GRE tunnel between 3560 and cisco 2801

Jul 18th, 2008

Is GRE supported on the 3560?

I will have two Cisco ASAs between the 3560 and 2801 passing the GRE over IPsec and EIGRP traffic as well. Is this possible? The plan is to route multicast PIM and multicast traffic across the GRE tunnel.

Edison Ortiz Fri, 07/18/2008 - 07:11

Yes, the 3560 supports GRE tunnels

Switch#sh ver | i IOS

Cisco IOS Software, C3550 Software (C3550-IPSERVICESK9-M), Version 12.2(25)SEC2, RELEASE SOFTWARE (fc1)

Switch#sh int | i Tun

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Tunnel source 10.1.1.2 (Vlan1), destination 10.1.1.1, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

HTH,

__

Edison.

Please rate helpful posts

a.alekseev Fri, 07/18/2008 - 07:29

Hi, Edison Ortiz

look at your sh ver

3550 and 3560 have different hardware.

Edison Ortiz Fri, 07/18/2008 - 07:36

Good catch. I just grabbed a CCIE rack w/o noticing the hardware.

Let me test in a 3560...

tdrais Fri, 07/18/2008 - 07:16

Edit: I was going to say not, but they may have added support in a later release.

Edison Ortiz Fri, 07/18/2008 - 07:35

Hi Tim,

I was able to configure but the documentation says otherwise:

Q. Does the Cisco Catalyst 3560-E support generic routing encapsulation (GRE) tunneling?

A. No. The Cisco Catalyst 3560-E can switch "transient" GRE tunneled traffic in hardware at wire rate, but it cannot act as a GRE tunnel endpoint. Future support of GRE tunneling in software is possible

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps7078/prod_qas0900aecd805bacc7.html

Strange ...

___

Edison.

a.alekseev Fri, 07/18/2008 - 07:21

GRE is not supported on 3560 as well as on 3750. This is a hardware limitation.

By the way GRE is supported in software on 3550.

Use a router instead.

francisco_1 Fri, 07/18/2008 - 07:29

Not sure why Cisco would enable it on a lower-end switch like the 3550 and not on the 3560!

tdrais Fri, 07/18/2008 - 07:30

That makes more sense. I knew you could configure it on 3550 even though it very clearly says in the documentation that it is not supported. Never tried it on a 3560 since it says it is not supported and figured they patched it to not take the commands.

francisco_1 Fri, 07/18/2008 - 07:43

I also get the output below on my 3560!

switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Edison Ortiz Fri, 07/18/2008 - 07:46

switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

You need to specify the tunnel source and destination.

tdrais Fri, 07/18/2008 - 07:46

Sure does. I tried it also, even though the documentation clearly says it does not support the global command "interface tunnel".

Found this, and I assume it applies to the 3560 also:

High CPU Utilization After Enabling GRE Tunnels

Generic Routing Encapsulation (GRE) tunnels are not supported on the Cisco Catalyst 3550 Switch. Even though the CLI commands are there to configure the GRE, it is not officially supported. Refer to the Unsupported VPN Configuration Commands section of Unsupported CLI Commands for Catalyst 3550 for this information. The reason for this is that the Cisco Catalyst 3550 Switch uses hardware-based Cisco Express Forwarding (CEF) switching. There is no method to CEF-switch GRE packets. GRE packets must be encapsulated by the software. The hardware does not have the capability to encapsulate the packets. Consequently, this traffic is processed or software switched. The process or software switched traffic can quickly cause the CPU to spike.

Edison Ortiz Fri, 07/18/2008 - 07:50

Good find, Tim! The problem is the feature is software driven, hence not recommended or supported in 35xx.

__

Edison.

francisco_1 Fri, 07/18/2008 - 07:50

I also get the output below on my 3560!

switch#sh int | i Tun

Tunnel10 is up, line protocol is down

Hardware is Tunnel

Tunnel source UNKNOWN

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Edison Ortiz Fri, 07/18/2008 - 07:44

Verified with 3560s this time :)

Rack1SW2#sh ver | i IOS

Cisco IOS Software, C3560 Software (C3560-IPSERVICESK9-M), Version 12.2(25)SEE4, RELEASE SOFTWARE (fc1)

!

!

!

Rack1SW2#sh int | i Tun

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Tunnel source 150.1.8.8 (Loopback0), destination 150.1.7.7, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

!

!

!

Rack1SW2#sh run | be Tunnel

interface Tunnel0

ip address 9.9.9.2 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.7.7

!

!

Verify that multicast actually works

Rack1SW2#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Rack1SW2(config)#router eigrp 1

Rack1SW2(config-router)#net 9.9.9.2 255.255.255.0

Rack1SW2(config-router)#no aut

Rack1SW2(config-router)#end

Rack1SW2#

Rack9Pod1>1

[Resuming connection 1 to SW1 ... ]

3w

Rack1SW1#conf t

Enter configuration commands, one per line. End with CNTL/Z.

Rack1SW1(config)#router eigrp 1

Rack1SW1(config-router)#net 9.9.9.1 255.255.255.0

Rack1SW1(config-router)#end

Rack1SW1#

3w0d: %SYS-5-CONFIG_I: Configured from console by console

Rack1SW1#

3w0d: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 1: Neighbor 9.9.9.2 (Tunnel0) is up: new adjacency

Rack1SW1#sh ip eigrp ne

IP-EIGRP neighbors for process 100

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

1 183.1.107.10 Fa0/14 14 1w3d 1 200 0 494

0 183.1.17.1 Fa0/1 13 1w4d 1 200 0 618

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.2 Tu0 14 00:00:15 764 5000 0 1

Rack1SW1#

Edison Ortiz Fri, 07/18/2008 - 08:10

Rack1SW1#show ip route eigrp 1

91.0.0.0/24 is subnetted, 1 subnets

D 91.91.91.0 [90/297372416] via 9.9.9.2, 00:00:33, Tunnel0

Rack1SW1#ping 91.91.91.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 91.91.91.2, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 67/70/76 ms

Rack1SW1#telnet 91.91.91.2

Trying 91.91.91.2 ... Open

User Access Verification

Password:

Edison Ortiz Fri, 07/18/2008 - 08:14

I was routing 1 network.

I checked the CPU and it showed no spike. Not sure how it would behave with a lot of traffic. Most likely, it will spike the CPU since packets will be process switched.

Not a recommended solution but tunneling in the 3560 does work.

rsgamage1 Fri, 07/18/2008 - 08:20

So the point here is whether it is 'usable' or not?

As most of the documents clearly indicated, it is not recommended/fully supported for "some" reason (CPU, etc.).

Is this a generic rule for Catalyst 2XXX and 3XXX?

Are there any exceptions?

Edison: As a NCE would you suggest that Netpros rely on Cisco Feature Navigator?

Edison Ortiz Fri, 07/18/2008 - 08:28

Right, the feature works but is not recommended due to hardware limitation.

The problem is that Cat3xxx shares a lot of the code from regular IOS routers and while the commands are available, the feature does not work. Some QoS commands and ip accounting come to mind. While you can enter the commands in the CLI, they do nothing.

In this case, the tunnel actually works and transports data. In a pinch, you can configure a tunnel with a 3560 but I wouldn't recommend such a design in a production environment. A large amount of data via the tunnel can result in a denial of service on the switch.

The Feature Navigator is a solid search engine. With that said, there are a lot of Cisco products out there and there are times when all the features/services aren't incorporated in the tool. Best bet is to double-check a feature/service by looking at the product's Release Notes.

HTH,

__

Edison.

rsgamage1 Fri, 07/18/2008 - 12:41

Edison,

Great explanation !

Thanks for your valued thoughts and time..5+ :)

Edison Ortiz Fri, 07/18/2008 - 09:37

interface Loopback91

ip address 91.91.91.2 255.255.255.0

interface Tunnel0

ip address 9.9.9.2 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.7.7

router eigrp 1

network 9.9.9.0 0.0.0.255

network 91.91.91.0 0.0.0.255

no auto-summary

Rack1SW2#sh ip eigrp neighbors tunnel 0

IP-EIGRP neighbors for process 100

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.1 Tu0 13 00:01:34 59 5000 0 3

Rack1SW2#

interface Tunnel0

ip address 9.9.9.1 255.255.255.0

tunnel source Loopback0

tunnel destination 150.1.8.8

router eigrp 1

network 9.9.9.0 0.0.0.255

no auto-summary

Rack1SW1#sh ip eigrp ne tunnel 0

IP-EIGRP neighbors for process 100

IP-EIGRP neighbors for process 1

H Address Interface Hold Uptime SRTT RTO Q Seq Type

(sec) (ms) Cnt Num

0 9.9.9.2 Tu0 12 00:02:21 285 5000 0 3

Rack1SW1#

!

!

!

Rack1R1(config)#ip route 9.9.9.0 255.255.255.0 183.1.17.7

Rack1SW2(config)#ip route 183.1.17.0 255.255.255.0 9.9.9.1

Rack1R1#trace 9.9.9.2

Type escape sequence to abort.

Tracing the route to 9.9.9.2

1 183.1.17.7 0 msec 4 msec 0 msec

2 9.9.9.2 45 msec * 40 msec

Rack1R1#telnet 9.9.9.2

Trying 9.9.9.2 ... Open

User Access Verification

Password:

Rack1SW2>

Rack1SW2#sh int tunnel 0

Tunnel0 is up, line protocol is up

Hardware is Tunnel

Internet address is 9.9.9.2/24

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive not set

Tunnel source 150.1.8.8 (Loopback0), destination 150.1.7.7, fastswitch TTL 255

Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

Tunnel TTL 255

Checksumming of packets disabled, fast tunneling enabled

Last input 00:00:00, output 00:00:00, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

140 packets input, 11041 bytes, 0 no buffer

Received 0 broadcasts (86 IP multicast)

0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

128 packets output, 10944 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

a.alekseev Fri, 07/18/2008 - 09:54

Edison Ortiz

Thank you for your patience. 5 points :)

But could you add some device behind the 3560?

Edison Ortiz Fri, 07/18/2008 - 10:28

Rack 1 Router will connect to 92.92.92.2 via Tunnel.

Router 1 is directly attached to SW1

Router 2 is directly attached to SW2

Router 2 is announcing 92.92.92.2 via OSPF

Rack1R2#sh ip os int bri

Interface PID Area IP Address/Mask Cost State Nbrs F/C

Lo92 1 0 92.92.92.2/24 1 LOOP 0/0

Fa0/0 1 0 183.1.28.2/24 1 BDR 1/1

Rack1R2#

!

!

Rack1SW2#sh ip route os

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/2] via 183.1.28.2, 00:01:44, Vlan28

!

!

Rack1SW1#sh ip route os

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/11113] via 9.9.9.2, 00:02:01, Tunnel0

!

!

Rack1R1#sh ip route os

9.0.0.0/24 is subnetted, 1 subnets

O 9.9.9.0 [110/11112] via 183.1.17.7, 00:02:19, FastEthernet0/0

92.0.0.0/32 is subnetted, 1 subnets

O 92.92.92.2 [110/11114] via 183.1.17.7, 00:02:19, FastEthernet0/0

!

!

!

Rack1R1#trace 92.92.92.2

Type escape sequence to abort.

Tracing the route to 92.92.92.2

1 183.1.17.7 0 msec 4 msec 0 msec

2 9.9.9.2 36 msec 36 msec 44 msec

3 183.1.28.2 36 msec * 32 msec

Rack1R1#

!

!

!

Rack1R1#ping 92.92.92.2 repeat 100000

Type escape sequence to abort.

Sending 100000, 100-byte ICMP Echos to 92.92.92.2, timeout is 2 seconds:

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

!

!

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1061 packets output, 141750 bytes, 0 underruns

Rack1SW1#sh int tunnel 0 | i packets output

1075 packets output, 143682 bytes, 0 underruns

Rack1SW1#sh int tunnel 0 | i packets output

1090 packets output, 145752 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1213 packets output, 162692 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1259 packets output, 169040 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#sh int tunnel 0 | i packets output

1321 packets output, 177562 bytes, 0 underruns

Rack1SW1#show process cpu | i CPU

CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%

Rack1SW1#

___

This is it for me. I'm done testing.
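Added example, not part of the original thread and not Cisco tooling: it parses the `show process cpu | i CPU` and `sh int tunnel 0 | i packets output` lines from the test above and reports peak CPU next to the tunnel packet deltas, the comparison done by eye in the post. The function names and the 50% alert threshold are assumptions.

```python
import re

# Constructed input: output lines copied from the Rack1SW1 test in the thread.
SAMPLE = """\
CPU utilization for five seconds: 7%/0%; one minute: 7%; five minutes: 7%
1061 packets output, 141750 bytes, 0 underruns
1075 packets output, 143682 bytes, 0 underruns
1090 packets output, 145752 bytes, 0 underruns
CPU utilization for five seconds: 8%/0%; one minute: 7%; five minutes: 7%
1213 packets output, 162692 bytes, 0 underruns
"""

CPU_RE = re.compile(r"CPU utilization for five seconds: (\d+)%/(\d+)%")
OUT_RE = re.compile(r"(\d+) packets output, (\d+) bytes")

def parse(text):
    """Split pasted CLI output into CPU samples and tunnel output counters."""
    cpu, counters = [], []
    for line in text.splitlines():
        if m := CPU_RE.search(line):
            # IOS prints total%/interrupt%; total minus interrupt is the
            # process-level share, where process-switched packets are handled.
            cpu.append((int(m[1]), int(m[2])))
        elif m := OUT_RE.search(line):
            counters.append((int(m[1]), int(m[2])))
    return cpu, counters

def deltas(counters):
    """Per-interval (packets, bytes, bytes per packet) between samples."""
    out = []
    for (p0, b0), (p1, b1) in zip(counters, counters[1:]):
        dp, db = p1 - p0, b1 - b0
        if dp <= 0 or db < 0:  # idle interval, or counters were cleared
            continue
        out.append((dp, db, round(db / dp, 1)))
    return out

def assess(text, cpu_limit=50):
    """cpu_limit is an assumed alert threshold, not a Cisco-documented value."""
    cpu, counters = parse(text)
    d = deltas(counters)
    peak_total = max((t for t, _ in cpu), default=0)
    peak_process = max((t - i for t, i in cpu), default=0)
    return {"peak_total_cpu": peak_total,
            "peak_process_cpu": peak_process,
            "tunnel_packets": sum(x[0] for x in d),
            "alert": peak_total >= cpu_limit}

if __name__ == "__main__":
    print(assess(SAMPLE))
```

On the thread's samples the tunnel moved only 152 packets between the first and last counter reading, which is why the CPU figure stays flat; the same check under production load is what would show whether the switch is at risk.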
