MPLS over GRE tunnels
Hi: Are there any MTU issues with running MPLS over GRE tunnels?
What will be the MTU size?
Thank you
GRE has an overhead of 24 bytes, and can directly interfere with the MPLS overhead. The MTU associated with an MPLS packet is broken down like so:
Ethernet Payload - 1500
802.1q header - 18
AToM Header - 4 (Required for ATM and FR only)
AToM Label - 4
LDP Label - 4
TE Label - 4
MPLS Fast Reroute - 4
Total = 1538
Granted, you may not configure all of the features above in your MPLS network, but this is a good baseline to use for the MPLS MTU. You need to configure the core network to accept an MTU of at least 1538 bytes, without GRE.
You need to ensure that your GRE tunnels can support an MTU greater than 1562 if you plan to implement additional MPLS features like TE and AToM.
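The byte budget above, worked through as an added example (not part of the original post and not Cisco tooling): it reproduces the 1538 and 1562 totals and goes one step beyond the post to GRE protected by ESP in transport mode. The function names and the ESP sizes (3DES-CBC with HMAC-SHA1-96) are assumptions of this example.

```python
"""MTU budget for MPLS over GRE, optionally inside IPsec ESP (added example)."""

LABEL = 4          # one MPLS label stack entry
GRE_OVER_IP = 24   # the post's GRE figure: 20-byte outer IPv4 + 4-byte GRE header
IPV4_HEADER = 20

# The breakdown quoted in the post, in bytes.
POST_BREAKDOWN = [
    ("Ethernet payload", 1500),
    ("802.1q header", 18),
    ("AToM header", 4),
    ("AToM label", LABEL),
    ("LDP label", LABEL),
    ("TE label", LABEL),
    ("MPLS Fast Reroute", LABEL),
]


def mpls_frame_size(breakdown=POST_BREAKDOWN):
    """Sum of the per-feature overheads listed in the post."""
    return sum(size for _, size in breakdown)


def over_gre(size):
    """Size once the packet is carried in a GRE/IPv4 tunnel."""
    return size + GRE_OVER_IP


def esp_transport_size(ip_packet_len, block=8, iv=8, icv=12):
    """IPv4 packet size after ESP in transport mode.

    Defaults are assumptions of this example: 3DES-CBC (8-byte block and IV)
    with HMAC-SHA1-96 (12-byte ICV). ESP adds an 8-byte SPI/sequence header
    and a 2-byte trailer, and pads the encrypted part to the cipher block size.
    """
    payload = ip_packet_len - IPV4_HEADER
    padded = (payload + 2 + block - 1) // block * block
    return IPV4_HEADER + 8 + iv + padded + icv


def max_tunnel_ip_mtu(path_mtu, labels=0, ipsec=False):
    """Largest IP packet the tunnel can carry without fragmenting on path_mtu."""
    for inner in range(path_mtu, 0, -1):
        wire = over_gre(inner + labels * LABEL)
        if ipsec:
            wire = esp_transport_size(wire)
        if wire <= path_mtu:
            return inner
    return 0


if __name__ == "__main__":
    base = mpls_frame_size()
    print("MPLS frame, no GRE:", base)
    print("same frame over GRE:", over_gre(base))
    for labels in (0, 1, 2, 3):
        print(labels, "labels:",
              "GRE only", max_tunnel_ip_mtu(1500, labels),
              "| GRE + ESP transport", max_tunnel_ip_mtu(1500, labels, ipsec=True))
```

Read the other way round, the last function gives the largest `ip mtu` a tunnel interface can use on a 1500-byte path for a given label depth before the outer packet has to be fragmented.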
Similar Messages
-
Hi,
Can anyone guide me about the benefits of MPLS over GRE tunnels? Does this serve the purpose of MPLS (except TE, which I suppose is not possible on GRE tunnels), as Layer 3 is already involved before label switching even starts?
Thanks and regards,
Shakeel Ahmad
I have a problem with MPLS over GRE. When I try to apply a policy to shape the traffic, it seems that the default-class doesn't see the MPLS packets.
I'm trying to shape the traffic to 256k but it seems that the shaping is never activated.
Does anyone have any idea how to solve this?
Example:
class-map match-all PING
 match access-group 171
policy-map class-default
 class PING
  bandwidth percent 15
policy-map PING
 class class-default
  shape average 256000
  service-policy class-default
interface xx
 service-policy output PING
access-list 171 permit icmp any any
-
Does sup32 on 7600 router support MPLS over GRE? My uplinks
to the core are connected via sup32.
Hello Atif,
the following link is the datasheet of sup32:
http://www.cisco.com/en/US/prod/collateral/modules/ps2797/ps5972/product_data_sheet0900aecd801c5cab_ps368_Products_Data_Sheet.html
Table 1 contains the following:
• Hardware-enabled MPLS - Enables use of VPNs and Layer 2 tunneling while improving traffic engineering for QoS and adding multiprotocol support
• Hardware-enabled IPv6 - Expands available IP addresses, enabling better address allocation and address aggregation and supporting greater end-to-end connectivity and services
• Hardware-enabled GRE tunnels for IP traffic
Be aware that performance is limited in comparison to sup720, as shown in Table 2.
Hope to help
Giuseppe
-
MPLS over GRE sample config
Can anybody paste a working MPLS over GRE config?
I am looking for the tunnel config and any related global config.
Thanks
Umar
You can try this link for GRE configuration:
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801e1294.shtml
-
MPLS over GRE Support (Platform)
Hello,
I am looking to run MPLS over GRE (over the Public Internet) probably with IPSec for obvious reasons. CFN seems to suggest only the Cat6k with SUP-VS-2T or the Catalyst 6800 is capable of MPLS over GRE functionality...
I currently have 2 x Cisco 7200 VXR platforms (7204 & 7206) with the NPE-G2 processing engine and was wondering if adding the VSA encryption module (C7200-VSA=) would be enough to get reliable MPLS over GRE tunnel functionality.
The tunnel with encryption would ideally support up to 500Mbps.
My other alternative is to upgrade/replace the VXRs with ASRs (1002 or similar), but again CFN is unclear on whether the ASR100x platform is capable of delivering MPLS over GRE + IPSec.
Thanks,
MPLS over GRE is not supported in hardware for sup720. This is a PFC3 hardware limitation. Your options would be to use SPA-400 or Enhanced FlexWan.
-
A Chairde,
I am nearly sure the answer is no, but will ask anyway.
I want to connect two private networks over a corporate WAN, and am looking to keep the router traffic (BGP) and routing traffic under control.
I only have control of the two lab routers; the routers in the middle are controlled by the IT dept. Is there any way of setting up MPLS with this scenario?
Any other suggestions ......
You could indeed run MPLS over a GRE interface.
If you want to run MPLS VPN, then I would suggest configuring MPLS VPN over l2tpv3. See the following URL for more details:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802b4817.html
Let me know if I answered your question,
-
Welcome to the MPLS over ATM Discussion
Welcome to the Cisco Networking Professionals Connection Service Provider Forum. This conversation will provide you the opportunity to discuss issues surrounding MPLS over ATM. We encourage everyone to share their knowledge and start conversations on issues such as Frame-based MPLS networks, multiservice networks, VPN scalability, multiple service classes, multicast, VoIP and any other topic concerning MPLS over ATM.
Remember, just like in the workplace, be courteous to your fellow forum participants. Please refrain from using disparaging or obscene language or posting advertisements.
We encourage you to tell your fellow networking professionals about the site. If you would like us to send them a personal invitation simply send their names and e-mail addresses along with your name to us at [email protected]
This is easily done with dial peer statements. The dial peer in your originating router must route the calls to the terminating router first. That would look like:
dial-peer voice xxxxx voip ( the xxxxx is just a tag)
destination-pattern 45... (that would route any 5-digit calls beginning with 45)
session-target ipv4:xxx.xxx.xxx.xxx (ip address of the terminating router)
If digitones are to be dialed after the connection is established, use the statement:
dtmf-relay h245-alphanumeric
You could also use a statement to specify the codec to be used:
codec g711ulaw
You would need multiple voip dial peers if the calls were going to different routers based on the dialed digits. If all calls are sent to the same terminating router, use all wild cards in the dest-pattern statement.
At the terminating router configure pots dial peers:
dial-peer voice xxxxx pots
dest-pattern 45...
port x/x (whichever port the call is to be terminated on)
prefix 45 (this re-inserts matched digits which are stripped off by the pots dp)
Repeat for other ports which will receive calls.
Paul
-
Hello Friend,
Need your help on MPLS over-relay setup encryption.
I have 10 sites across the world which will connect via MPLS, where the ISP will participate in customer routing; they will do the optimized routing.
CE routers are managed by the ISP. I need to encrypt the data before it enters the MPLS cloud and decrypt the data when it enters the LAN at the other end.
Basically I am looking for encryption between CE and CE. Is there any way to do this?
Regards,
Naren
Hello Naren,
CE to CE encryption is not a problem.
As discussed in a recent thread you can use DMVPN or GETVPN to implement a mesh of encrypted communication tunnels between different CE sites.
For DMVPN you can refer to the solution reference network design
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/DMVPDG.html
another design guide for enterprise using MPLS L3 VPN services
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwane.html
I've tested DMVPN over an MPLS L3 VPN and it works well.
GETVPN is a more recent security framework that can be considered too.
Hope to help
Giuseppe
-
IPsec over GRE tunnel's line protocol is down but able to ping the tunnel destination
>>Both routers are located in different countries and connected through an ISP
>>IPsec over GRE tunnel is configured on both routers
>>The tunnel's line protocol is down at both ends, but the tunnel destination is reachable from the tunnel source
>>Packets are not being received on Router_1, but I can see packets are being encrypted on Router_2
>>The ISP is not finding any issue at their end
>>Please guide me on how I can fix this issue and what needs to be checked
========================
Router_1#sh run int Tunnel20
Building configuration...
Current configuration : 272 bytes
interface Tunnel20
bandwidth 2048
ip address 3.85.129.141 255.255.255.252
ip mtu 1412
ip flow ingress
delay 1
cdp enable
tunnel source GigabitEthernet0/0/3
tunnel destination 109.224.62.26
end
===================
Router_1#sh int Tunnel20
Tunnel20 is up, line protocol is up>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Keepalive is not set
Hardware is Tunnel
Description: *To CRPrgEIQbaghd01 - 2Mb GRE over Shared ISP Gateway*
Internet address is 3.85.129.141/30
MTU 17916 bytes, BW 2048 Kbit/sec, DLY 10 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 195.27.20.14 (GigabitEthernet0/0/3), destination 109.224.62.26
Tunnel Subblocks:
src-track:
Tunnel20 source tracking subblock associated with GigabitEthernet0/0/3
Set of tunnels with source GigabitEthernet0/0/3, 32 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 14w4d, output hang never
Last clearing of "show interface" counters 2y5w
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1565172427 packets input, 363833090294 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1778491917 packets output, 1555959948508 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_1#ping 109.224.62.26 re 100 sou 195.27.20.14
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 109.224.62.26, timeout is 2 seconds:
Packet sent with a source address of 195.27.20.14
Success rate is 92 percent (92/100), round-trip min/avg/max = 139/142/162 ms
Router_1#
============================================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987306, #pkts encrypt: 831987306, #pkts digest: 831987306
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611
Router_1#sh clock
15:09:45.421 UTC Thu Dec 25 2014
Router_1#
===================
Router_1#sh cry ip sa pe 109.224.62.26 | in caps
#pkts encaps: 831987339, #pkts encrypt: 831987339, #pkts digest: 831987339
#pkts decaps: 736012611, #pkts decrypt: 736012611, #pkts verify: 736012611>>>>>>>>>>>>>>>>>>>>Traffic is not receiving from Router 2
Router_1#sh clock
15:11:36.476 UTC Thu Dec 25 2014
Router_1#
===================
Router_2#sh run int Tu1
Building configuration...
Current configuration : 269 bytes
interface Tunnel1
bandwidth 2000
ip address 3.85.129.142 255.255.255.252
ip mtu 1412
ip flow ingress
load-interval 30
keepalive 10 3
cdp enable
tunnel source GigabitEthernet0/0
tunnel destination 195.27.20.14
end
Router_2#
=======================
Router_2#sh run | sec cry
crypto isakmp policy 10
authentication pre-share
crypto isakmp key Router_2 address 195.27.20.14
crypto isakmp key Router_2 address 194.9.241.8
crypto ipsec transform-set ge3vpn esp-3des esp-sha-hmac
mode transport
crypto map <Deleted> 10 ipsec-isakmp
set peer 195.27.20.14
set transform-set ge3vpn
match address Router_2
crypto map <Deleted> 20 ipsec-isakmp
set peer 194.9.241.8
set transform-set ge3vpn
match address Router_1
crypto map <Deleted>
Router_2#
====================================
Router_2#sh cry ip sa pe 195.27.20.14 | in caps
#pkts encaps: 737092521, #pkts encrypt: 737092521, #pkts digest: 737092521
#pkts decaps: 828154572, #pkts decrypt: 828154572, #pkts verify: 828154572>>>>>>>>>>>>Traffic is getting encrypting from router 2
Router_2#sh clock
.15:10:33.296 UTC Thu Dec 25 2014
Router_2#
========================
Router_2#sh int Tu1
Tunnel1 is up, line protocol is down>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Down
Hardware is Tunnel
Internet address is 3.85.129.142/30
MTU 17916 bytes, BW 2000 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 109.224.62.26 (GigabitEthernet0/0), destination 195.27.20.14
Tunnel Subblocks:
src-track:
Tunnel1 source tracking subblock associated with GigabitEthernet0/0
Set of tunnels with source GigabitEthernet0/0, 2 members (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 1w6d, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 14843
Queueing strategy: fifo
Output queue: 0/0 (size/max)
30 second input rate 0 bits/sec, 0 packets/sec
30 second output rate 0 bits/sec, 0 packets/sec
1881547260 packets input, 956465296 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
1705198723 packets output, 2654132592 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
=============================
Router_2#ping 195.27.20.14 re 100 sou 109.224.62.26
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 195.27.20.14, timeout is 2 seconds:
Packet sent with a source address of 109.224.62.26
Success rate is 94 percent (94/100), round-trip min/avg/max = 136/143/164 ms
Router_2#
=========================
Hello.
First of all, try to reset IPsec (clear crypto isakmp sa ..., clear crypto session ...).
Configure an inbound ACL on the router to match the ESP protocol and check whether the packets arrive.
Please provide the full output of "show crypto ipsec sa"
from both sides.
-
Noise in call over GRE Multipoint tunnel
Hi all,
We have a setup connecting a home office to the head office over a GRE tunnel.
We connected an IP phone at the home office side, which gets registered to the call manager at the head office. Data traffic is fine, but when we call from head office to home office or vice versa, we get noise in the call, heard at the head office side; when I mute the home office phone I do not hear the noise.
I doubt the voice traffic getting affected over the tunnel, but I am unable to troubleshoot. Please can anyone help me....
The call flow is like:
IP phone 1----->cucm----->gateway------>wan------->home office router--------->ip phone 2
attaching the router configs for gateway and home office
-
Is it possible?
Configure SNA tunnel over GRE tunnel
To my knowledge, no, but it would sure work for me if it was possible. DLSW has always worked like a charm for me to route SNA over an IP network.
-
Dear expert,
Currently I have a problem running bridging over a GRE tunnel. We are using a Cisco 3640 but somehow under tunnel 0 there is no 'bridge-group 1' command. We are trying to get the IOS that supports the command under tunnel 0 but to no avail. Can someone help me? Thanks
--ran
It's a hidden command. Even though you might get a warning message stating this is obsolete and unsupported, it is still technically a valid configuration. Legacy, but works.
Keep in mind there are better solutions for this kind of connection. But you can try it, it's simple anyway.
Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
2. Create bridge:
router(config)#bridge 1 protocol ieee
3. Create a GRE tunnel interface (don't configure IPs):
router(config)# interface tun0
router(config-if)# tun source loopback x
router(config-if)# tun destination <other router loopback ip>
router(config-if)# bridge-group 1
**This is a hidden cmd. You will get a warning message, but ignore it**
4. Attach Physical Interface to Bridge as well:
router(config)# interface Fa0/0
router(config-if)# bridge-group 1
5. Configure the hosts' IP addresses to be on the same IP segment and validate communication between them.
You can try this on GNS3 as well. I made a diagram and a brief explanation in another thread, but really don't remember how to get to it.
Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier. It also helps to understand the newer versions/enhancements to this as well.
HTH
-
Difference between ... MPLS over Frame-Relay ATM
Hi all,
Sorry to ask a very basic question. Can someone tell me what the difference and advantage of MPLS over ATM and Frame-Relay is? Please provide me a better link for reference.
Thanks in advance
Lijesh
MPLS over ATM or MPLS over Frame-Relay is not a good idea, because if you use cell-mode labeling, you will find some limitations in this technology. The DLCI and VPI/VCI values in these protocols do not have a large space. If you know how cell-mode operates, look, for example, at the bit length of the DLCI value in the Frame-Relay protocol or the VPI/VCI value in the ATM protocol... Of course you can use some cheat like VCI-merge, but I think it's not a very good idea.
Building new network infrastructure on these protocols is not a good idea... It is a good idea for quickly implementing MPLS technology in an old network infrastructure built with these protocols (for example, you can link the ATM forwarding plane and the MPLS forwarding plane (in this situation you can stop using fixed VPI/VCI configuration for the IP network and can use the benefits offered by ATM technology with MPLS)), but not for new network infrastructure. If you need to offer services with these protocols, you can use Any Transport over MPLS technology.
For more information look at this page - http://www.cisco.com/en/US/tech/tk436/tk798/tsd_technology_support_protocol_home.html
-
I've heard IPv6 over MPLS lots of times, but never heard of MPLS over IPv6.
Is it possible to employ MPLS over a pre-existing IPv6 network? If not currently, any research?
I have heard too much going on in this field. Any particular interest?
-
Hi,
Does Cisco support MPLS over atm-ppp-llc
per RFC 2354 (PPP over AAL5)?
Something like a scenario where Cisco acts as a PE and it gets frames with MPLS over atm-ppp-llc from a connected CE: is it supported in Cisco, or will it drop the frames?
Running MPLS over the CE-PE link is mandatory for the specific scenario.
Thanks
Thanks in advance
Hello,
The MPLS should be supported also on PPP over AAL5. Simply use the "mpls ip" command on the Virtual-Template or the Dialer interface you are using on top of the ATM VC to set up the PPP interface.
The 3640 with proper IOS can support the PE functions. The Enterprise feature sets should be equipped with all features necessary to provide a PE router functionality - basically, the VRF, MPLS, LDP, MPLS VPN support, BGP, BGP VPNv4 support, IGP protocols with VRF support and that should be sufficient.
Best regards,
Peter