider edge routers as in the MPLS VPN solution.
    The service provider does not need to change anything on the provider (P) routers in the core of the MPLS network. The intelligence to support AToM sits entirely on the PE routers. The core label switching routers (LSRs) only switch labeled packets, whereas the edge LSRs impose and dispose of labels on the Layer 2 frames.
    Whereas pseudowire is a connection between the PE routers and emulates a wire that is carrying Layer 2 frames. Pseudowires use tunneling. The Layer 2 frames are encapsulated into a labeled (MPLS) packet. The result is that the specific Layer 2 service—its operation and characteristics—is emulated across a Packet Switched Network.
    Another technology that more or less achieves the result of AToM is L2TPV3. In the case of L2TPV3 Layer 2 frames are encapsulated into an IP packet instead of a labelled MPLS packet.
    Hope the above explanation helps you. Kindly revert in case further clarification is required.
    Thanks & Regards,
    Vignesh R P

  • DMVPN GRE over IPSEC Packet loss

    I have a hub and spoke DMVPN GRE over IPSec topology. We have many sites, over 10, and have a problem on one particular site, just one. First off I want to say that I have replaced the Router and I get the same exact errors. By monitoring the Terminal, I regularly get these messages
    %VPN_HW-1-PACKET_ERROR: slot: 0 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.X.X.X,dstadr=10.X.X.X,size=616,handle=0x581A
    %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=1
    The tunnel is up, passes data, and always stays up. This router is a Spoke router. The routing protocol being used is EIGRP. When I do a
    Show Crypto isakmp sa, it shows the state as being "QM_IDLE" which means it is up.
    When I use the "Show Crypto Engine accelerator stat" this is what I get (Attached File)
    You can see that there are ppq rx errors, authentication errors, invalid packets, and packets dropped. I know this is not due to mis-configuration because the config is the same exact as other sites that I have which never have any problems. Here is the tunnel interface and the tunnel source interface on the Spoke Router
    interface Tunnel111
    description **DPN VPN**
    bandwidth 1000
    ip address 172.31.111.107 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1300
    ip pim sparse-dense-mode
    ip nhrp authentication XXXX
    ip nhrp map multicast dynamic
    ip nhrp map multicast X.X.X.X
    ip nhrp map X.X.X.X X.X.X.X
    ip nhrp network-id 100002
    ip nhrp holdtime 360
    ip nhrp nhs 172.31.111.254
    ip route-cache flow
    ip tcp adjust-mss 1260
    ip summary-address eigrp 100 10.X.X.X 255.255.0.0 5
    qos pre-classify
    tunnel source GigabitEthernet0/0
    tunnel mode gre multipoint
    tunnel key XXXX
    tunnel protection ipsec profile X.X.X.X
    interface GigabitEthernet0/0
    description **TO DPNVPN**
    ip address 10.X.X.X 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip pim sparse-dense-mode
    ip virtual-reassembly
    duplex full
    speed 100
    no snmp trap link-status
    no mop enabled
    Is there anything that you can think of that may be causing this? Do you think this can be a layer one or two issue? Thanks
    Brenden

    Have you tried turning off the hardware encryption (no crypto engine accelerator) just to see if it's better? But be careful, because your CPU% will run much higher, but you only have 10 spoke sites, so it won't be at 100%.
    It's better to start troubleshooting at layer 1 then layer 2 when it's possible. Have you asked the site's ISP about packet loss on their side?

  • How to provide redundancy for VRF MGMT with the help of BGP over MPLS (MPBGP)

    Hi,
    Please find the Network Topology.
    This is one remote site, managed by the Mgmt office.
    All devices on the remote site are accessed by the MGMT office. My organisation seeks redundancy for managing devices.
    My administration is from MGW to R1. I am new to MPLS.
    As you can see in the diagram, R1 has 3 VRFs (Voice, Signal and MGMT). Currently I have a primary link over which we are running MPBGP.
    Traffic from these VRFs goes to this primary link. Currently the secondary link is not connected.
    Now my organisation has proposed the secondary link, and they want only traffic from VRF MGMT to go through MPLS RTR R2 (the secondary link) when the mgmt routes are not learned from MPLS RTR R1 (connected to SP1).
    Current R1 config
    There is IBGP between R1 and both MPLS RTRs.
    BGP Config
    router bgp 64513
      synchronization disable
      neighbor 10.36.150.1 remote-as 64513
      neighbor 10.36.150.1 activate
      neighbor 10.36.150.1 update-source loopback1
      address-family ipv4 vrf signalling
        redistribute connected
        redistribute static
      $
      address-family ipv4 vrf voice
        redistribute connected
        redistribute static
      $
      address-family ipv4 vrf OAM-T
        redistribute connected
        redistribute static
      $
      address-family vpnv4
        neighbor 10.36.150.1 activate
        neighbor 10.36.150.1 send-community
      $
    !<ospfv2>
    router ospf 100
      interface gei-3/3
        network point-to-point
      $
      network 10.36.150.49 0.0.0.0 area 0.0.0.0  --- loopback ip (Configured)
      network 10.36.149.60 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R1.(Configured)
    network 10.36.149.64 0.0.0.3 area 0.0.0.0 ---- p2p ip bet R1 and MPLS R2. ----------  (till now not configured as secondary link is not connected)
    router-id 10.36.150.49
    So what configuration needs to be done at R1 to achieve the redundancy for the MGMT VRF?
    If possible, please reply with a sample configuration.
    or
    In the MPBGP protocol, where will I apply a routing policy to apply AS-path prepend so that the route would be secondary to the neighbor?
    IGP-OSPF and BGP over MPLS are running.
    On which address-family neighbor should I apply it: VPNV4, IPV4 or IPV4 VRF?
    If I want the 10.36.128.0/26 prefix to go to neighbor MPLS R2, what should I use, an access-list or a prefix list?
    Please provide the reply with its config.
    thanks in advance,
    Regards,
    Ajay
    Message was edited by: Ajaykumar yadav


