Gre tunnel over 2 mpls routers

I have 2 sites and the voice server is in site A and Site B are the remote phones . Right now voice vlan go over the DMVPN we are facing some degraded performance and decided to move voice traffic to mpls . 
We need to carry the multicast traffic as well which is not supported over our MPLS circuit. I have no idea why provider is not supporting multicast traffic over mpls circuit.
So we decided to create GRE tunnels to carry multicast traffic over MPLS .We have L3 switches on both sites Site A cisco 4500 and Site B cisco 3850  . and MPLS connectivity is reachable upto L3 core switches. With 3850 we had issue to create tunnels and i have upgraded the IOS after upgrading i came to know no more tunnels are supported on 3850. So cannot have Gre tunnel between our L3 switches over the MPLS.
My Question is can i ask the MPLS provider to setup tunnels on their routers which they are ready to help and point the static routes for voice vlan towards gre tunnels over mpls . 
Can you advise any other solution or does this solution would work.?

Aneesh,
Lost of connectivity between the two PEs would indeed cause the GRE tunnel interface to go down, assuming that you configure tunnel keepalives as follow:
int tu0
keepalive
Regards

Similar Messages

  • Tcp mss adjust calculation for GRE tunnel over DSL line

    hi guys,
    need your advice on this one, as i search on cisco.com and netpro but unable to find the exact info that i required.
    First, can anyone confirm the following calculation to find out MSS size.
    Mss size = MTU size - encapsulation size - tcp header size
    So for normal case;
    MSS = 1500 - 48 (48 is the tcp/ip header)
    so MSS = 1452
    Thus in my case GRE tunnel over DSL connection;
    MSS = 1492 - 24 - 48 (24 is the GRE encap; 48 is the tcp/ip header)
    MSS = 1420
    is this correct?
    Secondly, where should the ip tcp mss-adjust to be implemented. Is it at the Dialer(DSL) interface or at Tunnel interface?

    I don't use the math (it doesn't work for me probably b/c I miss something). Here's how I do it-
    C:\>ping 10.125.0.250 -f -l 1600
    Pinging 10.125.0.250 with 1600 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1500
    Pinging 10.125.0.250 with 1500 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1400
    Pinging 10.125.0.250 with 1400 bytes of data:
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1400 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 19ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1450
    Pinging 10.125.0.250 with 1450 bytes of data:
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1450 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 20ms, Average = 19ms
    C:\>ping 10.125.0.250 -f -l 1475
    Pinging 10.125.0.250 with 1475 bytes of data:
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Packet needs to be fragmented but DF set.
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
    C:\>ping 10.125.0.250 -f -l 1470
    Pinging 10.125.0.250 with 1470 bytes of data:
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=22ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=20ms TTL=251
    Reply from 10.125.0.250: bytes=1470 time=19ms TTL=251
    Ping statistics for 10.125.0.250:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 19ms, Maximum = 22ms, Average = 20ms
    C:\>
    1470 works and has a little bit of extra room. The tcp mss-adjust should be done on the LAN interface.
    Hope it helps.

  • GRE function over MPLS

    Hello,
    Has anyone here implemented "GRE function over MPLS"?
    Would it be possible to point to some links discussing advantages/disadvantages and some design aspects of the same?
    Thanks
    Cheers,
    ~sultan

    Hello Harold,
    Thanks for replying, actually just thought about it, considering the existing customer (P2M) who's running GRE on IPLC links, they want to continue the same after migrating to MPLS, just curios to know whether this implementation has been implemented by anyone and whether it could be improved further.
    Thanks
    Cheers,
    ~sultan

  • GRE over MPLS

    Hello people,
    im facing  problem trying to establish a GRE tunnel over  mpls. The topology goes as follows:
    (server) ----CE1(6500)-----PE1(6500)----vrf cloud-----CE2(6500)--FW
    -server needs to establish a gre tunnel with FW.
    -server receives a default route from CE1 via OSPF.
    -CE1 has an default static route pointing to the next hop which is an interface VLAN (in a vrf)  on PE1.
    - PE1 receives a default route generated by CE2 (via mpbgp).
    In this situation the GRE tunnel wouldnt come up.The only way i got the GRE to work was replacing the default static route on CE1 with a more specific static route.
    On both cases (default AND specific static routes) the connectivity(ping)  from end to end was there.
    Has anybody seen anything alike?
    thanks,
    Bruno

    You could be looking at some recursive routing throug the GRE interface, so the second it comes up it will try to put the GRE packets through the GRE tunnel, this creating a loop. Are you using a dynamic routing protocol to get network info over the GRE tunnel or a static route if so, how is it setup ?

  • Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

    Hello,
    We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
    We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
    Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
    Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
    Questions:
    Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
    If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
    In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
    I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
    Please help.
    Thanks in advance,
    Nick

    We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
    If there are other suggestions, please advise.
    Thanks,
    Nick

  • When do i have to use a gre over ipsec tunnel? i have heard that when i m using a routing protocol and vpn site to site i need a gre tunnel

    i have configured a network with ospf and a vpn site to site without gre tunnel and it works very well. I want to know, when do i have to use gre tunnel over ipsec

    Jose,
    It sounds like you currently have an IPsec Virtual Tunnel Interface (VTI) configured. By this, I mean that you have a Tunnel interface running in "tunnel mode ipsec ipv4" rather than having a crypto map applied to a physical interface. In the days before VTIs, it was necessary to configure GRE over IPsec in order to pass certain types of traffic across an encrypted channel. When using pure IPsec with crypto maps, you cannot pass multicast traffic without implementing GRE over IPsec. Today, IPsec VTIs and GRE over IPsec accomplish what is effectively the same thing with a few exceptions. For example, by using GRE over IPsec, you can configure multiple tunnels between two peers by means of tunnels keys, pass many more types of traffic rather than IP unicast and multicast (such as NHRP as utilized by DMVPN), and you can also configure multipoint GRE tunnels whereas VTIs are point to point.
    Here's a document which discusses VTIs in more depth: http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnips/configuration/xe-3s/sec-sec-for-vpns-w-ipsec-xe-3s-book/sec-ipsec-virt-tunnl.html#GUID-A568DA9D-56CF-47C4-A866-B605804179E1
    HTH,
    Frank

  • How to setup GRE tunnel on a 3005

    Does the vpn3005 support GRE tunnels and how do I configure it? Reference paper will be fine.
    Thanks
    /Bent

    Yes, VPN 3005 concentrator should support GRE tunnels. Here are some configuration examples for the same.
    Configuring a GRE Tunnel over IPSec with OSPF
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml.
    For more such examples please refer to:
    http://www.cisco.com/en/US/tech/tk583/tk372/tech_configuration_examples_list.html

  • L2TPv3 over MPLS

    Hi folks,
    I've to implement two L2TPv3 tunnels over MPLS backbone, primary and backup. I'm thinking about L2 pseudowires, but my question is: with 2 pseudowires, how could I do, if possible, to create a primary and a backup tunnel? Something like FRR?
    I've found in a recent post a configuration for two tunnels:
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=WAN%2C%20Routing%20and%20Switching&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddda49d
    but no idea about how to implement a fault tolerance solution.
    Any advice will be appreciated
    Thanks
    Andrea

    Andrea,
    I think I understand where my confusion comes from. You are using L2TPv3 in a context of VPDN rather than using it as a transport a pseudowire, right?
    In this case the L2TPv3 session could just be routed as IP traffic through the core. Or if you want to use pseudowires through the core, it would certainly be possible to use MPLS for this purpose.
    Let me know if that helps,

  • MPLS over GRE Tunnel

    Hi,
    Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
    thanx and regards,
    Shakeel Ahmad

    I have a problem with MPLS over GRE. When i try to apply a policy to shape the traffic it seems that the default-class dosent see the mpls packets.
    Im trying to shape the traffic to 256k but it seems that the shaping never are activated.
    Anyone have any idea how to solve this?
    Example:
    class-map match-all PING
    match access-group 171
    policy-map class-default
    class PING
    bandwidth percent 15
    policy-map PING
    class class-default
    shape average 256000
    service-policy class-default
    INterfacexx
    service-policy output PING
    access-list 171 permit icmp any any

  • IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

    >>both routers are located in different countries and connected with ISP
    >>IPsec over GRE tunnel is configured on both the routers 
    >>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
    >>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
    >>ISP is not finding any issue with their end 
    >>Please guide me how i can fix this issue and what need to be check on this ????
    ========================
    Router_1#sh run int Tunnel20
    Building configuration...
    Current configuration : 272 bytes
    interface Tunnel20
     bandwidth 2048
     ip address 3.85.129.141 255.255.255.252
     ip mtu 1412
     ip flow ingress
     delay 1
     cdp enable
     tunnel source GigabitEthernet0/0/3
     tunnel destination 109.224.62.26
    end
    ===================
    Router_1#sh int Tunnel20
    Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
      Hardware is Tunnel
      Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
      Internet address is 3.85.129.141/30
      MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
       Tunnel Subblocks:
          src-track:
             Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
              Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 14w4d, output hang never
      Last clearing of "show interface" counters 2y5w
      Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      5 minute input rate 0 bits/sec, 0 packets/sec
      5 minute output rate 0 bits/sec, 0 packets/sec
         1565172427 packets input, 363833090294 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1778491917 packets output, 1555959948508 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
    Packet sent with a source address of 195.27.20.14
    Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
    Router_1#
    ============================================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
    Router_1#sh clock
    15:09:45.421 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_1#sh cry ip sa pe 109.224.62.26 | in caps
        #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
        #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
    Router_1#sh clock
    15:11:36.476 UTC Thu Dec 25 2014
    Router_1#
    ===================
    Router_2#sh run int Tu1
    Building configuration...
    Current configuration : 269 bytes
    interface Tunnel1
     bandwidth 2000
     ip address 3.85.129.142 255.255.255.252
     ip mtu 1412
     ip flow ingress
     load-interval 30
     keepalive 10 3
     cdp enable
     tunnel source GigabitEthernet0/0
     tunnel destination 195.27.20.14
    end
    Router_2#
    =======================
    Router_2#sh run | sec cry
    crypto isakmp policy 10
     authentication pre-share
    crypto isakmp key Router_2 address 195.27.20.14
    crypto isakmp key Router_2 address 194.9.241.8
    crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
     mode transport
    crypto map <Deleted> 10 ipsec-isakmp
     set peer 195.27.20.14
     set transform-set ge3vpn
     match address Router_2
    crypto map <Deleted> 20 ipsec-isakmp
     set peer 194.9.241.8
     set transform-set ge3vpn
     match address Router_1
     crypto map <Deleted>
    Router_2#
    ====================================
    Router_2#sh cry ip sa pe 195.27.20.14 | in caps
        #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
        #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
    Router_2#sh clock
    .15:10:33.296 UTC Thu Dec 25 2014
    Router_2#
    ========================
    Router_2#sh int Tu1
    Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
      Hardware is Tunnel
      Internet address is 3.85.129.142/30
      MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive set (10 sec), retries 3
      Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
       Tunnel Subblocks:
          src-track:
             Tunnel1 source tracking subblock associated with GigabitEthernet0/0
              Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
      Tunnel protocol/transport GRE/IP
        Key disabled, sequencing disabled
        Checksumming of packets disabled
      Tunnel TTL 255, Fast tunneling enabled
      Tunnel transport MTU 1476 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 1w6d, output 00:00:02, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         1881547260 packets input, 956465296 bytes, 0 no buffer
         Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1705198723 packets output, 2654132592 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    =============================
    Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
    Type escape sequence to abort.
    Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
    Packet sent with a source address of 109.224.62.26
    Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
    Router_2#
    =========================

    Hello.
    First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
    Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
    Please provide full output "show crypto ipsec sa"
     from both sides.

  • Bridging over GRE tunnel

    Dear expert,
    Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
    --ran

    It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
    Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
    Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
    1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
    2. Create bridge:
    router(config)#bridge 1 protocol ieee
    3. Create a GRE tunnel interface (dont configure IP's):
    router(config)# interface tun0
    router(config-if)# tun source loopback x
    router(config-if)# tun destination <other router loopback ip>
    router(config-if)# bridge-group 1
    **This is a hidden cmd. You will get a warning message, but ignore it**
    3. Attach Physical Interface to Bridge as well:
    router(config)# interface Fa0/0
    router(config-if)# bridge-group 1
    4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
    You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
    Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
    HTH

  • URGENT - tag-switching over gre-tunnel - how ??

