Trying to shutdown GRE tunnels based on status of BGP peer

Similar Messages

• Windows Replication RPC Problems with IPSec GRE Tunnel

  We have been having significant issue in troubleshooting random RPC errors with our directory controllers (MS AD 2008R2) and our distributed file shares.  Both services will randomly stop working, throwing RPC errors as the resulting cause.  We have been all over both Cisco and Microsoft forums in trying to troubleshoot this problem.  I'm trying to the Cisco forums first to see if anyone has any network layer thoughts as to best practices or ways to configure the tunnel.
  Our network is simple: two small branch offices connected to each other with two Cisco 2901 ISRs.  An IPSec GRE tunnel exists between both offices.  Interoffice bandwidth is approximately 10mbps.  Pings between offices work, remote desktop works most of the time, file transfers work, and DNS lookups work across both locations.  We really don't have a complicated environment, I'd think it wouldn't be too hard to set up.  But this just seems to be escaping me.  I can't think of anything at the network layer that would be causing problems but I was curious whether anyone else out there with knowledge of small office VPNs might be able to render some thoughts on the matter.
  Please let me know if there is anything further people need to see.  My next step is MS forums but I wanted to eliminate layer 3 first.
  Tunnel Config:
  crypto map outside_crypto 10 ipsec-isakmp
  set peer x.x.x.x
  set transform-set ESP-AES-SHA
  match address 102
  crypto ipsec df-bit clear
  interface Tunnel0
  bandwidth 10240
  ip address x.x.x.x x.x.x.x
  no ip redirects
  ip mtu 1420
  ip virtual-reassembly in
  zone-member security in-zone
  ip tcp adjust-mss 1375
  tunnel source GigabitEthernet0/0
  tunnel destination x.x.x.x
  crypto ipsec df-bit clear
  end

  Hi,
  Based on the third-party article below, you can setup VPN connection between Windows VPN client and Cisco firewall:
  Step By Step Guide To Setup Windows 7/Vista VPN Client to Remote Access Cisco ASA5500 Firewall
  What is the Windows server 2008 R2 for, a RADIUS server? If yes, maybe the links below would be helpful to you:
  RADIUS: Configuring Client VPN with Windows 2008 Network Policy Server (NPS) RADIUS Authentication
  Configuring RADIUS Server on Windows 2008 R2 for Cisco Device Logins
  RADIUS authentication for Cisco switches using w2k8R2 NPS
  Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
  Best regards,
  Susie

• IP routing utilizing Verizon private network (GRE tunnel) with remote cellular gateways

