Trying to shutdown GRE tunnels based on status of BGP peer
has anyone tried to detect a eBGP peer failure and take action based on the failure? -I am trying to shutdown a couple of GRE tunnels on
a router if it detects failure of a eBGP peer.... -thanks for any/all pointers....
I don't know why you're using multiple events here. I was thinking:
event manager environment q "
event manager applet bgp-up
event system pattern "BGP.*neighbor 10.0.0.114 Up"
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "event manager applet bgp-up-timer"
action 004 cli command "event timer countdown time 900"
action 005 cli command "action 1.0 cli command enable"
action 006 cli command "action 2.0 cli command $q config t$q"
action 007 cli command "action 3.0 cli command $q router bgp 1$q"
action 008 cli command "action 4.0 cli command $q redistribute ospf 1$q"
action 009 cli command "action 5.0 cli command end"
action 010 cli command "end"
event manager applet bgp-down
event syslog pattern "BGP.*neighbor 10.0.0.114 Down"
action 1.0 cli command "enable"
action 2.0 cli command "config t"
action 3.0 cli command "no event manager applet bgp-up-timer"
action 4.0 cli command "router bgp 1"
action 5.0 cli command "no redistribute ospf 1"
action 6.0 cli command "end"
Similar Messages
-
Windows Replication RPC Problems with IPSec GRE Tunnel
We have been having significant issue in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares. Both services will randomly stop working, throwing RPC errors as the resulting cause. We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem. I'm trying to the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs. An IPSec GRE tunnel exists between both offices. Interoffice bandwidth is approximately 10mbps. Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations. We really don't have a complicated environment, I'd think it wouldn't be too hard to set up. But this just seems to be escaping me. I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
Please let me know if there is anything further people need to see. My next step is MS forums but I wanted to eliminate layer 3 first.
Tunnel Config:
crypto map outside_crypto 10 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-SHA
match address 102
crypto ipsec df-bit clear
interface Tunnel0
bandwidth 10240
ip address x.x.x.x x.x.x.x
no ip redirects
ip mtu 1420
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1375
tunnel source GigabitEthernet0/0
tunnel destination x.x.x.x
crypto ipsec df-bit clear
endHi,
Based on the third-party article below, you can setup VPN connection between Windows VPN client and Cisco firewall:
Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
RADIUS authentication for Cisco switches using w2k8R2 NPS
Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
Best regards,
Susie -
IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways
Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details). Time for some advice. My usual trade is controls engineering which generally require only basic knowledge of networking principals. However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system. I decided to use cellular technology to connect these remote sites back to the main SCADA system. Well the infrastructure is now in and it’s time to get these things talking. Basic topology description is as follows: Each remote site has an Airlink LS300 gateway. Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system. The Airlinks are provisioned by Verizon utilizing a private network with static IP's. This private networks address is 192.168.1.0/24. Back at the central office the SCADA computer is sitting behind a Cisco 2911. The LAN address of the central office is 192.168.11.0/24. The 2911 is utilizing GRE tunnels that terminate with Verizon. The original turn up was done with another contractor that did a basic config of the router which you will find below. As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks. I think I understand just about every part of the config below and think it is just missing a few items to be complete. I would greatly appreciate anyone’s help in getting this set up correctly. I also have a few questions about the set up that still don’t make sense to me, you will find them below the config. Thanks in advance.
no aaa new-model
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
ip domain name yourdomain.com
no ipv6 cef
multilink bundle-name authenticated
username cisco privilege 15 one-time secret
redundancy
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key AbCdEf01294 address 99.101.15.99
crypto isakmp key AbCdEf01294 address 99.100.14.88
crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac
mode transport
crypto map VZW_VPNTUNNEL 1 ipsec-isakmp
description Verizon Wireless Tunnel
set peer 99.101.15.99
set peer 99.100.14.88
set transform-set VZW_TSET
match address VZW_VPN
interface Tunnel1
description GRE Tunnel to Verizon Wireless
ip address 172.16.200.2 255.255.255.252
tunnel source 22.20.19.18
tunnel destination 99.101.15.99
interface Tunnel2
description GRE Tunnel 2 to Verizon Wireless
ip address 172.16.200.6 255.255.255.252
tunnel source 22.20.19.18
tunnel destination 99.100.14.88
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
shutdown
duplex auto
speed auto
interface GigabitEthernet0/1
ip address 192.168.11.1 255.255.255.0
duplex auto
speed auto
interface GigabitEthernet0/2
ip address 22.20.19.18 255.255.255.0
duplex full
speed 100
crypto map VZW_VPNTUNNEL
router bgp 65505
bgp log-neighbor-changes
network 0.0.0.0
network 192.168.11.0
neighbor 172.16.200.1 remote-as 6167
neighbor 172.16.200.5 remote-as 6167
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip route 0.0.0.0 0.0.0.0 22.20.19.19
ip access-list extended VZW_VPN
permit gre host 99.101.15.99 host 22.20.19.18
permit icmp host 99.101.15.99 host 22.20.19.18
permit esp host 99.101.15.99 host 22.20.19.18
permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
permit gre host 22.20.19.18 host 99.101.15.99
permit gre host 22.20.19.18 host 99.100.14.88
access-list 23 permit 10.10.10.0 0.0.0.7
control-plane
end
So after spending countless hours analyzing every portion of this, I think that adding one line to this will get it going (or at least closer).
