MPLS over GRE Tunnel
Hi,
Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
thanx and regards,
Shakeel Ahmad
I have a problem with MPLS over GRE. When i try to apply a policy to shape the traffic it seems that the default-class dosent see the mpls packets.
Im trying to shape the traffic to 256k but it seems that the shaping never are activated.
Anyone have any idea how to solve this?
Example:
class-map match-all PING
match access-group 171
policy-map class-default
class PING
bandwidth percent 15
policy-map PING
class class-default
shape average 256000
service-policy class-default
INterfacexx
service-policy output PING
access-list 171 permit icmp any any
Similar Messages
-
HI : Are there any MTU issues of running MPLS over GRE tunnels??
what will be the MTU size ?
thnak youGRE has an overhead of 24 bytes, and can directly interfere with the MPLS overhead. The MTU associated with an MPLS packet is broken down like so:
Ethernet Payload - 1500
802.1q header - 18
AToM Header - 4 (Required for ATM and FR only)
AToM Label - 4
LDP Label - 4
TE Label - 4
MPLS Fast Reroute - 4
Total = 1538
Granted, you may not configure all of those features above into your MPLS network, this is a good baseline to use for the MPLS MTU. You need to configure the core network to accept an MTU of at least 1538 bytes, without GRE.
You need to ensure that your GRE tunnels can support an MTU greater than 1562 if you plan to implement additional MPLS features like TE and AToM. -
MPLS over GRE Support (Platform)
Hello,
I am looking to run MPLS over GRE (over the Public Internet) probably with IPSec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality...
I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering if we added the VSA encryption module (C7200-VSA=) would be enough to get a reliable MPLS over GRE tunnel functionality.
The tunnel with Encryption would ideally support up to 500Mbps.
My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar) but again CFN is unclear if the ASR100x platform is capable of delivering MPLS over GRE + IPSec.
Thanks,MPLS over GRE is not supported in Hardware for sup720. This is a PFC3 hardware limitation. Your options would be to use SPA-400 or Enhanced FlexWan.
-
does sup32 on 7600 router support mpls over gre, my uplinks
to the core are connected via sup32?Hello Atif,
in the following link the datasheet of sup32
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/product_data_sheet0900aecd801c5cab_ps368_Products_Data_Sheet.html
table1 contains the following:
Hardware-enabled MPLS-Enables use of VPNs and Layer 2 tunneling while improving traffic engineering for QoS and adding multiprotocol support
• Hardware-enabled IPv6-Expands available IP addresses, enabling better address allocation and address aggregation and supporting greater end-to-end connectivity and services
• Hardware-enabled GRE tunnels for IP traffic
be aware that performances are limited in comparison to sup720 as it is shown in table2.
Hope to help
Giuseppe -
MPLS over GRE sample config....
can any body paste a working of MPLS over GRE....
i am looking for tunnel config and any related global config...
thanks
UmarYou can try this link for GRE configuration
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml -
IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination
>>both routers are located in different countries and connected with ISP
>>IPsec over GRE tunnel is configured on both the routers
>>tunnel's line protocol is down for both the ends but able to reach the tunnel destination with tunnel source
>>Packet is not receiving on the router_1 and but could see packets are getting encrypting on the Router_2
>>ISP is not finding any issue with their end
>>Please guide me how i can fix this issue and what need to be check on this ????
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================Hello.
First of all, try to reset IPSec (clear crypto isakmp sa ..., clear crypto session ...).
Configure inbound ACL on the router to match esp protocol and check if the packets arrive.
Please provide full output "show crypto ipsec sa"
from both sides. -
Dear expert,
Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
--ranIt's a hidden command. Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
Keep in mind there are better solutions for this kind of connections. But you can try it, it's simple anyways.
Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
2. Create bridge:
router(config)#bridge 1 protocol ieee
3. Create a GRE tunnel interface (dont configure IP's):
router(config)# interface tun0
router(config-if)# tun source loopback x
router(config-if)# tun destination <other router loopback ip>
router(config-if)# bridge-group 1
**This is a hidden cmd. You will get a warning message, but ignore it**
3. Attach Physical Interface to Bridge as well:
router(config)# interface Fa0/0
router(config-if)# bridge-group 1
4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
You can try this on GNS3 as well. I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier. It also helps to understand the newer versions/enhancements to this as well.