  • Point to Multipoint L2VPN trunks over MPLS

    Can we have a trunk between more than 2 CEs over MPLS? In short, we are looking for point-to-multipoint MPLS L2 VPN where more than 2 CEs will share a common Ethernet segment over MPLS to share the VLAN database.
    Let me give more info about the solution which we are trying to find.
    CE1, CE2, CE3 & CE4 are the core switches at their respective locations; we are looking for the same VLAN database between these core switches over MPLS.
    CE1 will be connected to PE1
    CE2 will be connected to PE2
    CE3 will be connected to PE3
    CE4 will be connected to PE4
    So can we have the L2 VPN between CE1, CE2, CE3 & CE4 where the interfaces connected to the respective PEs will be TRUNK?

    Hi
    Thanks for the PDF. I had tried VPLS earlier. The circuits are coming up but I am not able to ping between the CEs' VLAN IP addresses although the VCs are up.
    PE end config
    interface GigabitEthernet1/35
    description L2 Connectivity to KBL039SW1 (TEMP)
    switchport
    switchport access vlan 100
    switchport mode dot1q-tunnel
    l2protocol-tunnel cdp
    CE-1 end config
    interface FastEthernet1/0/48
    switchport trunk encapsulation dot1q
    switchport mode trunk
    end
    int vlan 100
    ip address 10.10.10.1 255.255.255.0
    The other end's VLAN 100 IP address is 10.10.10.2 but I am not able to ping this IP address from CE-1.
    Any guess what could be the problem?

  • FR over MPLS

    Dears,
    Hope you can support me in understanding the following:
    I have the following topology:
    Now I need CE1 and CE2 to communicate with CE3 (CE3 is connected to MPLS through Ethernet) over the MPLS cloud. Be aware that the MPLS cloud is working perfectly, but I am stuck on how to make CE1 and CE2 connect to the customer VRF on the PE router through the FR switch.
    Please, I need your support.
    Thanks in advance

    Check whether you have enabled IP CEF.
    ip cef distributed !
    CEF switching is pre-requisite for label Switching frame-relay switching
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_configuration_guide_chapter09186a00800ca6ce.html

  • GRE over EasyVPN

    I have a PIX 501 connecting to a VPN Concentrator via EasyVPN. That connection works fine, now I want to add a router running GRE.
    I cannot get my GRE tunnels to come up. I have added the fixup pptp command and a static translation, translating the Easy VPN obtained address to the router's inside address; however, nothing seems to be working… Any suggestions? Can anyone confirm that you can run GRE over Easy VPN?

    I think if you are doing NEM mode then you should be able to do GRE over IPsec.
    But when EasyVPN is in "client mode", all networks from the remote site get PAT'ed before they are sent through IPsec. Therefore it may not work.
    The GRE tunnel destination should be reachable for the GRE tunnel to work; therefore, in client mode the PAT can hide the tunnel source address of the remote site.
    Check what mode EasyVPN is in.
    HTH
    Saju
    Pls rate helpful posts

  • VoIP, Video Polycom over MPLS

    Hi
    Is anyone using Polycom video and VoIP over MPLS? We have around 5 offices and they want to use Polycom video over MPLS. If someone can provide pros and cons for that and any document or link, I would much appreciate it. Thanks in advance.
    Sai

    I haven't done Polycom over MPLS
    but I would like to give you hints to consider.
    The first thing you need to know from the ISP is what CoS they put in as priority, how many CoS they provide you based on the SLA, and at how much max traffic they start to drop traffic.
    The other thing is to know how the Polycom marks the traffic; you need to classify it and put it in the proper class based on the classes provided by the MPLS ISP.
    Good luck
    and hope this is helpful

