MPLS over GRE sample config....

Similar Messages

• MPLS over GRE Tunnel

  Hi,
  Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
  thanx and regards,
  Shakeel Ahmad

  I have a problem with MPLS over GRE. When i try to apply a policy to shape the traffic it seems that the default-class dosent see the mpls packets.
  Im trying to shape the traffic to 256k but it seems that the shaping never are activated.
  Anyone have any idea how to solve this?
  Example:
  class-map match-all PING
  match access-group 171
  policy-map class-default
  class PING
  bandwidth percent 15
  policy-map PING
  class class-default
  shape average 256000
  service-policy class-default
  INterfacexx
  service-policy output PING
  access-list 171 permit icmp any any

• Sup32 and mpls over gre

  does sup32 on 7600 router support mpls over gre, my uplinks
  to the core are connected via sup32?

  Hello Atif,
  in the following link the datasheet of sup32
  http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/product_data_sheet0900aecd801c5cab_ps368_Products_Data_Sheet.html
  table1 contains the following:
  Hardware-enabled MPLS-Enables use of VPNs and Layer 2 tunneling while improving traffic engineering for QoS and adding multiprotocol support
  • Hardware-enabled IPv6-Expands available IP addresses, enabling better address allocation and address aggregation and supporting greater end-to-end connectivity and services
  • Hardware-enabled GRE tunnels for IP traffic
  be aware that performances are limited in comparison to sup720 as it is shown in table2.
  Hope to help
  Giuseppe

• MPLS over GRE tunnles

  HI : Are there any MTU issues of running MPLS over GRE tunnels??
  what will be the MTU size ?
  thnak you

  GRE has an overhead of 24 bytes, and can directly interfere with the MPLS overhead. The MTU associated with an MPLS packet is broken down like so:
  Ethernet Payload - 1500
  802.1q header - 18
  AToM Header - 4 (Required for ATM and FR only)
  AToM Label - 4
  LDP Label - 4
  TE Label - 4
  MPLS Fast Reroute - 4
  Total = 1538
  Granted, you may not configure all of those features above into your MPLS network, this is a good baseline to use for the MPLS MTU. You need to configure the core network to accept an MTU of at least 1538 bytes, without GRE.
  You need to ensure that your GRE tunnels can support an MTU greater than 1562 if you plan to implement additional MPLS features like TE and AToM.

• MPLS over GRE Support (Platform)

  Hello,
  I am looking to run MPLS over GRE (over the Public Internet) probably with IPSec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality... 
  I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering if we added the VSA encryption module (C7200-VSA=) would be enough to get a reliable MPLS over GRE tunnel functionality. 
  The tunnel with Encryption would ideally support up to 500Mbps. 
  My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar) but again CFN is unclear if the ASR100x platform is capable of delivering MPLS over GRE + IPSec.
  Thanks,

  MPLS over GRE is not supported in Hardware for sup720. This is a PFC3 hardware limitation. Your options would be to use SPA-400 or Enhanced FlexWan.

• MPLS over non-MPLS network

  A Chairde,
  I am nearly sure the answer is no, but will ask anyway.
  I want to connect two private networks over a corporate WAN , and am looking to keep the router traffic (BGP) and routing traffic under control.
  I only have control of the two lab routers, the routers in middle are controlled by IT dept. , is there anyway of setting up MPLS with this scenario ???
  Any other suggestions ......

  You could indeed run MPLS over a GRE interface.
  If you want to run MPLS VPN, then I would suggest configuring MPLS VPN over l2tpv3. See the following URL for more details:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802b4817.html
  Let me know if I answered your question,

• Noise in call over GRE Multipoint tunnel

  Hi all,
  we have a setup connecting home office to head office over GRE tunnel.
  we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
  i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
  the call flow is like
  IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
  attaching the router configs for gateway and home office

  Hi all,
  we have a setup connecting home office to head office over GRE tunnel.
  we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
  i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
  the call flow is like
  IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
  attaching the router configs for gateway and home office

• Bridging over GRE tunnel

  Dear expert,
  Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
  --ran

  It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
  Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
  Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
  1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
  2. Create bridge:
  router(config)#bridge 1 protocol ieee
  3. Create a GRE tunnel interface (dont configure IP's):
  router(config)# interface tun0
  router(config-if)# tun source loopback x
  router(config-if)# tun destination <other router loopback ip>
  router(config-if)# bridge-group 1
  **This is a hidden cmd. You will get a warning message, but ignore it**
  3. Attach Physical Interface to Bridge as well:
  router(config)# interface Fa0/0
  router(config-if)# bridge-group 1
  4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
  You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
  Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
  HTH

