
Multiple GRE tunnels same Tunnel SRC IP/DESIP without tunnel key scenario

sarahr202

Hi everybody,

Quick question for you guys:

SET UP:

(loop: 1.1.1.1/32)  R1 --f0/0 (12.12.12.1)------(12.12.12.2)f0/0 R2 ( loop: 2.2.2.2/32)

R1:

tunnel 1

ip address 192.192.192.1/24

tunnel source 12.12.12.1

tunnel destination 12.12.12.2

tunnel 2

ip address 10.10.10.1/24

tunnel source 12.12.12.1

tunnel destination 12.12.12.2

ip route 2.2.2.2/32 tun1

R2:

tunnel 1

ip address 192.192.192.2/24

tunnel source 12.12.12.2

tunnel destination 12.12.12.1

tunnel 2

ip address 10.10.10.2/24

tunnel source 12.12.12.2

tunnel destination 12.12.12.1

tunnel 3

ip address 169.169.169.2/24

tunnel source 12.12.12.2

tunnel destination 12.12.12.1

ip route 1.1.1.1/32 tun1

Questions:

When we send the ping to 2.2.2.2 source 1.1.1.1 from R1, R2 always picks the highest tunnel number (which is tunnel 3) to decapsulate the traffic, as shown below:

EXAMPLE:

R1#ping 2.2.2.2 source 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
!!!!!

R2# debug all

R2#=12.12.12.2, len 124, rcvd 2
*Nov 18 15:28:40.563: IP: s=12.12.12.1 (FastEthernet0/0), d=12.12.12.2, len 124, stop process pak for forus packet
*Nov 18 15:28:40.563: Tunnel3: GRE/IP (PS) to decaps 12.12.12.1->12.12.12.2 (tbl=0,"default" len=124 ttl=254)
*Nov 18 15:28:40.563: Tunnel3: GRE decapsulated IP packet (linktype=7, len=100)

R2#show interfaces tunnel 3
 truncated!!


Tunnel source 12.12.12.2, destination 12.12.12.1
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
5 packets input, 620 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
fers swapped out
R2#

R2#show version
Cisco IOS Software, 7200 Software (C7200-ADVIPSERVICESK9-M), Version 15.2(4)S5, RELEASE SOFTWARE (fc1)

1) Is it standard behavior across all IOS versions, or is it particular to this IOS only?

I was under the impression R2 should discard the packet because there was no tunnel key, so R2 cannot decide which tunnel to use to decapsulate the packet, as the outer IP header has SRC IP 12.12.12.1 and DST IP 12.12.12.2, which match the tunnel src/dst configured under all tunnels on R2.

Thanks and have a nice weekend!!


nicholas nelson

sarahr202,

What is the output of show ip cef 1.1.1.1 and show ip route 1.1.1.1? It looks like you are creating a recursive nightmare. The tunnel key is a security feature set that is essentially like a plain text authentication mechanism. For GRE purposes it doesn't help distinguish a tunnel, in the sense of the key being an authentication-like mechanism.

The static route you are defining is saying to use a tunnel interface that all terminate to the same NBMA address. This will cause confusion in any OS with not only the software working correctly but your routing protocols as well.

This looks like you are just labbing this based on the ip addresses and setup.

Thanks Nicholas for your response.

"What is the output of show ip cef 1.1.1.1 and show ip route 1.1.1.1? It looks like you are creating a recursive nightmare."

There is no recursive lookup for 1.1.1.1 on R2, as shown below:

R2#show ip cef 1.1.1.1
0.0.0.0/0
attached to Tunnel1

It is immaterial how R2 routes for 1.1.1.1; we are discussing why R2 chose tunnel 3 to decapsulate the packet received from R1.

"The tunnel key is a security feature set that is essentially like a plain text authentication mechanism"

Tunnel key is not intended for authentication as per RFC 2890:

"The Key field is intended to be used for identifying an individual traffic flow within a tunnel."

"The static route you are defining is saying to use a tunnel interface that all terminate to the same NBMA address"

Not sure what it has to do with R2 picking tunnel 3 to decapsulate the packet from R1.

################

Again, the focus is not how R2 routes traffic for 1.1.1.1 but how R2 receives the GRE-encapsulated packet from R1 using tunnel 3.

It appears to me that for this given IOS, R2 always uses the highest tunnel number to decapsulate the traffic if there are multiple GRE tunnels with the same tunnel src/dest IP and no tunnel key.

Not sure if this is true for other IOS versions too.

Have a nice weekend!!
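
The ambiguity discussed in this thread, as an added example that is not part of any poster's message and is not Cisco's implementation: it parses the GRE header (RFC 2784, with the Key field of RFC 2890) and lists which of R2's tunnels fit an incoming packet by source, destination and key. The `candidates` helper, the tunnel table layout and the key values 1 to 3 are assumptions made for illustration; which of several matching tunnels a given IOS release picks is not modelled.

```python
import struct

GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # Checksum / Key / Sequence present bits
PROTO_IPV4 = 0x0800

def build_gre(key=None, proto=PROTO_IPV4):
    """Build a GRE header (RFC 2784); the Key field (RFC 2890) is optional."""
    if key is None:
        return struct.pack("!HH", 0, proto)
    return struct.pack("!HHI", GRE_K, proto, key)

def parse_gre(header):
    """Return (protocol, key); key is None when the K bit is clear."""
    flags, proto = struct.unpack_from("!HH", header, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_C:  # checksum + reserved1 (4 bytes) precede the key
        offset += 4
    key = None
    if flags & GRE_K:
        (key,) = struct.unpack_from("!I", header, offset)
    return proto, key

def candidates(tunnels, outer_src, outer_dst, gre_header):
    """Names of every tunnel whose (source, destination, key) fits the packet."""
    _, key = parse_gre(gre_header)
    return [t["name"] for t in tunnels
            if t["source"] == outer_dst
            and t["destination"] == outer_src
            and t.get("key") == key]

# R2's three tunnels from the thread: identical endpoints, no tunnel key.
R2_NO_KEY = [{"name": f"Tunnel{n}", "source": "12.12.12.2",
              "destination": "12.12.12.1"} for n in (1, 2, 3)]
# The same tunnels with constructed key values (assumption, not from the thread).
R2_KEYED = [dict(t, key=n) for n, t in enumerate(R2_NO_KEY, start=1)]

if __name__ == "__main__":
    r1, r2 = "12.12.12.1", "12.12.12.2"
    # Keyless packet, keyless tunnels: all three tunnels fit the outer header.
    print(candidates(R2_NO_KEY, r1, r2, build_gre()))
    # Keyed packet, keyed tunnels: exactly one tunnel fits.
    print(candidates(R2_KEYED, r1, r2, build_gre(key=1)))
    # Keyless packet, keyed tunnels: nothing fits.
    print(candidates(R2_KEYED, r1, r2, build_gre()))
```

With no key in the header, the outer addresses are the only selector, so the receiver has nothing in the packet to tell the three tunnels apart.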
