Solved: Hello Imanavalan,Please note

lmanavalan · ‎09-02-2015

Hi

On a Cisco 7301 i have configured GRE Tunnel with vrf mgnt and the Tunnel source interface is not part of any vrf.

The other end of the Tunnel is simple GRE configuration with out any vrf.

The tunnel is not coming up.

Below is the configuration

Router_2:

hostname Router_2
!
vrf definition mgmt
description VRF for Management
rd 1000:1000
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp key <removed> address 122.x.x.66
!
!
crypto ipsec transform-set aes-128-sha esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map managementVpn 10 ipsec-isakmp
set peer 122.x.58.x
set transform-set aes-128-sha
match address VpnList
!
interface Tunnel1
vrf forwarding mgmt
ip address 10.157.252.78 255.255.255.252
ip tcp adjust-mss 1200
ip ospf 2 area 0
keepalive 1 3
tunnel source 162.249.176.141
tunnel destination 10.176.21.6
tunnel vrf mgmt
!
interface GigabitEthernet0/0
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/0.101
encapsulation dot1Q 101
ip address 162.x.x.141 255.255.255.248
standby 101 ip 162.x.x.142
crypto map managementVpn
!
interface GigabitEthernet0/1
no ip address
media-type rj45
speed auto
duplex auto
negotiation auto
!
interface GigabitEthernet0/1.102
encapsulation dot1Q 102
ip address 10.177.56.19 255.255.255.248
standby 102 ip 10.177.56.17
!
interface GigabitEthernet0/1.108
description Link to MgmtVlan
encapsulation dot1Q 108
vrf forwarding mgmt
ip address 10.157.64.131 255.255.255.128
standby 108 ip 10.157.64.129
!
interface GigabitEthernet0/2
no ip address
shutdown
media-type rj45
speed auto
duplex auto
negotiation auto
!
router ospf 2 vrf mgmt
router-id 10.157.64.4
network 10.157.64.0 0.0.3.255 area 100
!
router ospf 1
router-id 10.177.56.2
network 10.177.56.0 0.0.3.255 area 0
!
ip route 0.0.0.0 0.0.0.0 162.x.x.137
ip route 10.176.21.6 255.255.255.255 162.x.x.137
!
ip access-list extended VpnList
permit ip host 162.x.x.141 host 10.176.21.6
!

And Router_1 Confuuguration:

interface Tunnel 101
ip address 10.157.252.77 255.255.255.252
ip tcp adjust-mss 1200
ip ospf 1 area 0
keepalive 1 3
tunnel source 10.176.21.6
tunnel destination 162.x.x.141

regards

Logesh

Ahmed Muhi · ‎09-03-2015

Hello Imanavalan,

Please note that there is a difference between the commands "vrf forwarding mgmt" and the command "tunnel vrf mgmt".

At first when you used the "tunnel vrf mgmt" the router looked for the tunnel source IP and tunnel destination IP in the vrf mgmt, the tunnel source "162.249.176.141" is configured under the interface GigabitEthernet0/0.101 which does not belong to vrf mgmt, and the tunnel destination "10.176.21.6" is under the global routing table by means of a static route and again it does not belong to the vrf mgmt. That is why the tunnel was down, because it did not find a route for the tunnel source and destination in the vrf mgmt.

Now as soon as you remove the tunnel vrf mgmt command the router looks for the tunnel source and the tunnel destination in the global routing table, and since it finds both the tunnel becomes up.

As for the command "vrf forwarding mgmt" this simply puts the actual tunnel interface inside the vrf mgmt, not in the global routing table.

Both commands are not connected to each other, I mean you can have the tunnel in a vrf and the tunnel source and destination in a different vrf for example:

interface tunnel0
ip vrf forwarding green
ip address 1.2.3.4 255.255.255.0
tunnel source 5.6.7.8
tunnel destination 9.10.11.12
tunnel vrf blue

The tunnel would belong to vrf green but it would look for the tunnel source IP " 5.6.7.8" and the tunnel destination IP "9.10.11.12" in the vrf blue.

Just one final note the tunnel source and destination must be in the same vrf, for our example above both the "5.6.7.8" and the "9.10.11.12" must be in vrf blue.

For further information please reference below documents:

http://www.cisco.com/c/en/us/td/docs/routers/10000/10008/feature/guides/122_31sb5/fs_gripvrf.html

http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/46252-grewithvrf.html

View solution in original post

Rolf Fischer · ‎09-02-2015

Hi,

... GRE Tunnel with vrf mgnt and the Tunnel source interface is not part of any vrf.

in such scenarios, you cannot use GRE keepalives.

You could adjust the OSPF timers instead.

HTH

Rolf

lmanavalan · ‎09-02-2015

Hi

i removed the keep alive still the tunnel was down and then i removed the tunnel vrf mgmt and tunnel came up.

interface Tunnel1
vrf forwarding mgmt
ip address 10.157.252.78 255.255.255.252
ip tcp adjust-mss 1200
ip ospf 2 area 0
tunnel source 162.x.x.141
tunnel destination 10.176.21.6
!

Thanks

Regards

Logesh

Rolf Fischer · ‎09-03-2015

Ah, correct; I've overlooked that.

The 'tunnel vrf <VRF>' command specifies the transport-vrf; in your case that's the global routing context.

Does the OSPF adjacency form now?

lmanavalan · ‎09-03-2015

Hi

Yes the OSPF is Up now. Thanks for your help.

regards

Logesh

Ahmed Muhi · ‎09-03-2015