    hi,
    my problem is that i want to connect two pe-router
    over a gre-tunnel.
    this is because between the two pe´s i unfortunatly have two cisco828 router as modemrouter inbetween which do no tag-switching.
    so i decided to use a gre tunnel between the two pe´s to do tag-switching.
    but if i want to forward packets greater than 1492 bytes and the df-bit is set - no chance.
    here is the figure and config of the two tunnels:
    c3640 - c828 -LINE- c828 - c3640
    <==========TUNNEL===============>
    first c3640:
    interface Tunnel65052
    description PE-PE Verbdg. Hoersching-Pasching
    ip unnumbered Loopback0
    ip mtu 1512
    load-interval 30
    tag-switching mtu 1512
    tag-switching ip
    keepalive 10 3
    tunnel source 10.20.192.3
    tunnel destination 10.20.192.6
    second c3640:
    interface Tunnel65052
    description PE-PE Verbdg. Hoersching-Pasching
    ip unnumbered Loopback0
    ip mtu 1512
    load-interval 30
    tag-switching mtu 1512
    tag-switching ip
    keepalive 10 3
    tunnel source 10.20.192.6
    tunnel destination 10.20.192.3
    on the 828 router i did no adjustment of mtu !
    if i do a ping:
    r-enns1#pi vrf lkg 172.16.169.121 size 1492 df
    Type escape sequence to abort.
    Sending 5, 1492-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
    Packet sent with the DF bit set
    Success rate is 100 percent (5/5), round-trip min/avg/max = 208/211/212 ms
    r-enns1#
    r-enns1#
    r-enns1#
    r-enns1#
    r-enns1#pi vrf lkg 172.16.169.121 size 1493 df
    Type escape sequence to abort.
    Sending 5, 1493-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
    Packet sent with the DF bit set
    M.M.M
    Success rate is 0 percent (0/5)
    r-enns1#
    please help - thanks

    Here's at least two options you could try:
    1) Lower the MTU on the tunnel-interface and let PMTU on the endpoints take care of the fragmentation. This could have some serious implications all depending on the systems and applications/protocols used on the network, but in most cases it'll work just fine.
    2) Simply remove the DF-bit on incoming packets to the router and lower the MTU on the tunnel-interface and let the router do fragmentation regardless of what the endpoints says. Since you have a 3640 on each end and 828's in the middle, I think it should be capable of this..
    You should do a MSS-modification as well in both cases.
    Change the MTU like this:
    interface Tunnel65052
    ip mtu 1488
    tag-switching mtu 1500
    Then you have set all IP-packets to maximum 1488 bytes (including headers) and let there be room for 3 MPLS labels...
    At least I think it should behave like this... please don't kill me if i'm wrong.. :)
    Remove the DF-bit with route-map's on the inside interfaces:
    interface FastEthernet1/0.100
    description inside interface
    ip policy route-map clear-df
    ip tcp adjust-mss 1424
    route-map clear-df permit 10
    set ip df 0

  • SNA tunnel over GRE tunnel

    Is it possible?.
    Configure SNA tunnel over GRE tunnel

    To my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.

  • GRE over MPLS not working...

    Hi
    I've a GRE tunnel configured between a CE and a PE.
    I guess the problem is on the PE side, this is my config:
    interface Loopback99
    ip vrf forwarding dar
    ip address 99.99.99.99 255.255.255.255
    interface Tunnel199
    ip vrf forwarding dar
    ip address 11.11.11.1 255.255.255.252
    ip policy route-map dfbit
    tunnel source Loopback99
    tunnel destination 88.88.88.88
    tunnel path-mtu-discovery
    Everything is reachable between PE and CE, but on the tunnel interface I wasn't able to find out the "tunnel vrf dar" command...
    I've a Cisco 7206VXR (164 ram and 128 flash) and on the software feature navigator I wasn't able to find out an IOS support it..
    Can anybody tell me why ?
    Tks
    Ric

    Riccardo,
    This feature is available starting with 12.3(2)T.
    Regards

  • FlexVPN over MPLS with NAT

    HI There,
    I was wondering if an expert on FlexVPN would be able to comment on this..
    I am looking to use FlexVPN hub and spoke deployment using the FLEXoMPLS feature... So I will have hub routers connected to remote routers via IPSec/GRE tunnels. This enables VRFs at hub and spokes to be joined via MPLS point-to-point link.
    Can someone please confirm if it would be possible to NAT at the remote site with the VRF interface being on the inside and the IPSec/GRE tunnel in the global VRF on the outside??
    Thanks in advance.
    Lee.

    Well thanks for all the help but I am not going to be able to use this method, I am not going to be able to connect a cable at all the sites, I don't know If I can just wire an RJ-45 as a loopback plug maybe but still not a good method. Also when I reconfigure my linux box with both the networks it does not add the second network and I loose ASDM, I guess I shouldnt have changed the management interface. Is there any other method, what I was wondering does it send the syslog with the asa outside interface IP to the remote syslog IP, if so can or would a NAT static with the orig. working on the outside with the asa IP and the dest of the syslog translating to a single IP on the VPN network back on the outside interface... seems like a simple thing to ask to do, I kind of understand what is going on but seems there needs to be a check box to say this syslog server is over a vpn and it takes care of all the magic.

Maybe you are looking for