Bridging over GRE - is it possible?

Aug 6th, 2007

Hi,


Does anyone know whether bridging [Transparent, IRB, CRB] is possible over IPsec/GRE? I've tried various configurations but it never seems to work. The IOS I'm using at the moment is 123-11.T10.


Here's one example of the config I am using [mirrored at the other end]:


!
bridge irb
!
!
interface Tunnel2
 description Primary Tunnel to SpokeA
 bandwidth 1024
 ip unnumbered Loopback0
 ip tcp adjust-mss 1340
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 172.20.66.40
 bridge-group 1
!
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
!
ip http server
no ip http secure-server
!
!
bridge 1 protocol ieee
bridge 1 route ip
!


Many thanks.


Richard Burts Mon, 08/06/2007 - 09:52

Ziad


I believe that the general answer to your question is that it is possible to send bridged traffic over a GRE tunnel. However this is not officially supported by Cisco. This means that the traffic might go across the tunnel but that if there is some problem Cisco is not obligated to do anything about the problem. I might do this in a lab situation. But I would be very reluctant to put production traffic into a "not supported" mechanism.


The configuration that you posted is using IRB and routing IP. Is there a physical interface with bridge-group 1 configured in addition to the tunnel? Is there non-routed (bridged) traffic - non IP traffic - going through this interface? If so I would expect it to go through the tunnel?


HTH


Rick

ziaddar786 Mon, 08/06/2007 - 10:24

Hi Rick.


Many thanks for your help. I have attached 3 configs, SpokeA, Internet_Sim, and HubA.[Very basic]. I applied the bridge-group command on the WAN interfaces too but to no avail. Could you point me in the right direction of a config which does work? I understand Cisco may not support bridging over GRE but a working config may give me some idea of where I am going wrong.


Many thanks for your help.




Richard Burts Mon, 08/06/2007 - 11:07

Ziad


There are a number of issues and ambiguities in the configs that you have posted.

- you are configuring IRB and specifying that IP is routed. So what traffic are you going to bridge?

- you have configured bridge-group only on the tunnel interface. For bridging to work there must be a bridge-group on at least 2 interfaces, an interface where the bridged traffic arrives and the interface where the bridged traffic exits.

- you have configured EIGRP 100 to run over the tunnel. But since it runs on no other interfaces it has nothing to advertise. What good is a dynamic routing protocol if it has nothing to advertise?


I see that you have configured keepalives on the GRE tunnel. Do the tunnels come up and stay up (do the keepalives work)?


HTH


Rick

ziaddar786 Tue, 08/07/2007 - 02:17

Hi Rick,


Thanks for the info, the EIGRP is part of a legacy setup and I have now removed it. I've also removed IRB completely - this is so I have a base setup and can work my way upwards. The keepalives do work, debugs are at the end of the HUB-A config.


At the Hub end it looks promising...


HUB-A#show bridge verbose

Total of 300 station blocks, 300 free
Codes: P - permanent, S - self

Flood ports (BG 1)     RX count    TX count
FastEthernet0/1              58           0
Tunnel2                       0          58


However the spoke end doesn't RX or TX anything.


I've attached the updated configs too.


Many thanks.




Richard Burts Tue, 08/07/2007 - 06:14

Ziad


I have looked at the new config files that you posted. I am glad to see the EIGRP and the IRB removed from the configs. I agree that establishing a base setup is good and you can work up from there. In that way I would suggest that you remove the crypto map from the physical interfaces in both routers. Let's take IPSec VPN out of the picture until you have bridging working and have the GRE tunnels working.


I notice on the spoke router that the FastEthernet0/0 is configured with no keepalive. I wonder why this is? Is there something connected on this port to generate traffic and to receive traffic? If not bridging will have a difficult time working.


HTH


Rick

ziaddar786 Wed, 08/08/2007 - 02:16

Hi Rick.


I've removed the crypto, enabled keepalive on the LAN interface. Looks worse than before, now the hub end doesn't register any TX/RX.


I have also included show arp, show bridge group, and bridge verbose.


Many thanks for your help.




Richard Burts Wed, 08/08/2007 - 06:55

Ziad


These configs do seem to get us to the point where we have a basic config and this will allow us to focus on the fundamentals of getting bridged traffic over the GRE tunnels. In terms of the mechanics of the config and of syntax these are now configs that should work.


I believe that there is a conceptual question which we now need to address. In several of my previous posts I have asked questions that I now believe are central to the problem:

Is there non-routed (bridged) traffic - non IP traffic - going through this interface?

and

you are configuring IRB and specifying that IP is routed. So what traffic are you going to bridge?


I believe that the crux of the problem now is what traffic will be bridged? If you are routing IP then IP can not be bridged. So what traffic is there that will be bridged? If there were IPX traffic, or SNA traffic, or some other non-routed protocol traffic on the FastEthernet interface then I believe that it would be bridged and carried over the tunnel. But what traffic is there that should be bridged?


HTH


Rick
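
[Added example, not part of any post in this thread and not Cisco tooling: a small Python check for the two config questions raised in the replies above, namely that a bridge group needs a bridge-group statement on at least two interfaces, and that a group with "route ip" leaves open what traffic is bridged. The sample config is constructed, modelled on the one in the first post; the function name and finding labels are hypothetical.]

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the config in the first post.
SAMPLE_CONFIG = """\
bridge irb
!
interface Tunnel2
 tunnel source Loopback1
 tunnel destination 172.20.66.40
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
bridge 1 protocol ieee
bridge 1 route ip
"""

def audit_bridging(config):
    """Return sorted (bridge_group, finding) pairs for an IOS-style config."""
    members = defaultdict(list)  # group -> interfaces carrying 'bridge-group N'
    routed = defaultdict(set)    # group -> protocols in 'bridge N route <proto>'
    groups = set()
    current = None               # interface whose sub-commands are being read
    for raw in config.splitlines():
        line = raw.strip()       # tolerate pasted configs that lost indentation
        if line.startswith("!"):
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif (m := re.match(r"bridge-group (\d+)\b", line)) and current:
            groups.add(int(m.group(1)))
            members[int(m.group(1))].append(current)
        elif m := re.fullmatch(r"bridge (\d+) (protocol|route) (\S+)", line):
            groups.add(int(m.group(1)))
            if m.group(2) == "route":
                routed[int(m.group(1))].add(m.group(3))
    findings = []
    for g in sorted(groups):
        if len(members[g]) < 2:   # no second port for bridged frames to use
            findings.append((g, "fewer-than-two-member-interfaces"))
        if "ip" in routed[g]:     # IP is routed here: what is left to bridge?
            findings.append((g, "ip-is-routed-check-what-is-bridged"))
    return findings

if __name__ == "__main__":
    for group, finding in audit_bridging(SAMPLE_CONFIG):
        print(f"bridge-group {group}: {finding}")
```
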


ziaddar786 Wed, 08/08/2007 - 08:01

Hi Rick.


SNA traffic needs to be bridged and unfortunately I do not have access to an AS400.


I think I may have to test the config in a live environment.