  • Cell-relay over MPLS using MGX 8850

    We have an existing ATM network using TDM links between MGX 8850 & have PVCs for voice & data traffic. We are planning to migrate the same over an MPLS network.
    Following is the setup.
    MGX1----> PE1 ------>MPLS Cloud ------> PE2 ---->MGX2
    As per this plan we will terminate existing TDM trunks to PE routers at both ends & map VPI/VCI values at the PE routers for virtual ATM PVCs over the MPLS cloud. We are using cell-relay over MPLS with VC mode. My query is, can we enable MPLS L3 & L2 on the same last mile in this scenario? We want to have one IP over ATM interface on the same ATM interface at the PE router & make that part of a VRF & enable L3 MPLS VPN between all the sites for any to any data transfer. For data we don't want to use L2 MPLS as it's any to any & it will end up with too many ATM PVCs.
    In this setup PE router & MGX will be configured in NNI-NNI at both end. If we want to create one sub-interface at same ATM interface at PE router end, then that port need to be in UNI. Is it possible to use same ATM trunk port as NNI & UNI?
    In MGX 8850 we have RPM,AXSM & VISM modules.

    The following document should give you some idea:
    http://www.cisco.com/en/US/products/hw/modules/ps2797/products_module_installation_guide_chapter09186a0080086f9a.html

  • Secondary Site SRST over MPLS

    My company has IPT in our HQ. We have a secondary mfg location in the next town that is connected via a point-2-point T1, and we run VoIP over it. We have a PRI for PSTN access at the HQ. The 2nd location had POTS access until someone canceled them feeling they were unnecessary (pros and cons for that) At both locations we have SRST on a 1760-V.
    Our location in CA (HQ is in WI) currently has its own PBX which is dying. I wish to roll out VoIP to it over MPLS, which I would then replace the P2P T1 and put it in the MPLS cloud too. I plan NOT to add a voice gateway at the CA location and just put a switch out there and route all calls through WI (Leaving a POTS line for fax and 911).
    Management only worry is if the phones go out at the HQ, CA will be stranded. I said SRST would kick in and maintain call processing, until the batteries ran out. Only THEN everything would be down. (The other scenario would be the HQ building is compromised somehow).
    Is it possible if a DR plan is in place that if an extended power loss occurs, or the HQ building is destroyed, that call routing could be established through our secondary location; since everything is connected via MPLS? I know POTS lines would need to be reestablished, but could the second WI location run SRST for the CA site?

    I am not asking how to do it, just if it is possible down the road some time. This could sell the plan to management if it is possible.

  • Sample Configuration For Ethernet over MPLS.

    I am looking for a sample configuration and scenario for Ethernet over MPLS. I would appreciate some explanation with it. How is LDP configured for the directed sessions (as per the Martini draft) and the auto-discovery (as per the Kompella draft) with respect to Ethernet over MPLS? Can anyone help me with this?

    Here's a sample EoMPLS configuration on the PE routers:
    R1:
    interface Loopback0
    ip address 1.1.1.1 255.255.255.255
    interface Ethernet0/0.10
    encapsulation dot1Q 10
    ! 10 = vcid must match the vcid configured on the other side
    mpls l2transport route 2.2.2.2 10
    R2:
    interface Loopback0
    ip address 2.2.2.2 255.255.255.255
    interface Ethernet0/0.10
    encapsulation dot1Q 10
    mpls l2transport route 1.1.1.1 10
    The LDP directed session will be set up automatically by the router when the xconnect statement is configured.
    Cisco IOS doesn't support the Kompella Draft.
    For more information, see the following URL:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/atomt/ftatomtb.htm
    Hope this helps,

  • Ethernet over MPLS/VPLS

    Hi,
    I would appreciate it if you could answer my following questions:
    - As you know, EoMPLS is based on physical port, but how about VPLS?
    - Could you tell me the minimum router which supports VPLS?
    - Are there any other solutions for transferring Ethernet frames over MPLS except VPLS and EoMPLS?
    - I think VPLS is better than EoMPLS because it supports multipoint to multipoint; is that true? Could you please tell me VPLS advantages and disadvantages?
    Regards,
    M.Arshad rad

    Ehlo ,
    1) EoMPLS is available in port and VLAN mode. Since VPLS
    is actually using Martini encapsulations (both Lasserre and Kompella), it is possible to use raw and tagged modes.
    2) IMHO the only Cisco router that supports VPLS now is the 7600. Additionally, a VFI can only be assigned to an SVI.
    3) Juniper CCC (RSVP based) - but obviously you won't use it since it's proprietary (nevertheless it has nice features like LSP stitching) and IOS couldn't signal it.
    4) VPLS is designed to support p-to-mp and therefore
    it's more complex. If you don't need its features you can stick with raw p2p Martini, which is relatively simple and widely implemented (no problem, for example, to configure it between IOS and JunOS boxes).
    pm