HTH -
URGENT - tag-switching over gre-tunnel - how ??
hi,
my problem is that i want to connect two pe-router
over a gre-tunnel.
this is because between the two pe´s i unfortunatly have two cisco828 router as modemrouter inbetween which do no tag-switching.
so i decided to use a gre tunnel between the two pe´s to do tag-switching.
but if i want to forward packets greater than 1492 bytes and the df-bit is set - no chance.
here is the figure and config of the two tunnels:
c3640 - c828 -LINE- c828 - c3640
<==========TUNNEL===============>
first c3640:
interface Tunnel65052
description PE-PE Verbdg. Hoersching-Pasching
ip unnumbered Loopback0
ip mtu 1512
load-interval 30
tag-switching mtu 1512
tag-switching ip
keepalive 10 3
tunnel source 10.20.192.3
tunnel destination 10.20.192.6
second c3640:
interface Tunnel65052
description PE-PE Verbdg. Hoersching-Pasching
ip unnumbered Loopback0
ip mtu 1512
load-interval 30
tag-switching mtu 1512
tag-switching ip
keepalive 10 3
tunnel source 10.20.192.6
tunnel destination 10.20.192.3
on the 828 router i did no adjustment of mtu !
if i do a ping:
r-enns1#pi vrf lkg 172.16.169.121 size 1492 df
Type escape sequence to abort.
Sending 5, 1492-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
Packet sent with the DF bit set
Success rate is 100 percent (5/5), round-trip min/avg/max = 208/211/212 ms
r-enns1#
r-enns1#
r-enns1#
r-enns1#
r-enns1#pi vrf lkg 172.16.169.121 size 1493 df
Type escape sequence to abort.
Sending 5, 1493-byte ICMP Echos to 172.16.169.121, timeout is 2 seconds:
Packet sent with the DF bit set
M.M.M
Success rate is 0 percent (0/5)
r-enns1#
please help - thanksHere's at least two options you could try:
1) Lower the MTU on the tunnel-interface and let PMTU on the endpoints take care of the fragmentation. This could have some serious implications all depending on the systems and applications/protocols used on the network, but in most cases it'll work just fine.
2) Simply remove the DF-bit on incoming packets to the router and lower the MTU on the tunnel-interface and let the router do fragmentation regardless of what the endpoints says. Since you have a 3640 on each end and 828's in the middle, I think it should be capable of this..
You should do a MSS-modification as well in both cases.
Change the MTU like this:
interface Tunnel65052
ip mtu 1488
tag-switching mtu 1500
Then you have set all IP-packets to maximum 1488 bytes (including headers) and let there be room for 3 MPLS labels...
At least I think it should behave like this... please don't kill me if i'm wrong.. :)
Remove the DF-bit with route-map's on the inside interfaces:
interface FastEthernet1/0.100
description inside interface
ip policy route-map clear-df
ip tcp adjust-mss 1424
route-map clear-df permit 10
set ip df 0 -
Is it possible?.
Configure SNA tunnel over GRE tunnelTo my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.
-
Noise in call over GRE Multipoint tunnel
Hi all,
we have a setup connecting home office to head office over GRE tunnel.
we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
the call flow is like
IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
attaching the router configs for gateway and home officeHi all,
we have a setup connecting home office to head office over GRE tunnel.
we connected ip phone at Home office side which gets registered to call manager at head office, data traffic is fine but when we call head office to home office or vice versa, we are getting noise in the call heared at head office side , when i did mute the home office phone i am not hearing the noise.
i doubt the voice traffic getting effeted over tunnel.but unable to troubleshoot, please can anyone help me....
the call flow is like
IP phoen 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
attaching the router configs for gateway and home office -
MPLS over ATM - VP Tunnel (cell) or VC (frame)?
Does anybody use the MPLS over VP tunnel with the Cisco 8540 ATM MPLS core? Is it a stable solution or one should better leave the ATM MPLS cell mode and convert to frame mode over ATM?
Both Cell mode and frame mode are stable solutions. But the scenario where we use them are different. I see that Cisco 8540 ATM MPLS Core is used. In this case, I would say that cell mode MPLS is a better solution for the following reason(s); In normal (non-MPLS) ATM core the L2 topology might be different from L3 topology. Say for example, a destination IP (a.b.c.d) might be shown as 3 hops (routers) away but there can be even 10 or more ATM switches in between. In this case the L2 topology might not be an optimal path. Hence we go for cell mode operation, where we form a full mesh topology and hence an optimal path.
-
Please i want to know if the GRE tunnel has limitation for traffic passes over it depend only on physical media.
Example:if i want 5GIG traffic to pass over GRE tunnel and physical media have BW 10 GIG ,GRE tunnel can handle this amount of traffic or not.it's depends on you equipment. if you have something like asr1000 on both sides (or other device which handle gre in hardware), you can achieve speed more than 5gbps.
-
Hi ,
Who can tell me how to config ipsec over GRE tunnel when remote side useing dynamic ip !
