MPLS over GRE tunnels

Answered Question
May 8th, 2008

Hello everybody,

I need some help in configuring MPLS over GRE tunnels. I did not find any proper configuration example to help me. I need to do this to encrypt the traffic between two PE routers. I have 7609 routers.

Thanks,

Alexandru.

mounir.mohamed Thu, 05/08/2008 - 02:48

Hi,

The same configuration as regular IP over GRE should be applied over the physical interfaces. Once the tunnel gets an IP address, establish your routing protocol and LDP over the tunnel interface. Based on the MPLS application you are going to use, decide the maximum number of labels that will be included in one packet (4 bytes per label), then add the 24 GRE header and adjust your MTU.

Best Regards,

Mounir Mohamed

alexandru.nitulescu Thu, 05/08/2008 - 03:15

I understand. But I really don't know how I can configure it. I tried something but it isn't working.

I cannot establish the MP-BGP session over my GRE tunnel. I made the GRE tunnel and I put the GRE interface into one VRF.

I'm a little bit lost and I need a configuration example to have a starting point.

Thanks,

Alexandru Nitulescu

Giuseppe Larosa Thu, 05/08/2008 - 12:46

Hello alexandru,

One thing is to have a GRE tunnel as a VRF access link; another, different matter is to use the GRE tunnel as your backbone link between PE routers.

In a few words, to support MPLS forwarding and signaling you enable MPLS on the tunnel interface with the mpls ip command.

PE1

interface tunnel 12
 tunnel source
 tunnel destination < remote PE pub ip address >
 ip address 10.x.y.1 255.255.255.252
 mpls ip
 ! some mtu fixing may be necessary
!
interface loop5
 ip address 172.16.12.1 255.255.255.255

An IGP running over 10.x.y.0/30 + mpls ldp router-id loop5, or change the mpls source on the tunnel:

router ospf 12
 network 10.x.y.0 0.0.0.3 area 0
 network 172.16.12.1 0.0.0.0 area 0
!
router bgp 12
 address-family vpnv4
  neighbor 172.16.12.2 activate
  neighbor 172.16.12.2 update-source loop5
  neigh 172.16.12.2 send-community both

Constraint:

The public IP addresses are different from 10.x.y.0/30 and 172.16.12.x and must be known / advertised.

Public IP addresses mustn't be advertised over the IGP running over the GRE tunnel (try and see what happens ...)

hope to help

Giuseppe

alexandru.nitulescu Fri, 05/09/2008 - 05:01

Thanks a lot for helping me. I will try to configure it the way you suggest next week to see what happens.

Correct Answer
mounir.mohamed Thu, 05/08/2008 - 13:22

Hi Alex,

MP-BGP and LDP run smoothly over GRE.

Here is an example of 2 PE routers (R4 and R5) that have a GRE tunnel established and up between each other, with MP-BGP and LDP running over the tunnel.

In the example below I used loopback 400 and 500 on R4 and R5 as CE routers under VRF VPN-A. Also, the MTU configuration below is for MPLS-VPN only; if you are going to use AToM or TE you need to increase the MTU (4 bytes per label).

((R4))

ip vrf VPN-A
 rd 150.1.1.1:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback400
 ip vrf forwarding VPN-A
 ip address 20.1.1.1 255.255.255.0
!
interface Tunnel1
 ip address 150.1.1.1 255.255.255.252
 ip mtu 1524
 mpls ip
 mpls mtu 1532
 keepalive 10 3
 tunnel source Serial1/0
 tunnel destination 10.10.45.5
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.1.2 remote-as 1
 no auto-summary
 !
 address-family vpnv4
  neighbor 150.1.1.2 activate
  neighbor 150.1.1.2 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family

((R5))

ip vrf VPN-A
 rd 150.1.1.2:1
 route-target export 1:1
 route-target import 1:1
!
interface Loopback500
 ip vrf forwarding VPN-A
 ip address 10.1.1.5 255.255.255.0
!
interface Tunnel1
 ip address 150.1.1.2 255.255.255.252
 ip mtu 1524
 mpls ip
 mpls mtu 1532
 keepalive 10 3
 tunnel source Serial0/0/0
 tunnel destination 10.10.45.4
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 150.1.1.1 remote-as 1
 no auto-summary
 !
 address-family vpnv4
  neighbor 150.1.1.1 activate
  neighbor 150.1.1.1 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VPN-A
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family

R5#show ip route vrf VPN-A bgp
     20.0.0.0/24 is subnetted, 1 subnets
B       20.1.1.0 [200/0] via 150.1.1.1, 00:06:34

R5#ping vrf VPN-A 20.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 72/72/76 ms

R5#ping vrf VPN-A
Protocol [ip]:
Target IP address: 20.1.1.1
Repeat count [5]:
Datagram size [100]: 1508
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 1508-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
Packet sent with the DF bit set
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 776/776/776 ms

R5#show ip bg vp al summary
BGP router identifier 100.10.10.5, local AS number 1
BGP table version is 5, main routing table version 5
3 network entries using 411 bytes of memory
3 path entries using 204 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP extended community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 1011 total bytes of memory
BGP activity 3/0 prefixes, 3/0 paths, scan interval 15 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
150.1.1.1       4     1      30      30        5    0    0 00:13:16        1

Best Regards,

Mounir Mohamed

alexandru.nitulescu Fri, 05/09/2008 - 05:03

Thanks a lot. I will configure it and see the results. I'll keep you informed regarding the results.

Thanks again,

Alexandru

guruprasadr Fri, 05/09/2008 - 06:05

Hi Mounir,

The Configuration you POSTED is really useful.

I have some Questions:

======================

What is the difference between the MP-BGP and BGP ?

Do you have a "Sample Template" for a MP-BGP Configuration between PE-PE ?

In the above Configuration, there is a Tunnel between the PE-PE to form the MP-BGP Mesh. In this case, if I have 10 PEs for example, should I run a Tunnel between each of them to complete the MP-BGP Mesh?

Thanks in Advance.

Best Regards,

Guru Prasad R

mounir.mohamed Sat, 05/10/2008 - 03:00

Hi Guru,

BGP was originally designed to carry routing information only for the IPv4 address family.

But this was actually a limitation for BGP, because there are so many protocols that need to be carried as well, so the IETF standardized the Multiprotocol Extensions for BGP. This extension allows BGP4 to carry routing information for multiple network layer protocols (like IPv6, IPX, and VPNv4).

Regarding the MP-BGP configuration of PE-to-PE, this is not the common case; usually an MP-BGP Route-Reflector is used to save resources and overhead.

Please rate helpful posts.

Best Regards,

Mounir Mohamed

guruprasadr Sun, 05/11/2008 - 04:10

Hi Mounir & Harold,

That's a Master-piece of the POST.

Have Rated both.

Best Regards,

Guru Prasad R

jackawang Thu, 12/29/2011 - 13:14

Hello, I came across this post when I was troubleshooting an MPLS over GRE issue I had. I configured everything else the same except the tunnel interfaces on R4 and R5. Highlighted in bold.

! On R4
interface Tunnel1
 ip unnumbered loopback 0
 mpls ip
 tunnel source loopback 0
 tunnel destination 5.5.5.5 ! R5's loop 0
!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 neighbor 5.5.5.5 remote-as 1
 neighbor 5.5.5.5 update-source loop 0
 no auto-summary
......
! R5 has the similar configuration

Now the tunnel came up and LDP also built adj over the tunnel, confirmed by "show mpls ldp nei". I can see the vrf routes populated on both PEs. The CE also learned the routes from the other end. The issue is that no traffic can be passed. After doing a traceroute from the CE, it dies at the first PE it connected to. Can someone tell me why my tunnel configuration would not work?

Peter Paluch Thu, 12/29/2011 - 13:46

Hello,

Just a quick hint: try to remove the IP Unnumbered from the tunnel interfaces and instead, assign them with unique addresses. Then set up the BGP peering to use the tunnel addresses instead of the loopbacks.

Best regards,

Peter

jackawang Thu, 12/29/2011 - 14:02

Peter,

Thanks for your quick tip. I know assigning the tunnel a unique address will work because the solution was provided by Mounir in this thread back in 2008. What I'm trying to figure out is why my configuration would not work. I have my reasons not to assign unique addresses to the tunnels.

Peter Paluch Thu, 12/29/2011 - 14:22

Hello,

In my opinion, the main problem concerns the reachability of the loopback address, which also happens to be the tunnel's endpoint. You can't force the router to reach the neighbor's loopback address through the tunnel, as that would cause recursive routing (tunnel endpoint reachable through the tunnel itself). The opposite router's loopback is therefore still reachable through the normal routing, bypassing the tunnel, hence through a path that is not MPLS-enabled. As the NEXT_HOP attribute of routes advertised from the BGP peer will be set to its loopback address, the router will try to forward packets through the non-tunneled, non-MPLS path.

Until there is a unique address on each end of the tunnel, or a new loopback on each router whose reachability is provided exclusively through the tunnel, I do not see how to solve this problem if you insist on running the IP Unnumbered.

Best regards,

Peter
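
The condition described in the reply above (a BGP peer address that is also the tunnel destination, so the VPNv4 next hop resolves over the non-MPLS path) can be checked mechanically in a saved configuration. The Python sketch below is an added example, not part of any post in this thread; the finding names are hypothetical. The `no-tunnel-protection` check is an assumption tied to the original question's goal of encrypting PE-to-PE traffic, and it only looks for a `tunnel protection` line on the tunnel interface itself.

```python
import re

# Constructed sample: R4's tunnel and BGP lines from the unnumbered setup (IOS syntax).
UNNUMBERED = """\
interface Tunnel1
 ip unnumbered loopback 0
 mpls ip
 tunnel source loopback 0
 tunnel destination 5.5.5.5
router bgp 1
 neighbor 5.5.5.5 remote-as 1
"""

# Constructed sample: the same router with a unique /30 on the tunnel.
NUMBERED = """\
interface Tunnel1
 ip address 150.1.1.1 255.255.255.252
 mpls ip
 tunnel source Serial1/0
 tunnel destination 10.10.45.5
router bgp 1
 neighbor 150.1.1.2 remote-as 1
"""

def audit(config):
    """Return sorted finding names for MPLS-enabled tunnels in an IOS config."""
    tunnels, neighbors, section = {}, set(), ""
    for raw in config.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():              # unindented line opens a section
            section = line
        elif section.startswith("interface tunnel"):
            tunnels.setdefault(section, []).append(line)
        elif section.startswith("router bgp"):
            neighbors.update(re.findall(r"^neighbor (\S+) remote-as ", line))
    findings = set()
    for lines in tunnels.values():
        if "mpls ip" not in lines:            # only tunnels used as MPLS links
            continue
        dest = [l.split()[2] for l in lines if l.startswith("tunnel destination ")]
        if any(l.startswith("ip unnumbered ") for l in lines):
            findings.add("unnumbered-mpls-tunnel")
        if dest and dest[0] in neighbors:     # next hop resolves outside the tunnel
            findings.add("bgp-peer-is-tunnel-endpoint")
        if not any(l.startswith("tunnel protection ") for l in lines):
            findings.add("no-tunnel-protection")   # GRE alone does not encrypt
    return sorted(findings)
```

On the two constructed samples, the unnumbered setup raises all three findings, while the numbered /30 setup raises only `no-tunnel-protection`.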

jackawang Thu, 12/29/2011 - 14:52

Peter,

Your logic does make sense. Loop0 is reachable through normal routing and the tunnel so a recursive routing may have occurred. After assigning a unique /30 network to the tunnel, everything started working.

Since we normally use /32 loopback for MPLS routing, would this tunnel+MPLS configuration potentially create any problem?

*Dec 29 14:44:20.897: %BGP-4-VPNV4NH_IF: Nexthop 150.0.0.2 may not be reachable from neigbor 150.0.0.1 - not a loopback

Jack

Peter Paluch Thu, 12/29/2011 - 15:29

Hi Jack,

The warning you are seeing is to make you aware that with non-loopback IP addresses used for BGP peering, a premature PHP may occur, leading to reachability issues. However, as the BGP peers should be peered "over a single link", that is, the tunnel interface, there should be no issues with premature PHP. I see no obvious issues with peering your BGP speakers using tunnel interfaces' addresses.

If you want to be totally on the safe side, give your tunnel an IP space without using IP Unnumbered, and additionally, create a pair of new unique loopbacks on your routers (separate from the loopbacks you are using to define the tunnel source/destination). Then, define a pair of static routes to reach these loopbacks via tunnel interfaces, and peer the BGP using these new loopbacks.

Best regards,

Peter