ip route 192.168.1.0 255.255.0.0 22.20.19.19
That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
Now for a couple of questions for those that are still actually hanging around.
#1 what is the purpose of the Ethernet address assigned to each tunnel? I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?). Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
#2 is the config above correct in pointing the default route to the physical Ethernet address? Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)? If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
#3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP. Or is TCP implicit in some way with the GRE permit?
I actually have alot more questions, but I will keep reading for now.
I really appreciate the time you all took to trudge through this. Also please feel free to point anything else out that I may have missed or that can be improved. Have a great day!This post is a duplicate of this thread
https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
which has a response. I suggest that all discussion of this question be done through the other thread.
HTH
Rick -
Percentage based on Status using per group
Hi Gurus,
Can you help me with this? You have any approach of getting the percentage based on status using per group?
Currently I have this code below but it doesn’t have result but no error. I am trying to get the % In Complete.
<?xdofx:(sum(current-group()/NUMINCOMPLETE)/(sum(NUMSUBMITTED) + sum(NUMCOMPLETED) + sum(NUMINPROGRESS) + sum(NUMINCOMPLETE)))*100?>
Thanks Much,
JP
Edited by: BIPnewbie on Feb 6, 2012 3:05 AMUse this:
<?xdoxslt:div(sum(current-group()/NUMINCOMPLETE), ((sum(NUMSUBMITTED) + sum(NUMCOMPLETED) + sum(NUMINPROGRESS) + sum(NUMINCOMPLETE)))*100?>
Thanks,
Bipuser -
Auto numbering Column id and filter this lookup id in another list based on status="active"
Hi,
I am trying to autonumbeirng the column id with default column ID. But it is not reset if i delete the list item. Also i want this id in another column which have status="Active". How i will do this?
Thanks in Advance.
RoopeshHi,
According to your description, my understanding is that you want to reset the column ID when you delete the list item and then you want to filter the id in another list based on status.
For resetting column id, there is no direct way to achieve it. I suggest you can save the list as a template and recreate the list. ID columns will always keep incrementing and will never be reused.
Here is a similar thread about reset column ID for your reference:
https://social.technet.microsoft.com/Forums/sharepoint/en-US/848a3d73-6273-45fa-806f-96312a4d71d1/is-there-anyway-to-reset-the-default-id-number-that-sharepoint-gives-to-an-item-back-to-1?forum=sharepointgeneralprevious
For filtering look up field, here are some detailed demos for your reference:
http://filteredlookup.codeplex.com/
https://social.technet.microsoft.com/Forums/en-US/d23d6e9b-dc7b-4741-8746-dd4bf00b8110/how-to-filter-lookup-column-in-sharepoint-2010
v
Thanks
Best Regards
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Jerry Guo
TechNet Community Support -
Hi to all,
I would like to know if it is possible to create a static Port Address Translation (PAT) that would translate a routable IP address to a private address where a GRE tunnel would end.
In other words, I am trying to see if we can use a static PAT for a GRE tunnel like the one that we can used to reach a HTTP server using a private IP address via static PAT to a routable IP address.
Just trying to see if it is possible to initiate a GRE tunnel from 192.168.1.1 (R1) and used 1.1.1.1 (R2), IP address reachable via internet, as destination address, in the case where we would do a PAT translation on R2 in order to actually terminate the tunnel on R3 router. The static PAT on R2 would translate 1.1.1.1 to 172.16.1.2.