  Okay, I give up, and think I have done my due diligence (I have been engrossed and fascinated spending many more hours than allotted to try and learn some of the finer details).  Time for some advice.  My usual trade is controls engineering which generally require only basic knowledge of networking principals.  However I recently took a job to integrate 100 or so lift stations scattered around a county into a central SCADA system.  I decided to use cellular technology to connect these remote sites back to the main SCADA system.  Well the infrastructure is now in and it’s time to get these things talking.  Basic topology description is as follows:  Each remote site has an Airlink LS300 gateway.  Attached to the gateway via Ethernet is a system controller that I will be polling via Modbus TCP from the main SCADA system.  The Airlinks are provisioned by Verizon utilizing a private network with static IP's.  This private networks address is 192.168.1.0/24.  Back at the central office the SCADA computer is sitting behind a Cisco 2911.  The LAN address of the central office is 192.168.11.0/24.  The 2911 is utilizing GRE tunnels that terminate with Verizon.  The original turn up was done with another contractor that did a basic config of the router which you will find below.  As it stands now I am pretty confident the tunnels are up and working (if I change a local computers subnet to 255.255.0.0 I can surprisingly reach the airlinks in the field), but this is obviously not the right way to solve the problem, not to mention I was unable to successfully poll the end devices on the other side of the Airlinks.  I think I understand just about every part of the config below and think it is just missing a few items to be complete.  I would greatly appreciate anyone’s help in getting this set up correctly.  I also have a few questions about the set up that still don’t make sense to me, you will find them below the config.  Thanks in advance.
  no aaa new-model
  ip cef
  ip dhcp excluded-address 10.10.10.1
  ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1 
   lease 0 2
  ip domain name yourdomain.com
  no ipv6 cef
  multilink bundle-name authenticated
  username cisco privilege 15 one-time secret 
  redundancy
  crypto isakmp policy 1
  encr 3des
  hash md5
   authentication pre-share
   group 2
  crypto isakmp key AbCdEf01294 address 99.101.15.99  
  crypto isakmp key AbCdEf01294 address 99.100.14.88 
  crypto ipsec transform-set VZW_TSET esp-3des esp-md5-hmac 
  mode transport
  crypto map VZW_VPNTUNNEL 1 ipsec-isakmp 
   description Verizon Wireless Tunnel
   set peer 99.101.15.99
   set peer 99.100.14.88
   set transform-set VZW_TSET 
   match address VZW_VPN
  interface Tunnel1
   description GRE Tunnel to Verizon Wireless
   ip address 172.16.200.2 255.255.255.252
   tunnel source 22.20.19.18
   tunnel destination 99.101.15.99
  interface Tunnel2
  description GRE Tunnel 2 to Verizon Wireless
   ip address 172.16.200.6 255.255.255.252
   tunnel source 22.20.19.18
   tunnel destination 99.100.14.88
  interface Embedded-Service-Engine0/0
   no ip address
   shutdown
  interface GigabitEthernet0/0
   description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
   ip address 10.10.10.1 255.255.255.248
   shutdown
   duplex auto
   speed auto
  interface GigabitEthernet0/1
   ip address 192.168.11.1 255.255.255.0
   duplex auto
   speed auto
  interface GigabitEthernet0/2
   ip address 22.20.19.18 255.255.255.0
  duplex full
   speed 100
   crypto map VZW_VPNTUNNEL
  router bgp 65505
   bgp log-neighbor-changes
   network 0.0.0.0
   network 192.168.11.0
   neighbor 172.16.200.1 remote-as 6167
   neighbor 172.16.200.5 remote-as 6167
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip route 0.0.0.0 0.0.0.0 22.20.19.19
  ip access-list extended VZW_VPN
   permit gre host 99.101.15.99 host 22.20.19.18
   permit icmp host 99.101.15.99 host 22.20.19.18
   permit esp host 99.101.15.99 host 22.20.19.18
   permit udp host 99.101.15.99 host 22.20.19.18 eq isakmp
   permit gre host 22.20.19.18 host 99.101.15.99
   permit gre host 22.20.19.18 host 99.100.14.88
  access-list 23 permit 10.10.10.0 0.0.0.7
  control-plane
  end
  So after spending countless hours analyzing every portion of this,  I think that adding one line to this will get it going (or at least closer).
  ip route 192.168.1.0 255.255.0.0 22.20.19.19
  That should allow my internal LAN to reach the Airlink gateways on the other side of the tunnel (I think)
  Now for a couple of questions for those that are still actually hanging around.
  #1 what is the purpose of the Ethernet address assigned to each tunnel?  I only see them being used in the BGP section where they are receiving routing tables from the Verizon side (is that correct?).  Why wouldn't or couldn't you just use the physical Ethernet address interface in its place (in the BGP section)?
  #2 is the config above correct in pointing the default route to the physical Ethernet address?  Does that force the packets into the tunnel, or shouldn’t you be pointing it towards the tunnel IP's (172.16.200.2)?  If the config above is correct then I should not need to add the route I described above as if I ping out to 192.168.1.X that should catch it and force it into the tunnel where Verizon would pick it up and know how to get it to its destination??
  #3 Will I need to add another permit to the VZW_VPN for TCP as in the end I need to be able to poll via Modbus which uses port 502 TCP.  Or is TCP implicit in some way with the GRE permit?
   I actually have alot more questions, but I will keep reading for now.
  I really appreciate the time you all took to trudge through this.  Also please feel free to point anything else out that I may have missed or that can be improved.  Have a great day!

