GRE tunnel between 3560 and Cisco 2801

Unanswered Question
Jul 18th, 2008

Is GRE supported on the 3560?


I will have two Cisco ASAs between the 3560 and 2801 passing the GRE over IPSEC and also EIGRP traffic as well. Is this possible? The plan is to route multicast PIM and multicast traffic across the GRE tunnel.

Edison Ortiz Fri, 07/18/2008 - 07:11

Yes, the 3560 supports GRE tunnels


Switch#sh ver | i IOS

Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEC2, RELEASE SOFTWARE (fc1)


Switch#sh int | i Tun

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Tunnel source 10.1.1.2 (Vlan1), destination 10.1.1.1, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255


HTH,


__


Edison.


Please rate helpful posts


a.alekseev Fri, 07/18/2008 - 07:29

Hi, Edison Ortiz

look at your sh ver


3550 and 3560 have different hardware.

Edison Ortiz Fri, 07/18/2008 - 07:36

Good catch. I just grabbed a CCIE rack w/o noticing the hardware.


Let me test in a 3560...



tdrais Fri, 07/18/2008 - 07:16


Edit: I was going to say not, but they may have added support in a later release.

Edison Ortiz Fri, 07/18/2008 - 07:35

Hi Tim,


I was able to configure but the documentation says otherwise:


Q. Does the Cisco Catalyst 3560-E support generic routing encapsulation (GRE) tunneling?

A. No. The Cisco Catalyst 3560-E can switch "transient" GRE tunneled traffic in hardware at wire rate, but it cannot act as a GRE tunnel endpoint. Future support of GRE tunneling in software is possible


http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/prod_qas0900aecd805bacc7.html


Strange ...


___


Edison.

a.alekseev Fri, 07/18/2008 - 07:21

GRE is not supported on the 3560 as well as on the 3750. This is a hardware limitation.


By the way, GRE is supported in software on the 3550.


Use a router instead.



francisco_1 Fri, 07/18/2008 - 07:29

Not sure why Cisco would enable it on a lower-end switch like the 3550 and not on the 3560!

tdrais Fri, 07/18/2008 - 07:30

That makes more sense. I knew you could configure it on the 3550 even though it very clearly says in the documentation that it is not supported. Never tried it on a 3560 since it says it is not supported and figured they patched it to not take the commands.

sundar.palaniappan Fri, 07/18/2008 - 07:35

Good catch there a.alekseev.


Deserves a '5' rating ;-) Have rated '5'

francisco_1 Fri, 07/18/2008 - 07:43

I also get the output below on my 3560!


switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Edison Ortiz Fri, 07/18/2008 - 07:46

switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255


You need to specify the tunnel source and destination.


tdrais Fri, 07/18/2008 - 07:46

Sure does. I tried it also, even though the documentation clearly says it does not support the global command "interface tunnel".


Found this, and I assume it applies to the 3560 also:


High CPU Utilization After Enabling GRE Tunnels


Generic Routing Encapsulation (GRE) tunnels are not supported on the Cisco Catalyst 3550 Switch. Even though the CLI commands are there to configure the GRE, it is not officially supported. Refer to the Unsupported VPN Configuration Commands section of Unsupported CLI Commands for Catalyst 3550 for this information. The reason for this is that the Cisco Catalyst 3550 Switch uses hardware-based Cisco Express Forwarding (CEF) switching. There is no method to CEF-switch GRE packets. GRE packets must be encapsulated by the software. The hardware does not have the capability to encapsulate the packets. Consequently, this traffic is processed or software switched. The process or software switched traffic can quickly cause the CPU to spike.

Edison Ortiz Fri, 07/18/2008 - 07:50

Good find, Tim! The problem is the feature is software driven, hence not recommended or supported in 35xx.


__


Edison.

rsgamage1 Fri, 07/18/2008 - 07:58

So that's what FN says if you search by feature.

francisco_1 Fri, 07/18/2008 - 07:50

I also get the output below on my 3560!


switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Edison Ortiz Fri, 07/18/2008 - 07:44

Verified with 3560s this time :)


Rack1SW2#sh ver | i IOS

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)

!

!

!

Rack1SW2#sh int | i Tun

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Tunnel source 150.1.8.8 (Loopback0), destination 150.1.7.7, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

!

!

!

Rack1SW2#sh run | be Tunnel

interface Tunnel0

ip address 9.9.9.2 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.7.7


!

!


Verify that multicast actually works


Rack1SW2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Rack1SW2(config)#router eigrp 1

Rack1SW2(config-router)#net 9.9.9.2 255.255.255.0

Rack1SW2(config-router)#no aut

Rack1SW2(config-router)#end

Rack1SW2#

Rack9Pod1>1

[Resuming connection 1 to SW1 ... ]


3w

Rack1SW1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Rack1SW1(config)#router eigrp 1

Rack1SW1(config-router)#net 9.9.9.1 255.255.255.0

Rack1SW1(config-router)#end

Rack1SW1#

3w0d: %SYS-5-CONFIG_I: Configured from console by console

Rack1SW1#

3w0d: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 9.9.9.2 (Tunnel0) is up: new adjacency

Rack1SW1#sh ip eigrp ne

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

1 183.1.107.10 Fa0/14 14 1w3d 1 200 0 494

0 183.1.17.1 Fa0/1 13 1w4d 1 200 0 618

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.2 Tu0 14 00:00:15 764 5000 0 1

Rack1SW1#

rsgamage1 Fri, 07/18/2008 - 07:47

So how reliable is the Cisco FN in situations like this?



a.alekseev Fri, 07/18/2008 - 08:01

Try to forward traffic through the tunnel.

Edison Ortiz Fri, 07/18/2008 - 08:10

Rack1SW1#show ip route eigrp 1

91.0.0.0/24 is subnetted, 1 subnets

D 91.91.91.0 [90/297372416] via 9.9.9.2, 00:00:33, Tunnel0

Rack1SW1#ping 91.91.91.2


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 91.91.91.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 67/70/76 ms

Rack1SW1#telnet 91.91.91.2

Trying 91.91.91.2 ... Open



User Access Verification


Password:

rsgamage1 Fri, 07/18/2008 - 08:11

Any impact on the CPU utilization?

Edison Ortiz Fri, 07/18/2008 - 08:14

I was routing 1 network.


I checked the CPU and it showed no spike. Not sure how it would behave with a lot of traffic. Most likely, it will spike the CPU since packets will be process switched.


Not a recommended solution, but tunneling in the 3560 does work.

rsgamage1 Fri, 07/18/2008 - 08:20

So the point here is whether it is 'usable' or not?


As most of the documents clearly indicated, it is not recommended/fully supported for "some" reason (CPU, etc.).


Is this a generic rule for Catalyst 2XXX and 3XXX?


Are there any exceptions?


Edison: As an NCE, would you suggest that Netpros rely on Cisco Feature Navigator?



Edison Ortiz Fri, 07/18/2008 - 08:28

Right, the feature works but is not recommended due to a hardware limitation.


The problem is that Cat3xxx shares a lot of the code from regular IOS routers and while the commands are available, the feature does not work. Some QoS commands and ip accounting come to mind. While you can enter the commands in the CLI, they do nothing.


In this case, the tunnel actually works and transports data. In a pinch, you can configure a tunnel with a 3560, but I wouldn't recommend such a design in a production environment. A large amount of data via the tunnel can result in a denial of service on the switch.


The Feature Navigator is a solid search engine. With that said, there are a lot of Cisco products out there and there are times when all the features/services aren't incorporated in the tool. Best bet is to double-check a feature/service by looking at the product's Release Notes.


HTH,


__


Edison.

rsgamage1 Fri, 07/18/2008 - 12:41

Edison,


Great explanation!


Thanks for your valued thoughts and time..5+ :)

a.alekseev Fri, 07/18/2008 - 09:07

This is locally generated traffic...



Edison Ortiz Fri, 07/18/2008 - 09:37

interface Loopback91

ip address 91.91.91.2 255.255.255.0

interface Tunnel0

ip address 9.9.9.2 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.7.7

router eigrp 1

network 9.9.9.0 0.0.0.255

network 91.91.91.0 0.0.0.255

no auto-summary


Rack1SW2#sh ip eigrp neighbors tunnel 0

IP-EIGRP neighbors for process 100

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.1 Tu0 13 00:01:34 59 5000 0 3

Rack1SW2#


interface Tunnel0

ip address 9.9.9.1 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.8.8


router eigrp 1

network 9.9.9.0 0.0.0.255

no auto-summary


Rack1SW1#sh ip eigrp ne tunnel 0

IP-EIGRP neighbors for process 100

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.2 Tu0 12 00:02:21 285 5000 0 3

Rack1SW1#


!

!

!

Rack1R1(config)#ip route 9.9.9.0 255.255.255.0 183.1.17.7

Rack1SW2(config)#ip route 183.1.17.0 255.255.255.0 9.9.9.1



Rack1R1#trace 9.9.9.2


Type escape sequence to abort.

Tracing the route to 9.9.9.2


1 183.1.17.7 0 msec 4 msec 0 msec

2 9.9.9.2 45 msec * 40 msec

Rack1R1#telnet 9.9.9.2

Trying 9.9.9.2 ... Open



User Access Verification


Password:

Rack1SW2>


Rack1SW2#sh int tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 9.9.9.2/24

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 150.1.8.8 (Loopback0), destination 150.1.7.7, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Checksumming of packets disabled, fast tunneling enabled

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

140 packets input, 11041 bytes, 0 no buffer

Received 0 broadcasts (86 IP multicast)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

128 packets output, 10944 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out



a.alekseev Fri, 07/18/2008 - 09:54

Edison Ortiz


Thank you for your patience. 5 points :)


But could you add some device behind the 3560?

Edison Ortiz Fri, 07/18/2008 - 10:28

Rack 1 Router will connect to 92.92.92.2 via Tunnel.


Router 1 is directly attached to SW1

Router 2 is directly attached to SW2

Router 2 is announcing 92.92.92.2 via OSPF


Rack1R2#sh ip os int bri

Interface PID Area IP Address/Mask Cost State Nbrs F/C

Lo92 1 0 92.92.92.2/24 1 LOOP 0/0

Fa0/0 1 0 183.1.28.2/24 1 BDR 1/1

Rack1R2#


!

!

Rack1SW2#sh ip route os

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/2] via 183.1.28.2, 00:01:44, Vlan28

!

!

Rack1SW1#sh ip route os

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/11113] via 9.9.9.2, 00:02:01, Tunnel0

!

!

Rack1R1#sh ip route os

9.0.0.0/24 is subnetted, 1 subnets

O 9.9.9.0 [110/11112] via 183.1.17.7, 00:02:19, FastEthernet0/0

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/11114] via 183.1.17.7, 00:02:19, FastEthernet0/0


!

!

!

Rack1R1#trace 92.92.92.2


Type escape sequence to abort.

Tracing the route to 92.92.92.2


1 183.1.17.7 0 msec 4 msec 0 msec

2 9.9.9.2 36 msec 36 msec 44 msec

3 183.1.28.2 36 msec * 32 msec

Rack1R1#

!

!

!

Rack1R1#ping 92.92.92.2 repeat 100000


Type escape sequence to abort.

Sending 100000, 100-byte ICMP Echos to 92.92.92.2, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


!

!


Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1061 packets output, 141750 bytes, 0 underruns

Rack1SW1#sh int tunnel 0 | i packets output

1075 packets output, 143682 bytes, 0 underruns

Rack1SW1#sh int tunnel 0 | i packets output

1090 packets output, 145752 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1213 packets output, 162692 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1259 packets output, 169040 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1321 packets output, 177562 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#


___


This is it for me. I'm done testing.
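
The CPU check in the last test can be repeated on pasted CLI output with a small parser. This is an added example, not part of the original thread: it pairs the tunnel output counters with the five-second CPU samples, and `cpu_limit` is a hypothetical alert threshold rather than a Cisco value.

```python
import re

# Constructed sample: the command output lines from the CPU test above,
# in the order they were captured on Rack1SW1.
SESSION = """\
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
1061 packets output, 141750 bytes, 0 underruns
1075 packets output, 143682 bytes, 0 underruns
1090 packets output, 145752 bytes, 0 underruns
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 7%
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
1213 packets output, 162692 bytes, 0 underruns
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
1259 packets output, 169040 bytes, 0 underruns
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
1321 packets output, 177562 bytes, 0 underruns
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
"""

# "X%/Y%": X is total CPU, Y is the share spent at interrupt level.
CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")
PKT_RE = re.compile(r"(\d+) packets output, (\d+) bytes")

def summarize(text, cpu_limit=50):
    """Correlate tunnel output counters with CPU samples from pasted CLI output.

    cpu_limit is a hypothetical alert threshold (percent), not a Cisco value.
    """
    cpu, counters = [], []
    for line in text.splitlines():
        if m := CPU_RE.search(line):
            cpu.append((int(m[1]), int(m[2])))
        elif m := PKT_RE.search(line):
            counters.append((int(m[1]), int(m[2])))
    if not cpu or len(counters) < 2:
        raise ValueError("need at least one CPU sample and two counter samples")
    packets = counters[-1][0] - counters[0][0]
    if packets < 0:
        raise ValueError("counters went backwards (cleared or wrapped)")
    # Process-switched packets are charged to process level: total minus interrupt.
    peak_process = max(total - intr for total, intr in cpu)
    return {
        "tunnel_packets": packets,
        "tunnel_bytes": counters[-1][1] - counters[0][1],
        "peak_total_cpu": max(total for total, _ in cpu),
        "peak_process_cpu": peak_process,
        "alert": packets > 0 and peak_process >= cpu_limit,
    }

if __name__ == "__main__":
    print(summarize(SESSION))
```

On the thread's own numbers this reports 260 tunnel packets against a peak of 8% CPU, which is too little traffic to say how the switch behaves under load.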