I am basically looking for an equivalent to the following static PAT but for GRE tunnel
ip nat inside source static tcp 10.10.10.5 80 192.168.2.1 80
Thanks for your help
StephaneHello Stephane,
GRE is neither TCP nor UDP, GRE has its own protocol number 47. You can allow the traffic by either by calling GRE instead of TCP or UDP or by just putting a normal IP static NAT entry.
Extended IP access list GRE
10 permit tcp any any eq 47 log <--- No Hits
15 permit tcp any any log <--- No Hits
20 permit udp any any eq 47 log <--- No Hits
25 permit udp any any log <--- No Hits
30 permit gre any any log (20 matches)
40 permit ip any any (43 matches)
*Mar 1 00:27:48.435: IP: tableid=0, s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), routed via FIB
*Mar 1 00:27:48.435: IP: s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), len 100, sending
*Mar 1 00:27:48.435: ICMP type=0, code=0
*Mar 1 00:27:48.435: IP: s=192.168.9.5 (Tunnel1), d=192.168.8.2 (FastEthernet0/0), len 124, sending, proto=47
I hope it helps great for you. Please rate if you fell this is helpfull.
Thanks,
Kasi -
GRE Tunnel/NAT with multiple subnets and interfaces
So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
Here is the situation...
We are migrating some equipment between datacenters. The equipment only a has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter. Further because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight. The last twist in this puzzle is that at the new datacenter, we will deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested ti in a lab and everything SEEMED to work. However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
Essentially what we had/have and how it was configured is as follows:
Site A
Edge Router - x.x.x.x /24 BGP announcement
x.x.x.y/27 that is within the /24 that we need at site b
GRE tunnel configuration
interface tunnel0
ip address 10.x.x.1 255.255.255.252
tunnel source <router edge IP>
tunnel destination <site b router edge ip>
keepalive 10 3
static route for site a public ip to bring it to site b via GRE tunnel
ip route x.x.x.y 255.255.255.224 10.x.x.2
Site B
Edge Router - y.y.y.y /24 BGP announcement
Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
2 Vlans (1 for site a ip space, 1 for site b ip space)
int vlan 50
ip address x.x.x.1 /27
int vlan 51
ip address y.y.y.129 /25
Trunk port for the VLANs going down to an ASA
int g1/1
swi mode trunk
swi trunk native vlan 51
swi tru all vlan 50,51
swi tru en dot1q
Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
int e0/0
nameif outside
sec 0
ip address y.y.y.130 /25
int e0/0.50
nameif outsideold
sec 0
ip address x.x.x.2 /27
vlan 51
int e0/1
nameif inside
sec 100
ip address 192.168.y.1 /24
int e0/1.60
nameif insideold
sec 100
ip address 192.168.x.1 /24
vlan 60
A static route using the new ip space on the native outside interface...
route 0 0 y.y.y.129
And then I have some nat rules which is where I think things go a little haywire...
object network obj-y.y.y.0-24
subnet y.y.y.0 255.255.255.0
nat (inside,outside) dynamic interface
object network obj-x.x.x.0-24
subnet x.x.x.0 255.255.255.0
nat (insideold,outside) dynamic interface
object network obj-y.y.y.135-160
range y.y.y.135 y.y.y.160
object network obj-192.168.y.135-160
range 192.168.y.135 192.168.y.160
nat (inside,outside) static obj-y.y.y.135-160
object network obj-x.x.x.10-20
range x.x.x.10 x.x.x.20
object network obj-192.168.x.10-20
range 192.168.x.10 192.168.x.20
nat (insideold,outsideold) static obj-x.x.x.10-20
From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
object network obj-192.168.x.10-20-2
range 192.168.x.10 192.168.x.20
nat (insideold,outside) static obj-x.x.x.10-20
There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic. The following was what was observed:
1. Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
2. Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140). Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
3. ICMP packets to "old ip range" flowed perfectly fine to one to one nat IP (ie I could ping x.x.x.20 from outside) and likelise I could ping anywhere on the internet from a machine with a static natted ip.
4. Heres the butt...no traffic other than ICMP would reach these machines with static ips. Same range, same subnet as ones using the dynamic port translation that worked perfectly. Do not understand why this was / is the case and this is what I am seeking a solution to. I have attempted the following troubleshooting steps without success:
A. Confirmed MTU size was not an issue with the GRE tunnel. 2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
C. Confirmed local windows machine firewall was off and not blocking anything.
D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped. There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does. Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
So what simple piece of the nat configuration am I overlooking because I cannot possible wrap my head around it being anything else.