  This post is a duplicate of this thread
  https://supportforums.cisco.com/discussion/12275476/proper-routing-lan-through-verizon-private-network-gre-airlink-gateways
  which has a response. I suggest that all discussion of this question be done through the other thread.
  HTH
  Rick

• Percentage based on Status using per group

  Hi Gurus,
  Can you help me with this? You have any approach of getting the percentage based on status using per group?
  Currently I have this code below but it doesn’t have result but no error. I am trying to get the % In Complete.
  <?xdofx:(sum(current-group()/NUMINCOMPLETE)/(sum(NUMSUBMITTED) + sum(NUMCOMPLETED) + sum(NUMINPROGRESS) + sum(NUMINCOMPLETE)))*100?>
  Thanks Much,
  JP
  Edited by: BIPnewbie on Feb 6, 2012 3:05 AM

  Use this:
  <?xdoxslt:div(sum(current-group()/NUMINCOMPLETE), ((sum(NUMSUBMITTED) + sum(NUMCOMPLETED) + sum(NUMINPROGRESS) + sum(NUMINCOMPLETE)))*100?>
  Thanks,
  Bipuser

• Auto numbering Column id and filter this lookup id in another list based on status="active"

  Hi,
  I am trying to autonumbeirng the column id with default column ID. But it is not reset if i delete the list item. Also i want this id in another column which have status="Active". How i will do this?
  Thanks in Advance.
  Roopesh

  Hi,
  According to your description, my understanding is that you want to reset the column ID when you delete the list item and then you want to filter the id in another list based on status.
  For resetting column id, there is no direct way to achieve it. I suggest you can save the list as a template and recreate the list. ID columns will always keep incrementing and will never be reused.
  Here is a similar thread about reset column ID for your reference:
  https://social.technet.microsoft.com/Forums/sharepoint/en-US/848a3d73-6273-45fa-806f-96312a4d71d1/is-there-anyway-to-reset-the-default-id-number-that-sharepoint-gives-to-an-item-back-to-1?forum=sharepointgeneralprevious
  For filtering look up field, here are some detailed demos for your reference:
  http://filteredlookup.codeplex.com/
  https://social.technet.microsoft.com/Forums/en-US/d23d6e9b-dc7b-4741-8746-dd4bf00b8110/how-to-filter-lookup-column-in-sharepoint-2010
  v
  Thanks
  Best Regards
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Jerry Guo
  TechNet Community Support

• GRE Tunnel and static PAT

  Hi to all,
  I would like to know if it is possible to create a static Port Address Translation (PAT) that would translate a routable IP address to a private address where  a GRE tunnel would end.
  In other words, I am trying to see if we can use a static PAT for a GRE tunnel like the one that we can used to reach a HTTP server using a private IP address via static PAT to a routable IP address.
  Just trying to see if it is possible to initiate a GRE tunnel from 192.168.1.1 (R1) and used 1.1.1.1 (R2), IP address reachable via internet, as destination address, in the case where we would do a PAT translation on R2 in order to actually terminate the tunnel on R3 router. The static PAT on R2 would translate 1.1.1.1 to 172.16.1.2.
  I am basically looking for an equivalent to the following static PAT but for GRE tunnel
            ip nat inside source static tcp 10.10.10.5 80 192.168.2.1 80
  Thanks for your help
  Stephane

  Hello Stephane,
  GRE is neither TCP nor UDP, GRE has its own protocol number 47. You can allow the traffic by either by calling GRE instead of TCP or UDP or by just putting a normal IP static NAT entry.
  Extended IP access list GRE
      10 permit tcp any any eq 47 log <--- No Hits
      15 permit tcp any any log          <--- No Hits
      20 permit udp any any eq 47 log <--- No Hits
      25 permit udp any any log          <--- No Hits
      30 permit gre any any log (20 matches)
      40 permit ip any any (43 matches)
  *Mar  1 00:27:48.435: IP: tableid=0, s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), routed via FIB
  *Mar  1 00:27:48.435: IP: s=10.10.10.2 (local), d=10.10.10.1 (Tunnel1), len 100, sending
  *Mar  1 00:27:48.435:     ICMP type=0, code=0
  *Mar  1 00:27:48.435: IP: s=192.168.9.5 (Tunnel1), d=192.168.8.2 (FastEthernet0/0), len 124, sending, proto=47
  I hope it helps great for you. Please rate if you fell this is helpfull.
  Thanks,
  Kasi

