01-08-2025 12:02 PM - edited 01-08-2025 12:09 PM
Hello everyone,
We are an ISP providing internet services to customers using multivendor CPEs (Fortirouter, Juniper, Cisco) installed onsite. These CPEs connect over a fiber-optic last-mile to the nearest Provider Edge (PE), where the gateway is configured.
Occasionally, customers report issues such as high latency or not achieving their subscribed bandwidth. To address these concerns, we certify the last-mile connection using iPerf3 for traffic and bandwidth analysis.
Current Process:
To perform this certification, we dispatch a technician to the customer site. The technician connects a PC running iPerf3 as a client and establishes a connection to our iPerf3 server. We temporarily add the customer’s public IP to our firewall to enable communication between the client and server.
Challenge:
We are looking to eliminate the need for dispatching technicians onsite. Ideally, we want to conduct the iPerf3 certification remotely, streamlining the process and reducing operational costs.
Proposed Idea:
One potential solution is setting up one or more GRE tunnels between our infrastructure and the customer CPE. With proper routing, this could enable direct communication between the iPerf3 client (on the CPE or customer-side network) and our iPerf3 server, without requiring a physical technician presence.
Attached is a topology diagram illustrating the proposed setup.
Request for Feedback:
We appreciate any insights or suggestions to refine this approach.
Thank you in advance for your time and expertise!
Best regards,
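Added example, not part of the original post: the current process above opens the iPerf3 server's firewall to a customer's public IP for the duration of a test, and the sketch below shows one way to make that entry expire on its own using an nftables set with timeouts. The table, set and chain names, the 120-minute ceiling and the sample addresses are assumptions; 5201 is iPerf3's default port.

```python
import ipaddress

IPERF3_PORT = 5201      # iPerf3 default listening port
MAX_WINDOW_MIN = 120    # assumed policy ceiling for one test window

# Assumed server-side ruleset: only members of the timed set reach iPerf3.
RULESET = f"""
table inet filter {{
  set iperf3_clients {{ type ipv4_addr; flags timeout; }}
  chain input {{
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    ip saddr @iperf3_clients tcp dport {IPERF3_PORT} accept
    ip saddr @iperf3_clients udp dport {IPERF3_PORT} accept
  }}
}}
"""

# Sources that must never be admitted as a "customer public IP".
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def allow_command(customer_ip, minutes, table="filter", set_name="iperf3_clients"):
    """Return the nft argv that admits one host address for a bounded time."""
    # ip_address() rejects prefixes ("a.b.c.d/24") and malformed input.
    addr = ipaddress.ip_address(customer_ip)
    if addr.version != 4:
        raise ValueError("this set holds IPv4 addresses only")
    if any(addr in net for net in BLOCKED):
        raise ValueError(f"{addr} is not a routable customer address")
    if not 1 <= minutes <= MAX_WINDOW_MIN:
        raise ValueError("test window outside the allowed range")
    # The element is dropped by the kernel when the timeout expires,
    # so a forgotten cleanup step cannot leave the server exposed.
    return ["nft", "add", "element", "inet", table, set_name,
            f"{{ {addr} timeout {minutes}m }}"]

if __name__ == "__main__":
    # Constructed sample address from the documentation range.
    print(" ".join(allow_command("203.0.113.10", 30)))
```

The returned argv can be handed to the existing automation; nothing in the block touches the firewall itself.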
01-08-2025 12:40 PM
What has this to do with Cisco Collaboration products? It’s likely best if you get this post moved to a more suitable place in the community.
01-09-2025 06:19 AM
Hi Roger, sorry, I'm new here. Could you please suggest a suitable place and how to move it? Thanks.
01-08-2025 12:43 PM
What you are trying to accomplish is similar to hairpinning with a GRE tunnel. Traffic must leave one GRE tunnel and return through the other tunnel in order to get back to the ISP. I am not sure this is possible.
What you can additionally look at is Cisco ThousandEyes, which will cost you, of course. And/or check the availability of running iPerf on the device itself, which is not possible on all devices.
I know a service provider that uses a Linux server instead of a router just to overcome situations like this, and they say the Linux server does not fall behind any router they know.
01-09-2025 06:24 AM
Hi Flavio,
Correct, it is like hairpinning with a GRE tunnel on the CPE, building a logical connection between our two Linux servers where the iPerf3 client and server are running. There is a public IP configured for one of the Linux servers, and the other public IP will be the customer's, configured on the CPE, so the tricky thing here is how to establish that connection over that public IP.
01-09-2025 06:40 AM
Got it. However, technically speaking, I don't believe you can make the traffic leave one tunnel and return through the other.
01-09-2025 07:34 AM
Actually, the hairpin GRE tunnel method on the CPE works over the L3VPN solution; we are adding the two Linux servers into the same customer's VRF, but we can't figure out how it can be possible via the Internet solution (using public IPs).
01-08-2025 10:13 PM
As this is not related to anything within Collaboration and looks to be better suited in the Service Provider section of the community I moved it there.
01-09-2025 06:19 AM
Appreciate it.
01-09-2025 09:05 PM
Hello @mfnmike
Your proposed idea of using GRE tunnels to facilitate remote iPerf3 testing is a viable solution, but there are several considerations and alternative approaches to evaluate. Below is a detailed analysis of your proposal, along with feedback and suggestions:
GRE (Generic Routing Encapsulation) tunnels can indeed provide a way to establish a virtual point-to-point connection between your infrastructure and the customer CPE. This would allow you to route iPerf3 traffic through the tunnel without requiring a technician onsite.
Configuration Complexity:
Security Concerns:
Performance Overhead:
Scalability:
While GRE tunnels are a good option, there are other approaches that might be more efficient or easier to implement:
Regardless of the approach you choose, there are some general pitfalls and security concerns to address:
Based on your requirements and the considerations above, here is a recommended approach:
Start with Reverse iPerf3 Testing:
Use GRE or IPsec Tunnels for Advanced Scenarios:
Evaluate Long-Term Solutions:
Your idea of using GRE tunnels is a solid starting point, but it’s important to weigh the complexity and scalability of this approach against alternatives like reverse iPerf3 testing or VPN-based solutions. By automating the process and addressing security concerns, you can streamline the certification process and reduce operational costs effectively.
Hope This Helps!!!
AshSe
01-10-2025 08:39 AM
Thanks for your response. Below are my notes:
- Neither SD-WAN nor cloud-based monitoring tools are available
- Only some of the CPEs support iPerf3 itself, such as Cisco ISR43XX and some Fortirouter, but the Juniper ones do not support that feature.
- We already have the automation applied for this purpose
- The hardening is already set on our FWs
- That was a good tip, to set the IPsec tunnel over the GRE to increase the security
But I still don't know how to build that connection using the public IP configured on the customer site.