Any suggestions / lessons would be greatly appreciated.is this still a problem?
-
Problem with a simple GRE tunnel
Hello everyone:
I have a problem with a simple GRE tunnel, and can not make it work, the problem lies in the instruction "tunnel source loopback-0" if I use this command does not work, now if I use "tunnel source <ip wan >" if it works, someone can tell me why?
Thanks for your help
Router 1: 2811
version 12.4
no service password-encryption
hostname cisco2811
no aaa new-model
ip cef
interface Loopback0
ip address 2.2.2.2 255.255.255.255
interface Tunnel0
ip address 10.10.1.1 255.255.255.0
tunnel source Loopback0
tunnel destination 217.127.XXX.188
interface Tunnel1
ip address 10.10.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination 80.32.XXX.125
interface FastEthernet0/0
description LOCAL LAN Interface
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/1
description WAN Interface
ip address 195.77.XXX.70 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 195.77.XXX.65
ip route 192.168.3.0 255.255.255.0 Tunnel0
ip route 192.168.4.0 255.255.255.0 Tunnel1
ip nat inside source route-map salida-fibra interface FastEthernet0/1 overload
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
route-map salida-fibra permit 10
match ip address 120
Router 2: 2811
version 12.4
service password-encryption
ip cef
no ip domain lookup
multilink bundle-name authenticated
username admin privilege 15 password 7 104CXXXXx13
interface Loopback0
ip address 4.4.4.4 255.255.255.255
interface Tunnel0
ip address 10.10.1.2 255.255.255.0
tunnel source Loopback0
tunnel destination 195.77.XXX.70
interface Ethernet0
ip address 192.168.3.251 255.255.255.0
ip nat inside
ip virtual-reassembly
hold-queue 100 out
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
ip address 217.127.XXX.188 255.255.255.192
ip nat outside
ip virtual-reassembly
no ip route-cache
no snmp trap link-status
pvc 8/32
encapsulation aal5snap
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.1.0 255.255.255.0 Tunnel0
ip nat inside source route-map nonat interface ATM0.1 overload
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.3.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120Hello, thank you for the answer, as to your question, I have no connectivity within the tunnel, whether from Router 1, I ping 10.10.1.2 not get response ...
Now both routers remove the loopback, and the interface tunnel 0 change the tunnel source to "tunnel source " tunnel works perfectly, the problem is when I have to use the loopback. Unfortunately achieved when the tunnel work, this will have to endure multicast, and all the examples found carrying a loopback as' source '... but this is a step back ..
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.10.1.1/24
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2.2.2.2 (Loopback0), destination 217.127.XXX.188
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 09:04:38, output 00:00:19, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
11101 packets output, 773420 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out -
Interface Bridging Into GRE Tunnel
Hello all, I was wondering if it is still possible as I know it was never supported to bridge a layer 2 interface directly into a GRE tunnel. I have a customer that currently has a dedicated L2 circuit and a new L3 connection, he wants to move his L2 device to his L3 link to save money on circuits. The issue that I have is he does not want to change his IP addresses and the layer 2 network terminates in another location 20 miles away. The layer 3 routed network is also between both buildings and I can create a GRE tunnel between the 2 locations without touching the Internet. I have tried this using a 2921 router runnning IOS 15.4(2)T1 but the bridge-group command is not available on the GRE tunnel interface.
I have also looked at pseudowire and cannot find the commands related to this, do I need to upgrade my license to security?
Cheers
StuartIt's a hidden command. Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
Keep in mind there are better solutions for this kind of connections. But you can try it, it's simple anyways.
Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
2. Create bridge:
router(config)#bridge 1 protocol ieee
3. Create a GRE tunnel interface (dont configure IP's):
router(config)# interface tun0
router(config-if)# tun source loopback x
router(config-if)# tun destination <other router loopback ip>
router(config-if)# bridge-group 1
**This is a hidden cmd. You will get a warning message, but ignore it**
3. Attach Physical Interface to Bridge as well:
router(config)# interface Fa0/0
router(config-if)# bridge-group 1
4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
You can try this on GNS3 as well. I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier. It also helps to understand the newer versions/enhancements to this as well.