• GRE Tunnel/NAT with multiple subnets and interfaces

  So, I am not sure if we are trying to accomplish too many things at once and what we are attempting to do is not possible or if we are missing something in our configurations...
  Here is the situation...
  We are migrating some equipment between datacenters.  The equipment only a has a /27 worth of IP space assigned to it so we cannot simply "move" the IP space to the new datacenter.  Further because we have several VPNs terminated in the old IP space that originate from devices we do not directly control and are essential in continuing to provide service, it was/is difficult to magically update some DNS entries and change IP addresses overnight.  The last twist in this puzzle is that at the new datacenter, we will deploying some new equipment that will be in a separate subnet (with a separate Windows AD structure) but sharing the new public IP space we have in the new datacenter.
  We thought using a GRE tunnel, some trunks, and a bunch of NATs would make the whole process easy and we tested ti in a lab and everything SEEMED to work.  However, when we performed the move we ran into an odd issue that we were unable to figure out and had to go back to a failsafe configuration that has the essentials up and running, but the environment is not running in an ideal way for us to gradually transition as we would like.
  Essentially what we had/have and how it was configured is as follows:
  Site A
  Edge Router - x.x.x.x /24 BGP announcement
  x.x.x.y/27 that is within the /24 that we need at site b
  GRE tunnel configuration
  interface tunnel0
    ip address 10.x.x.1 255.255.255.252
    tunnel source <router edge IP>
    tunnel destination <site b router edge ip>
    keepalive 10 3
  static route for site a public ip to bring it to site b via GRE tunnel
  ip route x.x.x.y 255.255.255.224 10.x.x.2
  Site B
  Edge Router - y.y.y.y /24 BGP announcement
  Similar GRE tunnel configuration (tunnel comes out and works so don't think issue is here)
  2 Vlans (1 for site a ip space, 1 for site b ip space)
  int vlan 50
  ip address x.x.x.1 /27
  int vlan 51
  ip address y.y.y.129 /25
  Trunk port for the VLANs going down to an ASA
  int g1/1
    swi mode trunk
    swi trunk native vlan 51
    swi tru all vlan 50,51
    swi tru en dot1q
  Then on the ASA, I have 2 physical interfaces for 4 logical interfaces (outside, outsideold, inside, insideold)
  int e0/0
   nameif outside
   sec 0
   ip address y.y.y.130 /25
  int e0/0.50
   nameif outsideold
   sec 0
   ip address x.x.x.2 /27
   vlan 51
  int e0/1
    nameif inside
    sec 100
    ip address 192.168.y.1 /24
  int e0/1.60
    nameif insideold
    sec 100
    ip address 192.168.x.1 /24
    vlan 60
  A static route using the new ip space on the native outside interface...
  route 0 0 y.y.y.129
  And then I have some nat rules which is where I think things go a little haywire...
  object network obj-y.y.y.0-24
    subnet y.y.y.0 255.255.255.0
   nat (inside,outside) dynamic interface
  object network obj-x.x.x.0-24
    subnet x.x.x.0 255.255.255.0
   nat (insideold,outside) dynamic interface
  object network obj-y.y.y.135-160
    range y.y.y.135 y.y.y.160
  object network obj-192.168.y.135-160
    range 192.168.y.135 192.168.y.160
    nat (inside,outside) static obj-y.y.y.135-160
  object network obj-x.x.x.10-20
    range x.x.x.10 x.x.x.20
  object network obj-192.168.x.10-20
    range 192.168.x.10 192.168.x.20
    nat (insideold,outsideold) static obj-x.x.x.10-20
  From some debugging and looking at packet-tracer, I found out I left out the below which was needed to properly nat traffic as it leaves the outside interface (when the default sends the traffic)
  object network obj-192.168.x.10-20-2
    range 192.168.x.10 192.168.x.20
    nat (insideold,outside) static obj-x.x.x.10-20
  There are / were a bunch of other nat exemptions for the VPNs and specific external routes to ensure all vpn traffic exited the "outsideold" interface which is where all the existing tunnels were terminated.
  Everything appeared to be working great as all the VPN tunnels came up perfectly as expected and traffic appeared to be flowing, except for some of the most important traffic.  The following was what was observed:
  1.  Any traffic using the dynamic NAT (ie...a machine with IP x.x.x.200 or y.y.y.20) would connect to the internet perfectly and work fine using the "new interface ip".
  2.  Any traffic in the "new range" using a one to one nat worked perfectly (ie y.y.y.140).  Internet would work etc and nat translation would properly occur and everything could connect fine as expected.
  3.  ICMP packets to "old ip range" flowed perfectly fine to one to one nat IP (ie I could ping x.x.x.20 from outside) and likelise I could ping anywhere on the internet from a machine with a static natted ip.
  4.  Heres the butt...no traffic other than ICMP would reach these machines with static ips.  Same range, same subnet as ones using the dynamic port translation that worked perfectly.  Do not understand why this was / is the case and this is what I am seeking a solution to.  I have attempted the following troubleshooting steps without success:
  A. Confirmed MTU size was not an issue with the GRE tunnel.  2 methods, one plugging to edge router and using the "outsideold" ip space works perfectly and 2 if I assign outsideold ip space to "outside" interface, everything nats fine.
  B. Ran packet-tracer, all results show "allow" as if I should be seeing the packets.
  C. Confirmed local windows machine firewall was off and not blocking anything.
  D. Reviewed logs and observed SYN timeouts and TCP teardowns as if the firewall is not getting a response and this is where I am stumped.  There is no path around the firewall so asymmetric routing should not be an issue and if that was the problem it should not work when the "outsideold" ip space is assigned and natted from the "outside" interface, but it does.  Packet-tracer shows proper nat translations occurring and there is definitely proper routing along the path for stuff to return to the network or ICMP would not work (IE I can ping www.google.com but not open the web page).
  So what simple piece of the nat configuration am I overlooking because I cannot possible wrap my head around it being anything else.
  Any suggestions / lessons would be greatly appreciated.