Thanks!Cisco has introduced a feature designed to do exactly what you are asking. You can configure an IPSec VPN over GRE tunnel where the remote has dynamic IP using the feature of Dynamic Multipoint VPN (DMVPN).
The key concept here is that the remote side must initiate the tunnel to the central side. In the message requesting the tunnel the remote indicates what address the central should use as the tunnel destination.
I have configured it in the lab and it worked pretty well. I have not yet used it in a production environment.
This URL should help you get started with this:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html
HTH
Rick -
IPsec over GRE in ASR 1000 with VRF
Hi
I´m trying to configure IPsec over GRE tunnel between Cisco 819G remote router and ASR 1002 central router using crypto maps. Currently ASR router has two vrf´s (management vrf and EXTERNOS2 vrf) and in the future we are going to deploy different "virtual" routers from this box. I don´t know why it doesn´t work, tunnel interface doesn´t go up. Taking a view to debugs obtained from ASR router (debug crypto isakmp and debug crypto ipsecI see the following errors:
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1
Oct 3 13:11:33: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 10.255.68.246:0, remote= 10.200.25.106:0,
local_proxy= 10.255.68.246/255.255.255.255/256/0,
remote_proxy= 10.200.25.106/255.255.255.255/256/0,
protocol= ESP, transform= NONE (Transport),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: Crypto mapdb : proxy_match
src addr : 10.255.68.246
dst addr : 10.200.25.106
protocol : 0
src port : 0
dst port : 0
Oct 3 13:11:33: map_db_check_isakmp_profile profile did not match
Oct 3 13:11:33: map_db_find_best did not find matching map
Oct 3 13:11:33: IPSEC(ipsec_process_proposal): proxy identities not supported
Oct 3 13:11:33: ISAKMP:(35001): IPSec policy invalidated proposal with error 32
Oct 3 13:11:33: ISAKMP:(35001): phase 2 SA policy not acceptable! (local 10.255.68.246 remote 10.200.25.106)
anybody could help me to troubleshoot why it doesn´t work?
I post you involved configuration sections from ASR and 819G routers
B.R.Ops!! I forgot to paste involved routes from both devices.
ASR router
ip route vrf EXTERNOS2 10.200.24.0 255.255.248.0 10.255.68.245 tag 6
ip route vrf EXTERNOS2 185.1.1.0 255.255.255.0 Tunnel21 tag 6 <--- c819G LAN network
Cisco 819G
ip route 0.0.0.0 0.0.0.0 Tunnel1
ip route 10.255.68.246 255.255.255.255 Cellular0
B.R. -
Gre tunnel over 2 mpls routers
I have 2 sites and the voice server is in site A and Site B are the remote phones . Right now voice vlan go over the DMVPN we are facing some degraded performance and decided to move voice traffic to mpls .
We need to carry the multicast traffic as well which is not supported over our MPLS circuit. I have no idea why provider is not supporting multicast traffic over mpls circuit.
So we decided to create GRE tunnels to carry multicast traffic over MPLS .We have L3 switches on both sites Site A cisco 4500 and Site B cisco 3850 . and MPLS connectivity is reachable upto L3 core switches. With 3850 we had issue to create tunnels and i have upgraded the IOS after upgrading i came to know no more tunnels are supported on 3850. So cannot have Gre tunnel between our L3 switches over the MPLS.
My Question is can i ask the MPLS provider to setup tunnels on their routers which they are ready to help and point the static routes for voice vlan towards gre tunnels over mpls .
Can you advise any other solution or does this solution would work.?Aneesh,
Lost of connectivity between the two PEs would indeed cause the GRE tunnel interface to go down, assuming that you configure tunnel keepalives as follow:
int tu0
keepalive
Regards
Maybe you are looking for
-
My iPhone 5 dies at 20-24% it doesn't go all the way to 0%. Will apple replace my phone or fix my phone for free since its hardware problem and I have no money. This is my second iphone 5 replacement. I have no apple care so I'm worried. My phone has
-
How do I set up my iPad so that I can recieve the emails from my Outlook Express account
How do I set up my iPad so that I can recieve the emails from my Outlook Express account
-
How to create a inbound IDOC from flat file in Application server
HI All Our requirement is to create the Inbound idocs from a flat file from application server with in R/3 Could any body please let me know the steps required for this. Thanks Malli
-
How can I share numbers documents with my coworkers?
In our office we are used to share excel sheets. Now we are trying to do the same with numbers. But... When one of my coworkers opens the document at the same time and makes changes, the person saving last, overwrites the previous changes without get
-
LMS 3.2.1 netconfig error
Hi, I am using LMS 3.2.1, and while deploying the configuration to the device via Netconfig job, I receive below error message. All commands deploy successfully but Netconfig job status always failed because of below error message; Command(s) failed