HTH -
Anybody know the default mtu setting on a gre tunnel interface such as this?:
interface Tunnel1
description "xxx"
ip address x.x.x.x 255.255.255.252
tunnel source Loopback1
tunnel destination x.x.x.x
I'm asking cause on the core redundant to this one where I've copied code from, the config line 'ip mtu 1500' is configured. I want to make sure these are matched up.
Thanks in advance.
/rlsRobert,
Sorry, I spoke too soon. I should have focused on your question, which is "IP MTU" and referred you to the command "show ip interface Tu0" instead of "show interface tu0".
GRE packets are formed by the addition of the original packets and the required GRE
headers. These headers are 24-bytes in length and since these headers are added to the
original frame, depending on the original size of the packet we may run into IP MTU
problems.
Even though the maximum IP datagram has been defined as 64K, most links enforce a smaller
maximum size for the packets. This maximum size is known as MTU (Maximum Transmission
Unit) and as you also know, different types of media have different MTU sizes they can
accommodate and transport. The most common IP MTU is 1500-bytes in length (Ethernet).
The IP implementation, as we know it, provides a mechanism to allow routers the
fragmentation and transmission of packets larger if there are differences in the MTU and a
packet is larger than what the outgoing media will support. Once a packet has been
fragmented to be sent over a media that will not support the original packet size, the end
station is responsible for the reassembly of the different fragments the original packet
was broken into.
GRE tunnels normally calculate their IP MTU size based on the physical link they will use
as the outgoing interface.
What you see in âshow interface Gig Xâ is the MTU of the interface and NOT the IP MTU.
In order for you to see the IP MTU you need to use the âshow ip interface Gig Xâ
When the tunnel is created, it deducts the 24-bytes it needs to encapsulate the passenger
protocols and that is the IP MTU it will use.
For example, if we are forming a tunnel over FastEthernet (IP MTU 1500) the IOS calculates
the IP MTU on the tunnel as:
1500-bytes from Ethernet - 24-bytes for the GRE encapsulation = 1476-Bytes
Let me explain this with a simple set up:
Lets say I configure a Tunnel interface and sourcing it via a physical interface which has an MTU of 1500, then the Tunnel
interface will have IP MTU of 1476, leaving space for the 24 byte GRE Header.
In my case, I am sourcing the packets from Gig0/0 which has physical interface of MTU 1500, so when I do a "show ip int Tu0",
You will see that the IP MTU is 1476.
Router#sh run int gi0/0
Building configuration...
Current configuration : 118 bytes
interface GigabitEthernet0/0
ip address 10.89.245.253 255.255.255.0
duplex auto
speed auto
media-type rj45
end
Router#sh run int tu0
Building configuration...
Current configuration : 127 bytes
interface Tunnel0
ip address 1.1.1.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 10.89.245.1
end
Router#sh int gi 0/0
GigabitEthernet0/0 is up, line protocol is up
Internet address is 10.89.245.253/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
Router#sh ip int tu 0
Tunnel0 is up, line protocol is up
Internet address is 1.1.1.1/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1476 bytes
Now, lets say I lower the IP MTU value on Gi0/0 to 1400, What should be the default new value on the tunnel interface?? You
are absolutely right, 1376 :-)
Router#sh run int gi0/0
Building configuration...
Current configuration : 131 bytes
interface GigabitEthernet0/0
ip address 10.89.245.253 255.255.255.0
ip mtu 1400
duplex auto
speed auto
media-type rj45
end
Router#sh ip int tu0
Tunnel0 is up, line protocol is up
Internet address is 1.1.1.1/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1376 bytes
Please standby.... More to follow in the second post due to character limitation
Regards,
Arul
** Please rate all helpful posts ** -
Congestion on encrypted GRE tunnel
Hello
I have an encrypted GRE tunnel from a remote office to our data centre. I am using ADSL for the remote office connectivity and occasionally the line gets congested on the upstream.
I am also using the ADSL line in the remote office to access the internet (HTTP, POP3 etc) over NAT.
When the line is congested I require that my RDP(tcp 3389) and ICA(tcp 1494) between the remote office and the data centre through the GRE tunnel have priority over all other traffic.
What is the best way the achieve this ?
Class Based Weighted Fair Queuing was my initial thought however I cannot attach the service policy to the GRE tunnel.
Any help would be greatly appreciated.
Thanks in advance.
MartinPlease see the document 'Quality of Service Options on GRE Tunnel Interfaces' at http://www.cisco.com/warp/public/105/qostunnel.html
-
Hi
I am looking for adding QoS for GRE Tunnel and found this info
Where Do I Apply the Service Policy?