  is this still a problem?

• Problem with a simple GRE tunnel

  Hello everyone:
  I have a problem with a simple GRE tunnel, and can not make it work, the problem lies in the instruction "tunnel source loopback-0" if I use this command does not work, now if I use "tunnel source <ip wan >" if it works, someone can tell me why?
  Thanks for your help
  Router 1: 2811
  version 12.4
  no service password-encryption
  hostname cisco2811
  no aaa new-model
  ip cef
  interface Loopback0
  ip address 2.2.2.2 255.255.255.255
  interface Tunnel0
  ip address 10.10.1.1 255.255.255.0
  tunnel source Loopback0
  tunnel destination 217.127.XXX.188
  interface Tunnel1
  ip address 10.10.2.1 255.255.255.0
  tunnel source Loopback0
  tunnel destination 80.32.XXX.125
  interface FastEthernet0/0
  description LOCAL LAN Interface
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface FastEthernet0/1
  description WAN Interface
  ip address 195.77.XXX.70 255.255.255.248
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 195.77.XXX.65
  ip route 192.168.3.0 255.255.255.0 Tunnel0
  ip route 192.168.4.0 255.255.255.0 Tunnel1
  ip nat inside source route-map salida-fibra interface FastEthernet0/1 overload
  access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
  access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
  access-list 120 permit ip 192.168.1.0 0.0.0.255 any
  route-map salida-fibra permit 10
  match ip address 120
  Router 2: 2811
  version 12.4
  service password-encryption
  ip cef
  no ip domain lookup
  multilink bundle-name authenticated
  username admin privilege 15 password 7 104CXXXXx13
  interface Loopback0
  ip address 4.4.4.4 255.255.255.255
  interface Tunnel0
  ip address 10.10.1.2 255.255.255.0
  tunnel source Loopback0
  tunnel destination 195.77.XXX.70
  interface Ethernet0
  ip address 192.168.3.251 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  hold-queue 100 out
  interface ATM0
  no ip address
  no ip route-cache cef
  no ip route-cache
  no atm ilmi-keepalive
  dsl operating-mode auto
  interface ATM0.1 point-to-point
  ip address 217.127.XXX.188 255.255.255.192
  ip nat outside
  ip virtual-reassembly
  no ip route-cache
  no snmp trap link-status
  pvc 8/32
  encapsulation aal5snap
  ip route 0.0.0.0 0.0.0.0 ATM0.1
  ip route 192.168.1.0 255.255.255.0 Tunnel0
  ip nat inside source route-map nonat interface ATM0.1 overload
  access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 120 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 120 permit ip 192.168.3.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 120

