05-08-2008 02:41 AM - edited 03-03-2019 09:52 PM
Hello everybody,
I need some help in configuring MPLS over GRE tunnels. I did not find any proper configuration example to help me. I need to do this for encrypt the traffic between two PE routers. I have 7609 routers.
Thanks,
Alexandru.
05-08-2008 02:48 AM
Hi,
The same configurations of regular IP over GRE should be applied over physical interfaces. Once the tunnel gets an IP, establish your routing protocol and LDP over the tunnel interface. Based on the MPLS application you are going to use, decide the maximum number of labels that will be included in one packet (4 bytes per label), then add the 24 GRE header and adjust your MTU.
Best Regards,
Mounir Mohamed
05-08-2008 03:15 AM
I understand. But I really don't know how I can configure it. I tried something but it isn't working.
I cannot establish the MP-BGP session over my GRE tunnel. I made the GRE tunnel and I put the GRE interface into one VRF.
I'm a little bit lost and I need a configuration example to have a starting point.
Thanks,
Alexandru Nitulescu
05-08-2008 12:46 PM
Hello Alexandru,
One thing is to have a GRE tunnel as a VRF access link; another, different matter is to use the GRE tunnel as your backbone link between PE routers.
In a few words, to support MPLS forwarding and signaling you enable MPLS on the tunnel interface with the mpls ip command.
PE1
interface tunnel 12
 tunnel source
 tunnel destination < remote PE pub ip address >
 ip address 10.x.y.1 255.255.255.252
 mpls ip
 ! some mtu fixing may be necessary
interface loop5
 ip address 172.16.12.1 255.255.255.255
an IGP running over 10.x.y.0/30 + mpls ldp router-id loop5 or change mpls source on the tunnel
router ospf 12
 network 10.x.y.0 0.0.0.3 area 0
 network 172.16.12.1 0.0.0.0 area 0
!
router bgp 12
 address-family vpnv4
  neighbor 172.16.12.2 activate
  neighbor 172.16.12.2 update-source loop5
  neigh 172.16.12.2 send-community both
Constraint:
the public ip addresses are different from 10.x.y.0/30 and 172.16.12.x and must be known / advertised
public ip addresses mustn't be advertised over IGP running over GRE tunnel (try and see what happens ...)
hope to help
Giuseppe
05-09-2008 05:01 AM
Thanks a lot for helping me. I will try to configure it the way you suggest next week to see what happens.
05-08-2008 01:22 PM
Hi Alex,
MP-BGP and LDP running smooth over GRE.
Here is an example of 2 PE routers (R4 and R5) that have a GRE tunnel established and up between each other, with MP-BGP and LDP running over the tunnel.
In the example below I used loopback 400 and 500 on R4 and R5 as CE routers under VRF VPN-A. Also, the MTU configurations below are for MPLS-VPN only; if you are going to use AToM or TE you need to increase the MTU (4 bytes per label).
((R4))
ip vrf VPN-A
 rd 150.1.1.1:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback400
 ip vrf forwarding VPN-A
 ip address 20.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 150.1.1.1 255.255.255.252
 ip mtu 1524
 mpls ip
 mpls mtu 1532
 keepalive 10 3
 tunnel source Serial1/0
 tunnel destination 10.10.45.5
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.1.2 remote-as 1
 no auto-summary
 !
 address-family vpnv4
  neighbor 150.1.1.2 activate
  neighbor 150.1.1.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
((R5))
ip vrf VPN-A
 rd 150.1.1.2:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback500
 ip vrf forwarding VPN-A
 ip address 10.1.1.5 255.255.255.0
!
interface Tunnel1
 ip address 150.1.1.2 255.255.255.252
 ip mtu 1524
 mpls ip
 mpls mtu 1532
 keepalive 10 3
 tunnel source Serial0/0/0
 tunnel destination 10.10.45.4
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.1.1 remote-as 1
 no auto-summary
 !
 address-family vpnv4
  neighbor 150.1.1.1 activate
  neighbor 150.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
R5#show ip route vrf VPN-A bgp
20.0.0.0/24 is subnetted, 1 subnets
B 20.1.1.0 [200/0] via 150.1.1.1, 00:06:34
R5#ping vrf VPN-A 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms
R5#ping vrf VPN-A
Protocol [ip]:
Target IP address: 20.1.1.1
Repeat count [5]:
Datagram size [100]: 1508
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1508-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 776/776/776 ms
R5#show ip bg vp al summary
BGP router identifier 100.10.10.5, local AS number 1
BGP table version is 5, main routing table version 5
3 network entries using 411 bytes of memory
3 path entries using 204 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1011 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 15 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
150.1.1.1 4 1 30 30 5 0 0 00:13:16 1
Best Regards,
Mounir Mohamed
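Added example (not code from any poster in this thread): the original question was about encrypting traffic between the PEs, and GRE by itself does not encrypt. This Python script audits an IOS-style configuration for tunnel interfaces that run `mpls ip` without a `tunnel protection ipsec` line, and derives the label headroom from `mpls mtu` minus `ip mtu` at 4 bytes per label. The Tunnel2 block and the profile name EXAMPLE-PROFILE are constructed for illustration.

```python
import re

LABEL_BYTES = 4  # per the thread: 4 bytes per MPLS label

def parse_interfaces(config):
    """Split indented IOS-style config text into {interface: [sub-commands]}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface\s+(.+)", raw, re.I)
        if m:
            current = interfaces.setdefault(m.group(1).replace(" ", ""), [])
        elif current is not None and raw[:1] in (" ", "\t"):
            current.append(raw.strip().lower())
        else:
            current = None  # "!" or a new top-level command ends the block
    return interfaces

def audit_tunnels(config):
    """Return findings for every tunnel interface that has 'mpls ip' enabled."""
    report = {}
    for name, cmds in parse_interfaces(config).items():
        if not name.lower().startswith("tunnel") or "mpls ip" not in cmds:
            continue
        found = (re.match(r"(ip|mpls) mtu (\d+)$", c) for c in cmds)
        mtu = {m[1]: int(m[2]) for m in found if m}
        labels = None  # unknown unless both MTU values are configured
        if len(mtu) == 2:
            labels = (mtu["mpls"] - mtu["ip"]) // LABEL_BYTES
        report[name] = {
            "ipsec_protected": any(c.startswith("tunnel protection ipsec") for c in cmds),
            "label_headroom": labels,
        }
    return report

# Tunnel1 mirrors R4 in the post above; Tunnel2 is constructed for contrast.
SAMPLE = """\
interface Tunnel1
 ip mtu 1524
 mpls ip
 mpls mtu 1532
 tunnel destination 10.10.45.5
!
interface Tunnel2
 ip mtu 1524
 mpls ip
 mpls mtu 1536
 tunnel protection ipsec profile EXAMPLE-PROFILE
"""

if __name__ == "__main__":
    for tunnel, findings in audit_tunnels(SAMPLE).items():
        print(tunnel, findings)
```

On the R4 values the headroom comes out at 2 labels, which matches the "MPLS-VPN only" remark in the post; the parser expects indented text as printed by `show running-config`.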
05-09-2008 05:03 AM
Thanks a lot. I will configure it and see the results. I'll keep you informed regarding the results.
Thanks again,
Alexandru
05-10-2008 02:56 AM
Welcome Alex, interested to know your results.
05-09-2008 06:05 AM
Hi Mounir,
The configuration you posted is really useful.
I have some questions:
======================
What is the difference between MP-BGP and BGP?
Do you have a "Sample Template" for an MP-BGP configuration between PE-PE?
In the above configuration, there is a tunnel between the PEs to form the MP-BGP mesh. In this case, if I have 10 PEs for example, should I run a tunnel between each of them to complete the MP-BGP mesh?
Thanks in Advance.
Best Regards,
Guru Prasad R
05-10-2008 03:00 AM
Hi Guru,
BGP was originally designed to carry routing information only for the IPv4 address family.
But this was actually a limitation for BGP, because there are so many protocols that need to be carried as well, so the IETF standardized the Multiprotocol Extensions for BGP. This extension allows BGP4 to carry routing information for multiple network layer protocols like (IPv6, IPX, and VPNv4).
Regarding the MP-BGP configurations of PE-to-PE, this is not the common case; usually an MP-BGP Route-Reflector is used to save resources and overhead.
Please rate helpful posts.
Best Regards,
Mounir Mohamed
05-10-2008 07:06 AM
Great explanation Mounir. I just wanted to add that this extension to BGP-4 is defined by RFC2858 for those interested to learn a bit more about it.
http://www.ietf.org/rfc/rfc2858.txt?number=2858
Regards,
05-10-2008 11:31 PM
Hi Harold,
Thanks for your great remembered point :)
Best Regards,
Mounir Mohamed
05-11-2008 04:10 AM
Hi Mounir & Harold,
That's a Master-piece of the POST.
Have Rated both.
Best Regards,
Guru Prasad R
12-29-2011 01:14 PM
Hello, I came across this post when I was troubleshooting an MPLS over GRE issue I had. I configured everything else the same except the tunnel interfaces on R4 and R5. Highlighted in bold.
! On R4
interface Tunnel1
 ip unnumbered loopback 0
 mpls ip
 tunnel source loopback 0
 tunnel destination 5.5.5.5 ! R5's loop 0
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 1
 neighbor 5.5.5.5 update-source loop 0
 no auto-summary
......
! R5 has the similar configuration
Now the tunnel came up and LDP also built adj over the tunnel, confirmed by "show mpls ldp nei". I can see the vrf routes populated on both PEs. The CE also learned the routes from the other end. The issue is that no traffic can be passed. After doing a traceroute from the CE, it dies at the first PE it is connected to. Can someone tell me why my tunnel configuration would not work?
12-29-2011 01:46 PM
Hello,
Just a quick hint: try to remove the IP Unnumbered from the tunnel interfaces and instead, assign them with unique addresses. Then set up the BGP peering to use the tunnel addresses instead of the loopbacks.
Best regards,
Peter