You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.
Apply the policy to a physical interface and enable qos-preclassify on a tunnel interface when you want to classify packets based on the pre-tunnel header.
In our environment, I am using service policy under serial interface, the source interface of Tunnel is F0/0, so from above info, which interface is "physical interface" for my case, serial or F0/0 ?
Thanks. LeoHello
You should determine which one is the physical interface by checking which interface (again, physical) will be used to router GRE packets towards the destination.
For instance, you state that your tunnel configuration is as follows:
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source FastEthernet0/0
tunnel destination 192.168.1.1
If the destination ip 192.168.1.1 is routed via your serial interface, then the physical interface that you will use to apply your Output service policy is SerialX/X.
Your setup seems correct. You only need to review if your policies are correctly configured for the pre-gre header or the GRE encapsulated packets (as stated in the documentation
Adolfo -
Hi,
Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
thanx and regards,
Shakeel AhmadI have a problem with MPLS over GRE. When i try to apply a policy to shape the traffic it seems that the default-class dosent see the mpls packets.
Im trying to shape the traffic to 256k but it seems that the shaping never are activated.
Anyone have any idea how to solve this?
Example:
class-map match-all PING
match access-group 171
policy-map class-default
class PING
bandwidth percent 15
policy-map PING
class class-default
shape average 256000
service-policy class-default
INterfacexx
service-policy output PING
access-list 171 permit icmp any any -
How many numbers of GRE Tunnels are supported on Cisco 3925 router?
Hi...
I would like to know that.......
How many numbers of GRE Tunnels are supported on Cisco 3925 router?
Thanks....This is what I found in my search:
There may be factors such as memory constraints that will place practical limits on how many tunnels you can support. But there is also a hard limit on the number of tunnels that you can configure. That limit is based on the limitation of the number of IDBs supported by your router. The IDB is the Interface Descriptor Block and each interface (physical, or tunnel, or loopback, or whatever) requires an IDB. The number of IDBs will vary by platform and sometimes by release level of the code that you are running. You can use the privileged command show idb to see what the limitation is on your router. On the 1841 router that I just checked the limit on IDB is 1200 (which is a pretty large number - I believe that you would encounter other limits on performance or on size of configuration before you exhaust the IDB limit).
https://supportforums.cisco.com/thread/2007932
Hope it helps.
Jatin Katyal
- Do rate helpful posts - -
Dear expert,
Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
--ranIt's a hidden command. Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
Keep in mind there are better solutions for this kind of connections. But you can try it, it's simple anyways.
Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
2. Create bridge:
router(config)#bridge 1 protocol ieee
3. Create a GRE tunnel interface (dont configure IP's):
router(config)# interface tun0
router(config-if)# tun source loopback x
router(config-if)# tun destination <other router loopback ip>
router(config-if)# bridge-group 1
**This is a hidden cmd. You will get a warning message, but ignore it**
3. Attach Physical Interface to Bridge as well:
router(config)# interface Fa0/0
router(config-if)# bridge-group 1
4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
You can try this on GNS3 as well. I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier. It also helps to understand the newer versions/enhancements to this as well.
HTH
Maybe you are looking for
-
How do i replace my hard drive? dv4
I have a Pavilion DV4 Entertainment Laptop. I replaced the hard drive and now it is acting like the drive isn't installed. When I check BIOS, it says no HDD exists. Is there something I am missing? I made sure the drive is seated, it has 3 screws
-
OS 4.5 Calendar Problems
Hello, Here is my device information: Blackberry 8310 OS Version: 4.5.0.110 Carrier: AT&T using B.I.S. Three POP Email Accounts The problem is as follows: After upgrading to the new OS, I noticed that I have duplicate calendar appointments on m
-
Access AM method from backing bean - best practice
Hello, I need to call an appModule method from a backing bean. What is better? 1. Resolve bindings.AMDataControl.dataProvider, get AM and invoke the method directly or 2. Create method action in page definition, resolve OperationBinding from it's bin
-
Lately I have been experiencing the Internet shutting down and the phone returning to the home screen. Is this normal or a defect with the phone?
-
Backing up songs on iPod????
Hi there, I want to send my iPod off for repair but I also want all my songs so when it returns I can reload all the songs back on it. Does anyone know how to save the songs off the iPod onto the computer or CDROM's so I can keep all my music??? Than