  Hello, thank you for the answer, as to your question, I have no connectivity within the tunnel, whether from Router 1, I ping 10.10.1.2 not get response ...
  Now both routers remove the loopback, and the interface tunnel 0 change the tunnel source to "tunnel source " tunnel works perfectly, the problem is when I have to use the loopback. Unfortunately achieved when the tunnel work, this will have to endure multicast, and all the examples found carrying a loopback as' source '... but this is a step back ..
  Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.10.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
  reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 2.2.2.2 (Loopback0), destination 217.127.XXX.188
  Tunnel protocol/transport GRE/IP
  Key disabled, sequencing disabled
  Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 09:04:38, output 00:00:19, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  0 packets input, 0 bytes, 0 no buffer
  Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  11101 packets output, 773420 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 unknown protocol drops
  0 output buffer failures, 0 output buffers swapped out

• Interface Bridging Into GRE Tunnel

  Hello all, I was wondering if it is still possible as I know it was never supported to bridge a layer 2 interface directly into a GRE tunnel. I have a customer that currently has a dedicated L2 circuit and a new L3 connection, he wants to move his L2 device to his L3 link to save money on circuits. The issue that I have is he does not want to change his IP addresses and the layer 2 network terminates in another location 20 miles away. The layer 3 routed network is also between both buildings and I can create a GRE tunnel between the 2 locations without touching the Internet. I have tried this using a 2921 router runnning IOS 15.4(2)T1 but the bridge-group command is not available on the GRE tunnel interface.
  I have also looked at pseudowire and cannot find the commands related to this, do I need to upgrade my license to security?
  Cheers
  Stuart

  It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
  Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
  Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
  1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
  2. Create bridge:
  router(config)#bridge 1 protocol ieee
  3. Create a GRE tunnel interface (dont configure IP's):
  router(config)# interface tun0
  router(config-if)# tun source loopback x
  router(config-if)# tun destination <other router loopback ip>
  router(config-if)# bridge-group 1
  **This is a hidden cmd. You will get a warning message, but ignore it**
  3. Attach Physical Interface to Bridge as well:
  router(config)# interface Fa0/0
  router(config-if)# bridge-group 1
  4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
  You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
  Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
  HTH

• GRE tunnel default MTU

  Anybody know the default mtu setting on a gre tunnel interface such as this?:
  interface Tunnel1
  description "xxx"
  ip address x.x.x.x 255.255.255.252
  tunnel source Loopback1
  tunnel destination x.x.x.x
  I'm asking cause on the core redundant to this one where I've copied code from, the config line 'ip mtu 1500' is configured. I want to make sure these are matched up.
  Thanks in advance.
  /rls

