
 L2 GRE TUNNELLING

===============


Notes by Anuranjan Singh

Date: 21/4/2015



- A tunnel looks like one hop, so a routing protocol may prefer it over a multihop physical path.

- This can be deceptive: although the tunnel appears as a single hop, it may traverse a slower path than the multihop link.

- A tunnel is only as robust and fast, or as unreliable and slow, as the physical links it actually traverses.

- Routing protocols that decide on hop count alone (RIP, for example) will often prefer a tunnel over a set of physical links.

- A tunnel may therefore appear as a one-hop point-to-point link with the lowest-cost path,

  yet cost more in latency than the alternative physical topology.



Issue with tunnel:

=================


If routing is not configured carefully, the tunnel may suffer from recursive routing.

Recursive routing happens when the best path to the tunnel destination is learned via the tunnel itself: the tunnel comes up, the far side's

tunnel-source subnet is learned through it (one hop, so it wins), the tunnel's own encapsulated packets are then routed into the tunnel,

the tunnel goes down, the route is withdrawn, and the cycle repeats. The visible symptom is the tunnel interface flapping.

To avoid recursive routing, keep the routing that reaches the tunnel endpoints (the underlay) separate from the routing that runs over the tunnel,

using one of the following methods:

 - Use a different autonomous system number or route tag.

 - Use a different routing protocol.

 - Use static routes to pin the tunnel destination to the physical next hop (but watch for routing loops).
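The recursive-routing check above, as an added example that is not part of these notes: a small next-hop resolver walks a routing table the way a router resolves a recursive route, and reports whether the route to the tunnel destination exits through the tunnel itself. The prefixes, next hops and interface names (tunnel50, vlan11, 10.50.0.0/30, 11.11.11.254, the OSPF route) are assumptions loosely modelled on the MAS-1 / MAS-2 figure later in the notes.

```python
# Added example (not from the notes): resolve the route to a tunnel destination
# hop by hop and flag the case where it exits via the tunnel itself.
# Prefixes, next hops and interface names are assumptions loosely modelled on
# the MAS-1 / MAS-2 figure later in these notes.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None = connected route: deliver directly out `interface`
    interface: str
    source: str               # "connected", "static", "ospf" ... (informational only)


def route(prefix: str, next_hop: Optional[str], interface: str, source: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface, source)


def longest_match(table: List[Route], dst: str) -> Optional[Route]:
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def resolve_exit(table: List[Route], dst: str, max_depth: int = 8) -> Tuple[str, List[Route]]:
    """Follow next hops until a connected route is reached; return (exit interface, path)."""
    path: List[Route] = []
    cur = dst
    for _ in range(max_depth):
        r = longest_match(table, cur)
        if r is None:
            raise LookupError(f"no route to {cur}")
        path.append(r)
        if r.next_hop is None:
            return r.interface, path
        cur = r.next_hop
    raise RuntimeError(f"next-hop resolution for {dst} did not terminate")


def tunnel_is_recursive(table: List[Route], tunnel_if: str, tunnel_dst: str) -> bool:
    """True when packets *to* the tunnel destination would be sent *into* the tunnel."""
    exit_if, _ = resolve_exit(table, tunnel_dst)
    return exit_if == tunnel_if


TUNNEL_IF, TUNNEL_DST = "tunnel50", "33.33.33.1"   # MAS-1's tunnel towards MAS-2 (assumed name)

# Constructed table on MAS-1 after a routing protocol has come up over the tunnel.
BROKEN: List[Route] = [
    route("11.11.11.0/24", None, "vlan11", "connected"),        # tunnel-source side
    route("10.50.0.0/30", None, TUNNEL_IF, "connected"),        # assumed tunnel-interface subnet
    route("0.0.0.0/0", "11.11.11.254", "vlan11", "static"),     # provider default route
    # MAS-2 advertised its own tunnel-source subnet through the tunnel; at one hop it wins.
    route("33.33.33.0/24", "10.50.0.2", TUNNEL_IF, "ospf"),
]

# Fix from the list above: a more specific static route pins the destination to the physical path.
FIXED: List[Route] = BROKEN + [route("33.33.33.1/32", "11.11.11.254", "vlan11", "static")]

if __name__ == "__main__":
    for name, table in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "recursive" if tunnel_is_recursive(table, TUNNEL_IF, TUNNEL_DST) else "ok",
              [r.source for r in resolve_exit(table, TUNNEL_DST)[1]])
```

In the broken table the destination 33.33.33.1 matches the OSPF /24 learned over the tunnel, whose next hop 10.50.0.2 resolves onto the tunnel interface: exactly the loop that makes the tunnel flap. The /32 static route wins by prefix length and resolves onto vlan11, so the underlay route is no longer affected by what the overlay learns.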


Remember:

========

 - Encapsulation: the process of adding headers to data at each layer of a particular protocol stack.

 - Tunnelling: encapsulating packets of one protocol inside a different protocol and

   transporting them unchanged across a foreign network.

 - A tunnel interface is a virtual (logical) interface.

 - GRE is a Layer-3 carrier protocol; a carrier protocol can itself be encapsulated in another carrier protocol (GRE over IPsec, for example).

 - L3 carrier protocols: GRE, IPv6, MPLS, L2TP, PPTP, L2F, IPsec, IP-in-IP

 - L2 carrier protocols: PPPoE, PPPoA, UDLR

 - GRE: Generic Routing Encapsulation, RFC 2784; it rides directly on IP as IP protocol number 47.

        

 

Drawback in GRE:

===============

       GRE provides no security: no encryption, no integrity protection and no peer authentication, so anyone on the transit path can read

       or inject tunnel packets (the optional GRE key field is a demultiplexer, not a secret). Therefore GRE is combined with IPsec:

       the GRE packet is carried inside IPsec (GRE over IPsec).



Question: Why not use an IPsec tunnel alone, since it is a tunnel and provides security? Why involve GRE at all?

=========


Ans: Classic IPsec protects (authenticates and encapsulates) only unicast IP traffic; a security association is a point-to-point unicast

     relationship, so IPsec alone cannot carry multicast or broadcast traffic (routing-protocol hellos, ARP) or non-IP traffic.

     A GRE tunnel packet is itself a unicast IP packet, yet it can encapsulate any type of traffic: unicast, multicast, broadcast, even non-IP.

     So GRE carries the traffic and IPsec protects the GRE packets. This combination (GRE over IPsec) is how site-to-site VPNs are usually built.


     - IPsec can be used over an L2 or an L3 GRE tunnel.

     - L2 GRE tunnel: for communication across different sites that belong to the same network (same broadcast domain) of one customer; the tunnel endpoints switch at L2.

     - L3 GRE tunnel: for communication across different sites that belong to different networks of one customer; the tunnel endpoints route at L3 and the tunnel interface carries an IP address.




******************************************************************************************************************************************



L2 GRE Tunnel typical customer setup: "communication across the same network"

---------------------------------------------------------------------------




   MAS-1 <[11.11.11.1]> Ge0/0/22 VLAN11 ====== { Service Provider n/w } ====== VLAN33 Ge0/0/33 <[33.33.33.1]> MAS-2
     |                                                                                                |
     |                 [VLAN30 ============== L2 GRE Tunnel ============== VLAN30]                    |
     |                                                                                                |
               VLAN10 (Ge0/0/1) Site-1  <-------------------------------->  VLAN10 (Ge0/0/1) Site-2
               VLAN20 (Ge0/0/2)         <-------------------------------->  VLAN20 (Ge0/0/2)
 ClientPC-1<-->VLAN30 (Ge0/0/3)         <-------------------------------->  VLAN30 (Ge0/0/3)<-->ClientPC-2



Remember:  

---------

- The physical tunnel ports on the two sides may be in different VLANs and different IP networks.

- Here VLAN 11 and VLAN 33 are not the tunnel interfaces but the routed interfaces the tunnel rides on; they are needed only to supply the source/destination IP of the L2 tunnel.

- An L2 GRE tunnel interface has no IP address; both sides simply carry the same VLAN switching profile.

- If many client VLANs should cross the L2 GRE tunnel, do not tie the switching profile to one access VLAN; put it in trunk mode instead:

    (ArubaS2500-48P) (switching profile "sw22") #switchport-mode trunk    <== apply this in the tunnel's switching profile




Generic L2 GRE topology compare with MAS:

-----------------------------------------


 

   <==PC-1==>   <=============MAS-1=============> <======= L2 GRE Tunnel =======> <=============MAS-2=============>   <==PC-2==>

   ClientPC-1====[V1,V2,V3]Switch1[T]==Router1[22]============={ N/W }=============[33]Router2==[T]Switch2[V1,V2,V3]====ClientPC-2


   Where:

   ------

 VLANs: V1, V2, V3

 Router port [22]: IP 11.11.11.1. In the MAS this port is both the routed port and a switch trunk port carrying VLANs 1, 2 and 3.

 Router port [33]: IP 33.33.33.1. In the MAS this port is both the routed port and a switch trunk port carrying VLANs 1, 2 and 3.

 [T]: switch trunk port

 Before the L2 GRE tunnel is configured, port [22] and port [33] must be able to ping each other.

 After the L2 GRE tunnel is configured, client traffic for the tunnelled VLANs crosses between port [22] and port [33] GRE-encapsulated.



Packet encapsulation and flow:

------------------------------


   [Outer L2 header] [Outer IP header: tunnel src/dst] [GRE header] [Client L2 header, with or without 802.1Q tag] [Client IP header + data]


  "with or without 802.1Q tag" depends on the switching profile applied to the logical tunnel interface: trunk mode carries the client VLAN tag, access mode does not.
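The encapsulation above, together with the lack of confidentiality noted under "Drawback in GRE", as an added example that is not part of these notes or of any Aruba code: it builds an L2 GRE packet carrying a VLAN-30 ARP broadcast from ClientPC-1 across the MAS-1 (11.11.11.1) to MAS-2 (33.33.33.1) tunnel of the figure above, then parses it back. Assumptions: the on-wire GRE protocol type for an Ethernet payload is 0x6558 (IANA "Transparent Ethernet Bridging"; whether that relates to the MAS "Protocol number" field shown later is not established by these notes), no GRE key/sequence/checksum, client MACs 00:00:00:00:00:31/36 from the bug setup below, outer MACs borrowed from the switch MACs in the MAC tables below, and made-up client IPs 10.100.0.31/36.

```python
# Added example, not from the notes or from Aruba: build and parse the L2 GRE
# encapsulation shown above. Assumed: GRE protocol type 0x6558 (IANA "Transparent
# Ethernet Bridging"), no GRE key/sequence/checksum, client IPs 10.100.0.31/36.
import ipaddress
import struct
from typing import Any, Dict, Optional

ETH_P_IP, ETH_P_ARP, ETH_P_8021Q = 0x0800, 0x0806, 0x8100
IPPROTO_GRE = 47                                 # GRE rides directly on IP
GRE_PROTO_TEB = 0x6558                           # assumed on-wire type for Ethernet payloads
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000     # checksum / key / sequence present (RFC 2784/2890)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ethernet(dst: str, src: str, ethertype: int, payload: bytes, vlan: Optional[int] = None) -> bytes:
    hdr = mac(dst) + mac(src)
    if vlan is not None:                          # 802.1Q tag: what a trunk-mode profile carries
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def arp_request(sha: str, spa: str, tpa: str) -> bytes:
    return struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, 1, mac(sha),
                       ipaddress.IPv4Address(spa).packed, b"\x00" * 6,
                       ipaddress.IPv4Address(tpa).packed)


def l2gre_encapsulate(client_frame: bytes, tun_src: str, tun_dst: str,
                      outer_src_mac: str, outer_dst_mac: str) -> bytes:
    """[outer L2][outer IP][GRE][client L2 frame]: the whole client frame is the GRE payload."""
    gre = struct.pack("!HH", 0, GRE_PROTO_TEB)   # flags/version word = 0: no C/K/S, version 0
    ip = ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(gre) + len(client_frame))
    return ethernet(outer_dst_mac, outer_src_mac, ETH_P_IP, ip + gre + client_frame)


def l2gre_decapsulate(pkt: bytes) -> Dict[str, Any]:
    """Strip the outer headers and describe the client frame; ValueError on a non-L2GRE packet."""
    if struct.unpack("!H", pkt[12:14])[0] != ETH_P_IP:
        raise ValueError("outer frame is not IPv4")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    if ip[9] != IPPROTO_GRE:
        raise ValueError("outer IPv4 protocol is not GRE (47)")
    gre = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame")
    hdr_len = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    inner = gre[hdr_len:]
    ethertype, off, vlan = struct.unpack("!H", inner[12:14])[0], 14, None
    if ethertype == ETH_P_8021Q:                  # tagged client frame (trunk-mode profile)
        vlan = struct.unpack("!H", inner[14:16])[0] & 0x0FFF
        ethertype, off = struct.unpack("!H", inner[16:18])[0], 18
    return {
        "tunnel_src": str(ipaddress.IPv4Address(ip[12:16])),
        "tunnel_dst": str(ipaddress.IPv4Address(ip[16:20])),
        "inner_dst_mac": inner[:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "is_broadcast": inner[:6] == b"\xff" * 6,
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": inner[off:],                   # client data, in the clear on the transit network
    }


def l2gre_overhead(vlan_tagged: bool) -> int:
    """Bytes added on top of the client's IP packet: outer IP + GRE + inner Ethernet (+ 802.1Q)."""
    return 20 + 4 + 14 + (4 if vlan_tagged else 0)


# Constructed sample: ClientPC-1's ARP broadcast in VLAN 30, carried from MAS-1 (11.11.11.1)
# to MAS-2 (33.33.33.1). Outer MACs are assumed (borrowed from the switch MACs in the MAC tables).
CLIENT_FRAME = ethernet("ff:ff:ff:ff:ff:ff", "00:00:00:00:00:31", ETH_P_ARP,
                        arp_request("00:00:00:00:00:31", "10.100.0.31", "10.100.0.36"), vlan=30)
TUNNEL_PKT = l2gre_encapsulate(CLIENT_FRAME, "11.11.11.1", "33.33.33.1",
                               "00:1a:1e:0e:3d:80", "00:0b:86:a2:70:00")

if __name__ == "__main__":
    print(l2gre_decapsulate(TUNNEL_PKT))
```

The decapsulated dictionary hands back the client MACs, the VLAN tag and the ARP payload straight from the transit packet: nothing in the GRE or outer IP header hides or authenticates them, which is the reason for running GRE over IPsec. Per client frame the tunnel adds 20 (IP) + 4 (GRE) + 14 (inner Ethernet) + 4 (802.1Q) = 42 bytes, which is why the tunnel MTU is set below the physical MTU (1100 in the show output further down).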



******************************************************************************************************************************************



Concept:

========

1.  With an L2 GRE tunnel the clients see two directly connected switches: an ARP request (a broadcast) reaches the other switch

even though a routed GRE tunnel network lies in between.


2.  Because broadcasts cross it, an L2 GRE tunnel can extend DHCP and DNS service to the remote node.


3.  An L2 GRE tunnel needs no logical tunnel IP; the logical tunnel interface is simply placed in the same VLAN as the client (or in trunk mode)

    via a switching profile, because this is an L2 tunnel.


4.  Static or dynamic routing between the edge switches must be in place first, so that the tunnel endpoints reach each other. Then any frame

    arriving in VLAN 22 on MAS-1 (Ge0/0/0) goes through the logical tunnel (which is also in VLAN 22) and comes out on the VLAN 22 ports of MAS-2.


5.  Keepalive interval, retries, MTU and tunnel protocol number must be the same on both sides.


6.  The tunnel protocol (GRE, IP protocol 47) must be allowed through any firewall and must pass any access control list (ACL) on the path between the endpoints.


7.  The local endpoint of the tunnel on the switch can be one of the following:

 - source IP address of the interface

 - controller IP address

 - the loopback interface configured on the switch

 - 802.1q VLAN interface number


8.  In L2 GRE, the end users on both sides are in the same broadcast domain.

9.  If the L2 GRE line protocol is down, check the physical tunnel-source ports: they must be up and the endpoints must be pingable.


10. In L2 or L3 GRE the tunnel source and destination interfaces need not be in the same network; they only need IP reachability. But the tunnel IPs

    assigned to the tunnel interfaces in L3 GRE should be in the same network, like a point-to-point link.



Let us verify one L2 GRE bug:

-----------------------------


Bug - L2GRE: after the GRE tunnel is set up, MAC learning fails on the interface.

==========================================================================================



1. Configure the L2 GRE tunnel


            MAS stack                                          MAS STANDALONE

   1.1.20.1 (VLAN20) 2/0/15 ================================ 0/0/2 (VLAN20) 1.1.20.2

   ixia 3/5 --> VLAN100 (2/0/8)                                VLAN100 (0/0/38) <-- ixia 3/6
     DestMac: 00:00:00:00:00:36                                  DestMac: 00:00:00:00:00:31
     SrcMac:  00:00:00:00:00:31                                  SrcMac:  00:00:00:00:00:36



NOTE: 1.1.20.1 and 1.1.20.2 are the tunnel source/destination IPs.

These IPs need not be in the same VLAN as the tunnelled VLAN of the switching profile.

    Here VLAN100 is the VLAN in the tunnel switching profile, i.e. the tunnelled L2 segment.


Remember: 2/0/15 and 0/0/2 must be up, otherwise the tunnel line protocol goes down;

 if 2/0/8 and 0/0/38 go down, the tunnel line protocol still stays up.



a) configuration on stack


configure t

vlan 20

!

vlan 100

!

interface vlan 20

ip address 1.1.20.1 255.255.255.0

!

interface-profile switching-profile 20

access-vlan 20

!

interface gigabitethernet 2/0/15

switching-profile 20

no shutdown

!

interface-profile switching-profile 100

access-vlan 100

!

interface tunnel ethernet 50

destination-ip 1.1.20.2

source-ip 1.1.20.1

switching-profile 100       

keepalive 3 3

!

ip access-list stateless All_Tunnel

any any any redirect tunnel 50

!

interface gigabitethernet 2/0/8

switching-profile 100

ip access-group in All_Tunnel

no shutdown

!

end


b) Configuration of STANDALONE Switch



configure t

vlan 20

!

vlan 100

!

interface vlan 20

ip address 1.1.20.2 255.255.255.0

!

interface-profile switching-profile 20

access-vlan 20

!

interface gigabitethernet 0/0/2

switching-profile 20

no shutdown

!

interface-profile switching-profile 100

access-vlan 100

!

interface tunnel ethernet 50

destination-ip 1.1.20.1

source-ip 1.1.20.2

switching-profile 100

keepalive 3 3

!

ip access-list stateless All_Tunnel

any any any redirect tunnel 50

!

interface gigabitethernet 0/0/38

switching-profile 100

ip access-group in All_Tunnel

no shutdown

!

end



Note: verified that the tunnel is up on both sides (stack first, then standalone).


(ANU2500-4P) #show interface tunnel


tunnel 50 is administratively Up, Line protocol is Up

Description: GRE Interface

Source  1.1.20.1

Destination 1.1.20.2

Tunnel mtu is set to 1100

Tunnel keepalive is enabled

Tunnel keepalive interval is 3 seconds, retries 3

        Heartbeats sent 1491, Heartbeats lost 522

 Tunnel is down 1 times

Tunnel is an L2 GRE Tunnel

Protocol number  0

Tunnel is Trusted

Inter Tunnel Flooding is enabled

Switching-profile "100"




(Anu2500-4P) #show vlan


VLAN CONFIGURATION

------------------

VLAN  Description  Ports

----  -----------  -----

1     VLAN0001     GE1/0/0-47 GE1/1/0-1 GE2/0/0-7 GE2/0/9-14

                   GE2/0/16-47 GE2/1/0-2

20    VLAN0020     GE2/0/15

100   VLAN0100     GE2/0/8 GRE-TUN50



(Anu2500-4P) #show interface tunnel


tunnel 50 is administratively Up, Line protocol is Up

Description: GRE Interface

Source  1.1.20.2

Destination 1.1.20.1

Tunnel mtu is set to 1100

Tunnel keepalive is enabled

Tunnel keepalive interval is 3 seconds, retries 3

        Heartbeats sent 975, Heartbeats lost 2

        Tunnel is down 0 times

Tunnel is an L2 GRE Tunnel

Protocol number  0

Tunnel is Trusted

Inter Tunnel Flooding is enabled

Switching-profile "100"





(Anu2500-4P) #show vlan


VLAN CONFIGURATION

------------------

VLAN  Description  Ports

----  -----------  -----

1     VLAN0001     GE0/0/0-1 GE0/0/3-37 GE0/0/39-47 GE0/1/0-3

20    VLAN0020     GE0/0/2

100   VLAN0100     GE0/0/38 GRE-TUN50




2. Send Traffic through Ixia



3. Check if Mac is learnt in the Switch.



Mac Learning @ Stacked:

----------------------------

(Anu2500-4T) #show mac-address-table


Total MAC address: 3

Learnt: 3, Static: 0, Auth: 0, Phone: 0 Sticky: 0


MAC Address Table

-----------------

MAC Address        Address Type  VLAN  Interface

-----------        ------------  ----  ---------

00:0b:86:a2:70:00  Learned       0020  GE2/0/15

00:00:00:00:00:31  Learned       0100  GE2/0/8

00:00:00:00:00:36  Learned       0100  GRE-TUN50





 Mac Learning @ STANDALONE

------------------------------


MAC Address Table

-----------------

MAC Address        Address Type  VLAN  Interface

-----------        ------------  ----  ---------

00:1a:1e:0e:3d:80  Learned       0020  GE0/0/2

00:00:00:00:00:31  Learned       0100  GRE-TUN50

00:00:00:00:00:36  Learned       0100  GE0/0/38   <=== this entry was missing before the fix; it now appears
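Steps 2 and 3 of the verification (send traffic, check that the MAC is learnt) and the keepalive counters in the "show interface tunnel" output, as an added example that is not part of these notes or of any Aruba tooling: it parses the MAC-table and heartbeat lines copied from the outputs above and checks that each client MAC is learnt on its access port locally and on GRE-TUN50 on the far side. The "before fix" standalone table is constructed from the note on the line above (the original table was not captured); everything else is taken from the outputs on this page.

```python
# Added example (not part of the notes): parse 'show interface tunnel' and
# 'show mac-address-table' output and check (a) keepalive loss per side and
# (b) that each client MAC is learnt on the access port locally and on the
# GRE tunnel interface remotely. Sample text is copied from the outputs above.
import re
from typing import Dict, List, Tuple

MAC_ROW = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(\d+)\s+(\S+)", re.I)
HB_ROW = re.compile(r"Heartbeats sent (\d+), Heartbeats lost (\d+)")


def parse_mac_table(text: str) -> Dict[Tuple[str, int], str]:
    """(mac, vlan) -> interface, from 'show mac-address-table' output."""
    table: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        m = MAC_ROW.match(line.strip())
        if m:
            table[(m.group(1).lower(), int(m.group(2)))] = m.group(3)
    return table


def keepalive_loss(text: str) -> Tuple[int, int, float]:
    """(sent, lost, loss ratio) from 'show interface tunnel' output."""
    m = HB_ROW.search(text)
    if not m:
        raise ValueError("no heartbeat counters in output")
    sent, lost = int(m.group(1)), int(m.group(2))
    return sent, lost, (lost / sent if sent else 0.0)


def check_tunnel_learning(local: Dict[Tuple[str, int], str], remote: Dict[Tuple[str, int], str],
                          vlan: int, tunnel_if: str, local_mac: str, local_port: str,
                          remote_mac: str, remote_port: str) -> List[str]:
    """Empty list when MAC learning is symmetric across the L2 GRE tunnel."""
    expectations = [
        (local, local_mac, local_port, "local client on local access port"),
        (local, remote_mac, tunnel_if, "remote client behind the tunnel"),
        (remote, remote_mac, remote_port, "remote client on remote access port"),
        (remote, local_mac, tunnel_if, "local client behind the tunnel"),
    ]
    problems: List[str] = []
    for table, m, want, why in expectations:
        got = table.get((m.lower(), vlan))
        if got is None:
            problems.append(f"{m} vlan {vlan} not learned ({why})")
        elif got.lower() != want.lower():
            problems.append(f"{m} vlan {vlan} learned on {got}, expected {want} ({why})")
    return problems


# Heartbeat lines copied from the two 'show interface tunnel' outputs above.
STACK_TUNNEL = "Heartbeats sent 1491, Heartbeats lost 522"
STANDALONE_TUNNEL = "Heartbeats sent 975, Heartbeats lost 2"

# MAC-table rows copied from the outputs above.
STACK_MACS = """\
00:0b:86:a2:70:00  Learned       0020  GE2/0/15
00:00:00:00:00:31  Learned       0100  GE2/0/8
00:00:00:00:00:36  Learned       0100  GRE-TUN50
"""
STANDALONE_MACS_AFTER_FIX = """\
00:1a:1e:0e:3d:80  Learned       0020  GE0/0/2
00:00:00:00:00:31  Learned       0100  GRE-TUN50
00:00:00:00:00:36  Learned       0100  GE0/0/38
"""
# Constructed: before the fix the standalone had no entry for 00:00:00:00:00:36.
STANDALONE_MACS_BEFORE_FIX = "\n".join(STANDALONE_MACS_AFTER_FIX.splitlines()[:2]) + "\n"


def verify(standalone_macs: str) -> List[str]:
    return check_tunnel_learning(parse_mac_table(STACK_MACS), parse_mac_table(standalone_macs),
                                 vlan=100, tunnel_if="GRE-TUN50",
                                 local_mac="00:00:00:00:00:31", local_port="GE2/0/8",
                                 remote_mac="00:00:00:00:00:36", remote_port="GE0/0/38")


if __name__ == "__main__":
    print("before fix:", verify(STANDALONE_MACS_BEFORE_FIX))
    print("after fix: ", verify(STANDALONE_MACS_AFTER_FIX))
    for side, text in (("stack", STACK_TUNNEL), ("standalone", STANDALONE_TUNNEL)):
        print(side, "keepalive loss %.1f%%" % (100 * keepalive_loss(text)[2]))
```

The learning check fails with exactly one finding on the pre-fix table (the remote client never appears on GE0/0/38) and passes on the post-fix table. The heartbeat parse also surfaces something worth a second look in the outputs above: the stack side lost 522 of 1491 heartbeats (about 35%) and reports one tunnel-down event, while the standalone lost 2 of 975; with keepalive 3 3 that is the kind of asymmetry that precedes a line-protocol flap.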




(Anu2500-4P) #show ver


(Anu2500-48T) #show interface-config tunnel ethernet


Tunnel List

-----------

Name  References  Profile Status

----  ----------  --------------

50    0           N/A

Total:1


(Anu2500-48T) #show interface-config tunnel ethernet 50


Tunnel "50"

-----------

Parameter                 Value

---------                 -----

Tunnel Description        N/A

Tunnel Source IP          1.1.20.1

Tunnel Protocol           0

Inter-Tunnel-Flooding     Enabled

Tunnel Keepalive          3/3

Tunnel Switching Profile  100

Tunnel Trusted            Enabled

Tunnel MTU                1100

Tunnel Shutdown           Disabled


(Anu2500-48T) #show interface counters


Port      InOctets     InUcastPkts  InMcastPkts  InBcastPkts

----      --------     -----------  -----------  -----------

GE1/1/0   23680        0            185          0


GE2/0/8   56334830336  880232049    0            0


GE2/0/15  66118298     621327       2260         592




Port      OutOctets    OutUcastPkts  OutMcastPkts  OutBcastPkts

----      ---------    ------------  ------------  ------------

GE1/1/0   14050413729  219530423     2973          260


GE2/0/8   1274866      19190         362           0


GE2/0/15  175886211    1658460       737           882






Debug

------


1. The endpoints must be reachable from each other:


 (Anu2500-48P) (config) #ping 22.22.22.2


2. Keepalive (heartbeat): interval in seconds (10 here) and retry count (3); the retry value is a count of missed heartbeats, not seconds, and both values must match the far end.

3. Trusted / control enabled (the show output reports "Tunnel is Trusted").

4. A switching profile must be applied to the tunnel.

#show interface gigabitethernet 0/1/0 transceiver detail

#show interface gigabitethernet 1/0/24

#show interface-group-config gigabitethernet

#show interface-group-config gigabitethernet default

# show interface local-mgmt member-id 3

#show ip interface brief


(Anu2500-48P) (config) #show trace interface-manager | include HeartBeat

Press 'q' to abort.

Feb 12 04:27:34 [TUNNEL] im_gre_tunnel_send_hb(997): HeartBeat Sent for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:34 [TUNNEL] im_gre_tunnel_keepalive_receive(1124): HeartBeat Reply Received for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:37 [TUNNEL] im_gre_tunnel_send_hb(997): HeartBeat Sent for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:37 [TUNNEL] im_gre_tunnel_keepalive_receive(1124): HeartBeat Reply Received for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:40 [TUNNEL] im_gre_tunnel_send_hb(997): HeartBeat Sent for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:40 [TUNNEL] im_gre_tunnel_keepalive_receive(1124): HeartBeat Reply Received for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:43 [TUNNEL] im_gre_tunnel_send_hb(997): HeartBeat Sent for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:43 [TUNNEL] im_gre_tunnel_keepalive_receive(1124): HeartBeat Reply Received for tunnel 22 : src_ip: 22.22.22.1 dest_ip

Feb 12 04:27:46 [TUNNEL] im_gre_tunnel_send_hb(997): HeartBeat Sent for tunnel 22 : src_ip: 22.22.22.1 dest_ip




*****************************************************************