
MPLS over GRE tunnels

Hello everybody,

I need some help in configuring MPLS over GRE tunnels. I did not find any proper configuration example to help me. I need to do this to encrypt the traffic between two PE routers. I have 7609 routers.

Thanks,

Alexandru.


Peter,

Thanks for your quick tip. I know assigning the tunnel a unique address will work because the solution has been provided by Mounir in this thread back in 2008. What I'm trying to figure out is why my configuration would not work. I have my reasons not to assign unique addresses to the tunnels.

Hello,

In my opinion, the main problem is concerned by the reachability of the loopback address, which also happens to be the tunnel's endpoint. You can't force the router to reach the neighbor's loopback address through the tunnel, as that would cause a recursive routing (tunnel endpoint reachable through the tunnel itself). The opposite router's loopback is therefore still reachable through the normal routing, bypassing the tunnel, hence through a path that is not MPLS-enabled. As the NEXT_HOP attribute of routes advertised from the BGP peer will be set to its loopback address, the router will try to forward packets through the non-tunneled, non-MPLS path.

Until there is a unique address on each end of the tunnel, or a new loopback on each router whose reachability is provided exclusively through the tunnel, I do not see how to solve this problem if you insist on running the IP Unnumbered.

Best regards,

Peter

Peter,

Your logic does make sense. Loop0 is reachable through normal routing and the tunnel so a recursive routing may have occurred. After I assigned a unique /30 network to the tunnel, everything started working.

Since we normally use /32 loopback for MPLS routing, would this tunnel+MPLS configuration potentially create any problem?

*Dec 29 14:44:20.897: %BGP-4-VPNV4NH_IF: Nexthop 150.0.0.2 may not be reachable from neigbor 150.0.0.1 - not a loopback

Jack

Hi Jack,

The warning you are seeing is to make you aware that with non-loopback IP addresses used for BGP peering, a premature PHP may occur, leading to reachability issues. However, as the BGP peers should be peered "over a single link", that is, the tunnel interface, there should be no issues with premature PHP. I see no obvious issues with peering your BGP speakers using tunnel interfaces' addresses.

If you want to be on the totally safe side, give your tunnel an IP space without using IP Unnumbered, and additionally, create a pair of new unique loopbacks on your routers (separate from the loopbacks you are using to define the tunnel source/destination). Then, define a pair of static routes to reach these loopbacks via tunnel interfaces, and peer the BGP using these new loopbacks.

Best regards,

Peter
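The layout Peter describes above, sketched as an IOS configuration for one PE. This is an added example, not configuration posted by anyone in the thread. Assumptions: every address except the 150.0.0.0/30 tunnel subnet seen in Jack's log line is constructed, which end holds 150.0.0.1 is a guess, and AS 65000 is a placeholder.

```cisco
! PE1 side; mirror on PE2 with the .1/.2 addresses swapped.
! GRE by itself does not encrypt; protecting the tunnel is outside this sketch.
!
interface Loopback0
 description Tunnel source, reachable through normal (non-tunnel) routing
 ip address 192.0.2.1 255.255.255.255
!
interface Loopback1
 description BGP peering address, kept out of the IGP so it is
 ! reachable from the remote PE only through the tunnel
 ip address 198.51.100.1 255.255.255.255
!
interface Tunnel0
 description GRE tunnel with its own /30 instead of IP Unnumbered
 ip address 150.0.0.1 255.255.255.252
 mpls ip
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! The remote peering loopback is reachable only via the tunnel, so the
! BGP next hop resolves over the MPLS-enabled path and the tunnel
! endpoint (Loopback0) is never routed through the tunnel itself.
ip route 198.51.100.2 255.255.255.255 Tunnel0
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 65000
 neighbor 198.51.100.2 update-source Loopback1
 !
 address-family vpnv4
  neighbor 198.51.100.2 activate
  neighbor 198.51.100.2 send-community extended
 exit-address-family
```

If Loopback1 is advertised into the IGP, the remote PE learns a second, non-tunneled path to it and the next-hop problem described earlier in the thread returns.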

Thanks, Peter. That's nice and clear.

Jack,

You are welcome!

Best regards,

Peter