  Robert,
  Sorry, I spoke too soon. I should have focused on your question, which is "IP MTU" and referred you to the command "show ip interface Tu0" instead of "show interface tu0".
  GRE packets are formed by the addition of the original packets and the required GRE
  headers. These headers are 24-bytes in length and since these headers are added to the
  original frame, depending on the original size of the packet we may run into IP MTU
  problems.
  Even though the maximum IP datagram has been defined as 64K, most links enforce a smaller
  maximum size for the packets. This maximum size is known as MTU (Maximum Transmission
  Unit) and as you also know, different types of media have different MTU sizes they can
  accommodate and transport. The most common IP MTU is 1500-bytes in length (Ethernet).
  The IP implementation, as we know it, provides a mechanism to allow routers the
  fragmentation and transmission of packets larger if there are differences in the MTU and a
  packet is larger than what the outgoing media will support. Once a packet has been
  fragmented to be sent over a media that will not support the original packet size, the end
  station is responsible for the reassembly of the different fragments the original packet
  was broken into.
  GRE tunnels normally calculate their IP MTU size based on the physical link they will use
  as the outgoing interface.
  What you see in “show interface Gig X” is the MTU of the interface and NOT the IP MTU.
  In order for you to see the IP MTU you need to use the “show ip interface Gig X”
  When the tunnel is created, it deducts the 24-bytes it needs to encapsulate the passenger
  protocols and that is the IP MTU it will use.
  For example, if we are forming a tunnel over FastEthernet (IP MTU 1500) the IOS calculates
  the IP MTU on the tunnel as:
  1500-bytes from Ethernet - 24-bytes for the GRE encapsulation = 1476-Bytes
  Let me explain this with a simple set up:
  Lets say I configure a Tunnel interface and sourcing it via a physical interface which has an MTU of 1500, then the Tunnel
  interface will have IP MTU of 1476, leaving space for the 24 byte GRE Header.
  In my case, I am sourcing the packets from Gig0/0 which has physical interface of MTU 1500, so when I do a "show ip int Tu0",
  You will see that the IP MTU is 1476.
  Router#sh run int gi0/0
  Building configuration...
  Current configuration : 118 bytes
  interface GigabitEthernet0/0
  ip address 10.89.245.253 255.255.255.0
  duplex auto
  speed auto
  media-type rj45
  end
  Router#sh run int tu0
  Building configuration...
  Current configuration : 127 bytes
  interface Tunnel0
  ip address 1.1.1.1 255.255.255.252
  tunnel source GigabitEthernet0/0
  tunnel destination 10.89.245.1
  end
  Router#sh int gi 0/0
  GigabitEthernet0/0 is up, line protocol is up
  Internet address is 10.89.245.253/24
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
  Router#sh ip int tu 0
  Tunnel0 is up, line protocol is up
  Internet address is 1.1.1.1/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1476 bytes
  Now, lets say I lower the IP MTU value on Gi0/0 to 1400, What should be the default new value on the tunnel interface?? You
  are absolutely right, 1376 :-)
  Router#sh run int gi0/0
  Building configuration...
  Current configuration : 131 bytes
  interface GigabitEthernet0/0
  ip address 10.89.245.253 255.255.255.0
  ip mtu 1400
  duplex auto
  speed auto
  media-type rj45
  end
  Router#sh ip int tu0
  Tunnel0 is up, line protocol is up
  Internet address is 1.1.1.1/30
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1376 bytes
  Please standby.... More to follow in the second post due to character limitation
  Regards,
  Arul
  ** Please rate all helpful posts **

• Congestion on encrypted GRE tunnel

  Hello
  I have an encrypted GRE tunnel from a remote office to our data centre. I am using ADSL for the remote office connectivity and occasionally the line gets congested on the upstream.
  I am also using the ADSL line in the remote office to access the internet (HTTP, POP3 etc) over NAT.
  When the line is congested I require that my RDP(tcp 3389) and ICA(tcp 1494) between the remote office and the data centre through the GRE tunnel have priority over all other traffic.
  What is the best way the achieve this ?
  Class Based Weighted Fair Queuing was my initial thought however I cannot attach the service policy to the GRE tunnel.
  Any help would be greatly appreciated.
  Thanks in advance.
  Martin

  Please see the document 'Quality of Service Options on GRE Tunnel Interfaces' at http://www.cisco.com/warp/public/105/qostunnel.html

• GRE Tunnel QoS

  Hi
  I am looking for adding QoS for GRE Tunnel and found this info
  Where Do I Apply the Service Policy?
  You can apply a service policy to either the tunnel interface or to the underlying physical interface. The decision of where to apply the policy depends on the QoS objectives. It also depends on which header you need to use for classification.
  Apply the policy to a physical interface and enable qos-preclassify on a tunnel interface when you want to classify packets based on the pre-tunnel header.
  In our environment, I am using service policy under serial interface, the source interface of Tunnel is F0/0, so from above info, which interface is "physical interface" for my case, serial or F0/0 ?
  Thanks. Leo