• Sample config

  So I have been trying to setup trunking (got that done and tested) on a pair of CSS 11503's and now i would like to setup ASR, vr and vip redudnacy to failover between them. Does anyone have any samples of how to do this with all public ips, all the cisco docs are for nat'd configuration which we do not run, everything would be public.
  right now management of the css is done over vlan100 but the servers are in vlan150, different subnet's obviously however what is messing me up is the docs are all saying to use outside public ips and inside for the servers. I only have public ips and don't have time to change anything to a nat...any help would be great

  actually let me append my previous comment with a question..
  since I am trunking up (to my 6509s) and down (to various switches)...what should my default route be on the CSS's
  i have 2 vlan's right now
  vlan 10
  ip address 192.168.10.10 255.255.255.240
  vlan 20
  ip address 192.168.11.11 255.255.255.224
  in my global however I am using
  ip route 0.0.0.0 0.0.0.0 192.168.10.1 1
  10.1 btw is a virtual (HSRP address) on my 6509's
  11.1 would be the virtual (HSRP address) on my 6509's for vlan20 etc..
  so yes my previous statement about the gateways for my web servers pointing to the CSS is true (redudant int), however if I have other servers on my switches that are not in the lb's groups and I point it those servers to my HSRP virtual for vlan20's 11.1 i cannot ping it... so what are my options cause I would rather not change gateways on some of the other machines that won't be load balancing.
  I noticed in the trunking sample config the global had no route, but when i removed it, i couldn't get to anything (of course).
  thanks again

• Difrence between ... MPLS over Frame-Relay ATM

  Hai all,
  Sorry to ask very basic quiestion ..can some one tell what is the difrnce and advantage of MPLS over ATM and Frame-Relay ......pls provide me a better link ..for refrnce
  Thanks in advance
  Lijesh

  MPLS over ATM or MPLS over Frame-Relay it's not good idea, because if you use cell-mode labeling, you find someone limitation at this technology. DLCI and VPI/VCI value at this protocols it's not have large space. If you know how operate cell-mode, try to look at just for sample bits length with DLCI value at Frame-Relay protocol or VPI/VCI value at ATM protocol… Of course you can use same cheat like VCI-merge, but I think it's not very good idea.
  Building new network infrastructure at this protocols it's not good idea… It's good idea to fast implement MPLS technology in old network infrastructure build with this protocols (just for sample, you can linked ATM forwarding plane and MPLS forwarding plane (in this situation you can abandon to use fixed configuration VPI/VCI for IP network and can use benefits offered ATM technology with MPLS)), but not for new network infrastructure. If you need to offer services with this protocols, you can use Any Transport Over MPLS technology.
  For more information look at this page - http://www.cisco.com/en/US/tech/tk436/tk798/tsd_technology_support_protocol_home.html

• Welcome to the MPLS over ATM Discussion

  Welcome to the Cisco Networking Professionals Connection Service Provider Forum. This conversation will provide you the opportunity to discuss issues surrounding MPLS over ATM. We encourage everyone to share their knowledge and start conversations on issues such as Frame-based MPLS networks, multiservice networks, VPN scalability, multiple service classes, multicast, VoIP and any other topic concerning MPLS over ATM.
  Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.
  We encourage you to tell your fellow networking professionals about the site. If you would like us to send them a personal invitation simply send their names and e-mail addresses along with your name to us at [email protected]

  This is easily done with dial peer statements . The dial peer in your originating router must route the calls to the terminating router first. That would look like :
  dial-peer voice xxxxx voip ( the xxxxx is just a tag)
  destination-pattern 45... (that would route any 5-digit calls beginning with 45)
  session-target ipv4:xxx.xxx.xxx.xxx (ip address of the terminating router)
  If digitones are to be dialed after the connection is established, use the statement:
  dtmf-relay-h.245-alphanumeric
  You could also use a statement to specify the codec to be used:
  codec g711ulaw
  You would need multiple voip dial peers if the calls were going to different routers based on the dialed digits. If all calls are sent to the same terminating router, use all wild cards in the dest-pattern statement.
  At the terminating router configure pots dial peers:
  dial-peer voice xxxxx pots
  dest-pattern 45...
  port x/x (whichever port the call is to be terminated on)
  prefix 45 (this re-inserts matched digits which are stripped off by the pots dp)
  Repeat for other ports which will receive calls.
  Paul

• [svn:bz-trunk] 13477: Bug: BLZ-455 - Document client-load-balancing property in the sample config

  Revision: 13477
  Revision: 13477
  Author:   [email protected]
  Date:     2010-01-13 05:17:10 -0800 (Wed, 13 Jan 2010)
  Log Message:
  Bug: BLZ-455 - Document client-load-balancing property in the sample config
  QA: No
  Doc: No
  Ticket Links:
      http://bugs.adobe.com/jira/browse/BLZ-455
  Modified Paths:
      blazeds/trunk/resources/config/services-config.xml

• MPLS over encryption

  Hello Friend,
  Need ur help on MPLS over-relay setup encryption.
  I have 10sites across world which will connect via MPLS, were ISP will participate in customer routing they will do the optimized routing.
  CE routers are managed my ISP, i need to encrypt the data before entering into the MPLS cloud and decrypt the data when its entering the other end LAN.
  Basically looking for encryption between CE to CE is there is any way to do this?????
  Regards,
  Naren

