Monday, December 12, 2011

GRE TUNNELS + LAB

GRE

  • GRE (Generic Routing Encapsulation) is IP protocol 47. It is used to transport payload protocols over an IPv4 network.
  • It supports pretty much anything as its payload: IPv6, IPv4, CLNS, multicast and so on.
  • You can even encapsulate Frame Relay over it.
  • You are transparently tunnelling over multiple routers and switches from one endpoint to another, so the two devices believe they are directly connected.
  • Watch out: GRE must not learn the route to its tunnel destination via the tunnel itself. It needs a non-tunnel route for the tunnel destination, otherwise you will see an error similar to %TUN-5-RECURDOWN.
  • We should use a prefix list or some sort of filtering to ensure this.
  • GRE is stateless: the tunnel will stay up as long as it has a valid source. Also the destination must be in the routing table.
  • But if you have a static route pointing at the destination via an interface, it will be in the routing table regardless, so it is very possible the tunnel could be down on one end and up on the other.
  • There is a feature called tunnel keepalives, a lightweight mechanism that consistently checks reachability to the tunnel interface.
  • GRE is the default mode when we enter tunnel config mode.
  • GRE tunnel keepalives do not require the other end to support keepalives. The sender does this by encapsulating the GRE reply header inside the keepalive, so the destination strips the outer header and finds an inner header whose return address is the source.
  • Keepalive timers do not have to match on both ends; they are completely independent.

    Packet Format for IPV4 Gre Tunnel



Commands

int tunnel 1
ip address "ip"
tunnel source lo0
tunnel destination "remote end ip"

keepalive 5 4  - where 5 in this case is the keepalive period in seconds and 4 is the number of retries before the tunnel is considered down
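To make the packet format and the keepalive trick above concrete, here is an added example (not from the original post) that builds and strips GRE-over-IPv4 packets with the lab's loopback addresses. It assumes the plain RFC 2784 GRE header with no checksum, key or sequence bits, and a keepalive encoded as an inner IP/GRE reply with protocol type 0, which is how the post describes the far end being able to bounce it back without keepalive support of its own.

```python
import struct
import ipaddress

GRE_PROTO = 47            # outer IPv4 protocol number that carries GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload
KEEPALIVE_PTYPE = 0       # protocol type 0 marks the inner reply as a keepalive (assumed here)

def checksum(data):
    """RFC 1071 one's-complement sum used for the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """20-byte IPv4 header without options, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encap(tun_src, tun_dst, inner, ptype=ETHERTYPE_IPV4):
    """Outer IPv4 (proto 47) + 4-byte GRE header (flags/version 0, protocol type) + payload."""
    return ipv4_header(tun_src, tun_dst, GRE_PROTO, 4 + len(inner)) + struct.pack("!HH", 0, ptype) + inner

def gre_decap(packet):
    """Strip the outer IPv4 and GRE headers; returns (outer_src, outer_dst, gre_ptype, payload)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("not a GRE packet (outer IP protocol %d)" % packet[9])
    if checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    _flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    return src, dst, ptype, packet[ihl + 4:]

def gre_keepalive(local, remote):
    """Keepalive as the post describes it: the sender pre-builds the far end's reply.
    Inner: IP remote->local / GRE ptype 0.  Outer: IP local->remote / GRE IPv4.
    The far end only decapsulates and forwards the inner packet; no keepalive support needed."""
    inner = ipv4_header(remote, local, GRE_PROTO, 4) + struct.pack("!HH", 0, KEEPALIVE_PTYPE)
    return gre_encap(local, remote, inner)
```

Running `gre_decap` twice on `gre_keepalive("1.1.1.1", "4.4.4.4")` shows what sw4 would see: the outer packet from 1.1.1.1, and after decapsulation an inner packet already addressed back to 1.1.1.1.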




LAB 1 General GRE tunnel
-------------------------
OK, for this lab I will use

r1 >> connects to >> s1 >> connects to >> sw3 >> connects to >> sw4

I will create a tunnel between r1 and sw4.
I will just enable EIGRP on all network devices in the lab, so r1, s1, sw3 and sw4.

R1 one of the tunnel endpoints
-------------------------------
So start off by configuring EIGRP:
r1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
r1(config)#int fa0/0
r1(config-if)#ip address 172.25.15.1 255.255.255.0
r1(config-if)#no shut
r1(config-if)#exit
r1(config)#
r1(config)#
*Mar  1 00:25:36.907: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
r1(config)#ro
*Mar  1 00:25:39.435: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to
r1(config)#router eigrp 2
r1(config-router)#no auto
r1(config-router)#network 172.25.15.0
r1(config-router)#
Next I will configure a loopback, advertise it in EIGRP and configure the tunnel interface:
r1(config)#int lo0
r1(config-if)#ip address 1.1.1.1 255.255.255.255
r1(config-if)#

r1(config)#router eigrp 2
r1(config-router)#network 5.5.5.5
r1(config-router)#no network 5.5.5.5
r1(config-router)#network 1.1.1.1
r1(config-router)#
r1(config)#int tunnel 1
r1(config-if)#
*Mar  1 00:29:26.279: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
r1(config-if)#tunnel mode ?     >>>>>>> just showing the different tunnel modes; GRE is the default, which is fine for this lab
  aurp    AURP TunnelTalk AppleTalk encapsulation
  cayman  Cayman TunnelTalk AppleTalk encapsulation
  dvmrp   DVMRP multicast tunnel
  eon     EON compatible CLNS tunnel
  gre     generic route encapsulation protocol
  ipip    IP over IP encapsulation
  ipsec   IPSec tunnel encapsulation
  iptalk  Apple IPTalk encapsulation
  ipv6    Generic packet tunneling in IPv6
  ipv6ip  IPv6 over IP encapsulation
  nos     IP over IP encapsulation (KA9Q/NOS compatible)
  rbscp   RBSCP in IP tunnel

So this is the tunnel config:
r1(config)#do sh run int tunnel 1
Building configuration...
Current configuration : 113 bytes
!
interface Tunnel1
 ip address 10.0.0.7 255.255.255.0   >>>>> tunnel IP is in the same subnet as the other endpoint
 tunnel source Loopback0             >>>>> I am using lo0 as the source; could have given the IP address instead
 tunnel destination 4.4.4.4          >>>>> destination is sw4's lo0 interface
end
r1(config)#

OK, on sw1 and sw3 I will just configure EIGRP. I will not show it as it is just basic EIGRP config.

On sw4
============
router eigrp 2
 network 4.0.0.0
 network 172.25.0.0
 no auto-summary
switch4#sh run int tunnel 1
Building configuration...
 Multicast is not supported on tunnel interfaces
Current configuration : 113 bytes
!
interface Tunnel1
 ip address 10.0.0.8 255.255.255.0
 tunnel source Loopback0
 tunnel destination 1.1.1.1
end
I can ping the other tunnel end point.

switch4#ping 10.0.0.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.7, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
switch4#


switch4#sh int tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.8/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 4.4.4.4 (Loopback0), destination 1.1.1.1, fastswitch TTL 255
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Tunnel TTL 255
  Checksumming of packets disabled, fast tunneling enabled
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buf
The tunnel is up/up. Notice the bandwidth is very low and the delay is high, so EIGRP will not natively select it as the route to the destination 1.1.1.1.

switch4(config)#do sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/161280] via 172.25.8.1, 00:09:55, Port-channel10
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     172.25.0.0/24 is subnetted, 3 subnets
D       172.25.15.0 [90/33280] via 172.25.8.1, 00:09:55, Port-channel10
D       172.25.9.0 [90/13568] via 172.25.8.1, 00:09:55, Port-channel10
C       172.25.8.0 is directly connected, Port-channel10
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel1

The only thing pointing at the tunnel is the tunnel subnet 10.0.0.0.
I will make the tunnel more preferable for traffic by going under the tunnel interface and setting:

interface tunnel 1
 bandwidth 10000
 delay 1

I also advertised network 10.0.0.0 on both r1 and sw4 so they formed an EIGRP relationship over the tunnel.

switch4#
01:07:03: %SYS-5-CONFIG_I: Configured from console by console
01:07:04: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
01:07:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
01:07:05: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.0.0.7 (Tunnel1) is down: interface down
01:08:05: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to up
01:08:06: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.0.0.7 (Tunnel1) is up: new adjacency
01:08:14: %TUN-5-RECURDOWN: Tunnel1 temporarily disabled due to recursive routing
01:08:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed state to down
01:08:15: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 2: Neighbor 10.0.0.7 (Tunnel1) is down: interface down
The tunnel is brought down because it is looking through the tunnel to reach the tunnel destination.
To change this I will apply a distribute list on each endpoint to stop advertising the tunnel sources over the tunnel.
SW4
---
ip prefix-list EOGHAN seq 5 deny 4.0.0.0/32
ip prefix-list EOGHAN seq 10 permit 0.0.0.0/0 le 32

router eigrp 2
 network 4.0.0.0
 network 172.25.0.0
 network 0.0.0.0
 distribute-list prefix EOGHAN out Tunnel1
 no auto-summary

r1
---

ip prefix-list EOGHAN seq 5 deny 1.0.0.0/32
ip prefix-list EOGHAN seq 10 permit 0.0.0.0/0 le 32
router eigrp 2

 distribute-list prefix EOGHAN out Tunnel1
 no auto-summary
This sorts it out; the tunnel is back up.

switch4#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 1 subnets
D       1.1.1.1 [90/161280] via 172.25.8.1, 00:34:21, Port-channel10
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     172.25.0.0/24 is subnetted, 3 subnets
D       172.25.15.0 [90/28416] via 10.0.0.7, 00:00:56, Tunnel1
D       172.25.9.0 [90/13568] via 172.25.8.1, 00:00:56, Port-channel10
C       172.25.8.0 is directly connected, Port-channel10
     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Tunnel1
switch4#sh run | router eg
Watch out when applying the distribute list in EIGRP:

 distribute-list prefix EOGHAN out Tunnel1

The prefix keyword is essential for it to look at the prefix list. I kept having problems with this: I did

 distribute-list EOGHAN out Tunnel1

and it would create a blank standard access-list in the running config and the tunnel remained down.
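As an added illustration (not code from the post), here is a small model of the recursive-routing check and the prefix-list fix: a longest-prefix lookup over a RIB, the condition that produces %TUN-5-RECURDOWN, and an IOS-style prefix list evaluated in sequence order with the `le` semantics used above. The RIB, the prefixes r1 advertises and the metric outcome are constructed from the lab addresses; the deny entry is assumed to name r1's tunnel source host route, 1.1.1.1/32.

```python
import ipaddress

def lookup(rib, dest):
    """Longest-prefix match over a RIB given as (prefix, exit_interface) pairs."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def tunnel_recurses(rib, tunnel_if, tunnel_dst):
    """The %TUN-5-RECURDOWN condition: the best route to the tunnel destination exits the tunnel itself."""
    return lookup(rib, tunnel_dst) == tunnel_if

def prefix_list_permits(plist, prefix):
    """IOS-style prefix list: (seq, action, prefix, le) entries, lowest seq first, first match wins,
    implicit deny at the end.  With 'le', lengths from the entry's own length up to le match;
    without it only the exact length matches."""
    net = ipaddress.ip_network(prefix)
    for _seq, action, entry, le in sorted(plist):
        base = ipaddress.ip_network(entry)
        longest = le if le is not None else base.prefixlen
        if net.subnet_of(base) and base.prefixlen <= net.prefixlen <= longest:
            return action == "permit"
    return False

def sw4_tunnel_state(filtered):
    """Constructed model of the lab: sw4's RIB with the lab addresses, r1 advertising over Tunnel1.
    It assumes the tunnel path wins for every prefix r1 sends over it (the bandwidth/delay change)."""
    rib = [("4.4.4.4/32", "Loopback0"), ("172.25.8.0/24", "Port-channel10"),
           ("1.1.1.1/32", "Port-channel10"), ("172.25.15.0/24", "Port-channel10"),
           ("10.0.0.0/24", "Tunnel1")]
    r1_advertises = ["1.1.1.1/32", "172.25.15.0/24"]
    # r1's outbound filter on Tunnel1; the deny entry is assumed to name r1's tunnel source host route
    r1_plist = [(5, "deny", "1.1.1.1/32", None), (10, "permit", "0.0.0.0/0", 32)]
    learned = [p for p in r1_advertises if not filtered or prefix_list_permits(r1_plist, p)]
    rib = [e for e in rib if e[0] not in learned] + [(p, "Tunnel1") for p in learned]
    return "down (recursive routing)" if tunnel_recurses(rib, "Tunnel1", "1.1.1.1") else "up"
```

`sw4_tunnel_state(False)` reproduces the flap (the tunnel destination is learned via the tunnel), while `sw4_tunnel_state(True)` keeps 1.1.1.1/32 on Port-channel10 and the tunnel stays up.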