  Hello
  You should determine which one is the physical interface by checking which interface (again, physical) will be used to router GRE packets towards the destination.
  For instance, you state that your tunnel configuration is as follows:
  interface Tunnel0
  ip address 10.0.0.1 255.255.255.252
  tunnel source FastEthernet0/0
  tunnel destination 192.168.1.1
  If the destination ip 192.168.1.1 is routed via your serial interface, then the physical interface that you will use to apply your Output service policy is SerialX/X.
  Your setup seems correct. You only need to review if your policies are correctly configured for the pre-gre header or the GRE encapsulated packets (as stated in the documentation
  Adolfo

• MPLS over GRE Tunnel

  Hi,
  Can any one guide me about the benefits of MPLS over GRE Tunnels. Do this serve the purpose of MPLS (except TE, which is suppose is not possible on GRE Tunnels) as Layer-3 is already involved before Label Switching even starts.
  thanx and regards,
  Shakeel Ahmad

  I have a problem with MPLS over GRE. When i try to apply a policy to shape the traffic it seems that the default-class dosent see the mpls packets.
  Im trying to shape the traffic to 256k but it seems that the shaping never are activated.
  Anyone have any idea how to solve this?
  Example:
  class-map match-all PING
  match access-group 171
  policy-map class-default
  class PING
  bandwidth percent 15
  policy-map PING
  class class-default
  shape average 256000
  service-policy class-default
  INterfacexx
  service-policy output PING
  access-list 171 permit icmp any any

• How many numbers of GRE Tunnels are supported on Cisco 3925 router?

  Hi...
  I would like to know that.......
  How many numbers of GRE Tunnels are supported on Cisco 3925 router?
  Thanks....

  This is what I found in my search:
  There may be factors such as memory constraints that will place practical limits on how many tunnels you can support. But there is also a hard limit on the number of tunnels that you can configure. That limit is based on the limitation of the number of IDBs supported by your router. The IDB is the Interface Descriptor Block and each interface (physical, or tunnel, or loopback, or whatever) requires an IDB. The number of IDBs will vary by platform and sometimes by release level of the code that you are running. You can use the privileged command show idb to see what the limitation is on your router. On the 1841 router that I just checked the limit on IDB is 1200 (which is a pretty large number - I believe that you would encounter other limits on performance or on size of configuration before you exhaust the IDB limit).
  https://supportforums.cisco.com/thread/2007932
  Hope it helps.
  Jatin Katyal
  - Do rate helpful posts -

• Bridging over GRE tunnel

  Dear expert,
  Currently I have problem running bridging over GRE tunnel.We are using cisco 3640 but somehow under tunnel 0, the is no 'bridge-group 1' command.We are trying to get the IOS that support the command under tunnel 0 but to no avail.Can someone help me ? Thanks
  --ran

  It's a hidden command.  Even do, you might get a warning messasge stating this is obsolete and unsupported, it still technically a valid configuration. Legacy, but works.
  Keep in mind there are better solutions for this kind of connections.  But you can try it, it's simple anyways.
  Host1---Fa0/0--R1-------------GRE------------R2--Fa0/0---Host2
  1. Create a Loopback intf. on both routers and ensure L3 connectivity between them.
  2. Create bridge:
  router(config)#bridge 1 protocol ieee
  3. Create a GRE tunnel interface (dont configure IP's):
  router(config)# interface tun0
  router(config-if)# tun source loopback x
  router(config-if)# tun destination <other router loopback ip>
  router(config-if)# bridge-group 1
  **This is a hidden cmd. You will get a warning message, but ignore it**
  3. Attach Physical Interface to Bridge as well:
  router(config)# interface Fa0/0
  router(config-if)# bridge-group 1
  4. Configure the Hosts IP addresses to be on the same IP Segment and validate communication between them.
  You can try this on GNS3 as well.  I made a diagram and a brief explanation at another thread, but really don't remember how to get to it.
  Once again, this is legacy and there are better ways to achieve this. But for small implementations this is valid and easier.  It also helps to understand the newer versions/enhancements to this as well. 
  HTH