  Hello Naren,
  CE to CE encryption is not a problem.
  As discussed in a recent thread you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.
  For DMVPN you can refer to the solution reference network design
  http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html
  another design guide for enterprise using MPLS L3 VPN services
  http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwane.html
  I've tested DMVPN over an MPLS L3 VPN and it works well.
  GETVPN is a more recent security framework that can be considered too
  Hope to help
  Giuseppe

• IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination

  >>both routers are located in different countries and connected with ISP
  >>IPsec over GRE tunnel is configured on both the routers 
  >>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
  >>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
  >>ISP is not finding any issue with their end 
  >>Please guide me how i can fix this issue and what need to be check on this ????
  ========================
  Router_1#sh run int Tunnel20
  Building configuration...
  Current configuration : 272 bytes
  interface Tunnel20
   bandwidth 2048
   ip address 3.85.129.141 255.255.255.252
   ip mtu 1412
   ip flow ingress
   delay 1
   cdp enable
   tunnel source GigabitEthernet0/0/3
   tunnel destination 109.224.62.26
  end
  ===================
  Router_1#sh int Tunnel20
  Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
    Hardware is Tunnel
    Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
    Internet address is 3.85.129.141/30
    MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive not set
    Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
     Tunnel Subblocks:
        src-track:
           Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
            Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1476 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 1w6d, output 14w4d, output hang never
    Last clearing of "show interface" counters 2y5w
    Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    5 minute input rate 0 bits/sec, 0 packets/sec
    5 minute output rate 0 bits/sec, 0 packets/sec
       1565172427 packets input, 363833090294 bytes, 0 no buffer
       Received 0 broadcasts (0 IP multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       1778491917 packets output, 1555959948508 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  =============================
  Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
  Packet sent with a source address of 195.27.20.14
  Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
  Router_1#
  ============================================
  Router_1#sh cry ip sa pe 109.224.62.26 | in caps
      #pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
      #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
  Router_1#sh clock
  15:09:45.421 UTC Thu Dec 25 2014
  Router_1#
  ===================
  Router_1#sh cry ip sa pe 109.224.62.26 | in caps
      #pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
      #pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2 
  Router_1#sh clock
  15:11:36.476 UTC Thu Dec 25 2014
  Router_1#
  ===================
  Router_2#sh run int Tu1
  Building configuration...
  Current configuration : 269 bytes
  interface Tunnel1
   bandwidth 2000
   ip address 3.85.129.142 255.255.255.252
   ip mtu 1412
   ip flow ingress
   load-interval 30
   keepalive 10 3
   cdp enable
   tunnel source GigabitEthernet0/0
   tunnel destination 195.27.20.14
  end
  Router_2#
  =======================
  Router_2#sh run | sec cry
  crypto isakmp policy 10
   authentication pre-share
  crypto isakmp key Router_2 address 195.27.20.14
  crypto isakmp key Router_2 address 194.9.241.8
  crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
   mode transport
  crypto map <Deleted> 10 ipsec-isakmp
   set peer 195.27.20.14
   set transform-set ge3vpn
   match address Router_2
  crypto map <Deleted> 20 ipsec-isakmp
   set peer 194.9.241.8
   set transform-set ge3vpn
   match address Router_1
   crypto map <Deleted>
  Router_2#
  ====================================
  Router_2#sh cry ip sa pe 195.27.20.14 | in caps
      #pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
      #pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2 
  Router_2#sh clock
  .15:10:33.296 UTC Thu Dec 25 2014
  Router_2#
  ========================
  Router_2#sh int Tu1
  Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
    Hardware is Tunnel
    Internet address is 3.85.129.142/30
    MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
       reliability 255/255, txload 1/255, rxload 1/255
    Encapsulation TUNNEL, loopback not set
    Keepalive set (10 sec), retries 3
    Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
     Tunnel Subblocks:
        src-track:
           Tunnel1 source tracking subblock associated with GigabitEthernet0/0
            Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
    Tunnel protocol/transport GRE/IP
      Key disabled, sequencing disabled
      Checksumming of packets disabled
    Tunnel TTL 255, Fast tunneling enabled
    Tunnel transport MTU 1476 bytes
    Tunnel transmit bandwidth 8000 (kbps)
    Tunnel receive bandwidth 8000 (kbps)
    Last input 1w6d, output 00:00:02, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
    Queueing strategy: fifo
    Output queue: 0/0 (size/max)
    30 second input rate 0 bits/sec, 0 packets/sec
    30 second output rate 0 bits/sec, 0 packets/sec
       1881547260 packets input, 956465296 bytes, 0 no buffer
       Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
       1705198723 packets output, 2654132592 bytes, 0 underruns
       0 output errors, 0 collisions, 0 interface resets
       0 unknown protocol drops
       0 output buffer failures, 0 output buffers swapped out
  =============================
  Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
  Type escape sequence to abort.
  Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
  Packet sent with a source address of 109.224.62.26
  Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
  Router_2#
  =========================

  Hello.
  First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
  Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
  Please provide full output "show crypto ipsec sa"
   from both sides.

• SNA tunnel over GRE tunnel

  Is it possible?.
  Configure SNA tunnel over GRE tunnel

  To my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.