- Finding Feature Information
- Restrictions for Implementing Tunnels
- Information About Implementing Tunnels
- Tunneling Versus Encapsulation
- Tunnel ToS
- Generic Routing Encapsulation
- EoMPLS over GRE
- Provider Edge to Provider Edge Generic Routing EncapsulationTunnels
- Provider to Provider Generic Routing Encapsulation Tunnels
- Provider Edge to Provider Generic Routing Encapsulation Tunnels
- Features Specific to Generic Routing Encapsulation
- Features Specific to Ethernet over MPLS
- Features Specific to Multiprotocol Label Switching Virtual Private Network
- Overlay Tunnels for IPv6
- IPv6 Manually Configured Tunnels
- Automatic 6to4 Tunnels
- ISATAP Tunnels
- Path MTU Discovery
- QoS Options for Tunnels
- How to Implement Tunnels
- Configuration Examples for Implementing Tunnels
- Example: Configuring a GRE IPv4 Tunnel
- Example: Configuring GRE on IPv6 Tunnels
- Example: Configuring GRE Tunnel IP Source and Destination VRF Membership
- Example: Configuring EoMPLS over GRE
- Example: Manually Configuring IPv6 Tunnels
- Example: Configuring 6to4 Tunnels
- Example: Configuring ISATAP Tunnels
- Configuring QoS Options on Tunnel Interfaces Examples
Implementing Tunnels
This module describes the various types of tunneling techniques. Configuration details and examples are provided for the tunnel types that use physical or virtual interfaces. Many tunneling techniques are implemented using technology-specific commands, and links are provided to the appropriate technology modules.
Tunneling provides a way to encapsulate arbitrary packets inside a transport protocol. Tunnels are implemented as virtual interfaces to provide a simple interface for configuration purposes. The tunnel interface is not tied to specific "passenger" or "transport" protocols, but rather is an architecture to provide the services necessary to implement any standard point-to-point encapsulation scheme.
Note |
Cisco ASR 1000 Series Aggregation Services Routers support VPN routing and forwarding (VRF)-aware generic routing encapsulation (GRE) tunnel keepalive features. |
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Implementing Tunnels
- It is important to allow the tunnel protocol to pass through a firewall and access control list (ACL) check.
- Multiple point-to-point tunnels can saturate the physical link with routing information if the bandwidth is not configured correctly on a tunnel interface.
- A tunnel looks like a single hop link, and routing protocols may prefer a tunnel over a multihop physical path. The tunnel, despite looking like a single hop link, may traverse a slower path than a multihop link. A tunnel is as robust and fast, or as unreliable and slow, as the links that it actually traverses. Routing protocols that make their decisions based only on hop counts will often prefer a tunnel over a set of physical links. A tunnel might appear to be a one-hop, point-to-point link and have the lowest-cost path, but the tunnel may actually cost more in terms of latency when compared to an alternative physical topology. For example, in the topology shown in the figure below, packets from Host 1 will appear to travel across networks w, t, and z to get to Host 2 instead of taking the path w, x, y, and z because the tunnel hop count appears shorter. In fact, the packets going through the tunnel will still be traveling across Router A, B, and C, but they must also travel to Router D before coming back to Router C.
Figure 1 | Tunnel Precautions: Hop Counts |
-
A tunnel may have a recursive routing problem if routing is not configured accurately. The best path to a tunnel destination is via the tunnel itself; therefore recursive routing causes the tunnel interface to flap. To avoid recursive routing problems, keep the control-plane routing separate from the tunnel routing by using the following methods:
- Use a different autonomous system number or tag.
- Use a different routing protocol.
- Ensure that static routes are used to override the first hop (watch for routing loops).
The following error is displayed when there is recursive routing to a tunnel destination:
%TUN-RECURDOWN Interface Tunnel 0 temporarily disabled due to recursive routing
Information About Implementing Tunnels
- Tunneling Versus Encapsulation
- Tunnel ToS
- Generic Routing Encapsulation
- EoMPLS over GRE
- Overlay Tunnels for IPv6
- IPv6 Manually Configured Tunnels
- Automatic 6to4 Tunnels
- ISATAP Tunnels
- Path MTU Discovery
- QoS Options for Tunnels
Tunneling Versus Encapsulation
To understand how tunnels work, you must be able to distinguish between concepts of encapsulation and tunneling. Encapsulation is the process of adding headers to data at each layer of a particular protocol stack. The Open Systems Interconnection (OSI) reference model describes the functions of a network. To send a data packet from one host (for example, a PC) to another on a network, encapsulation is used to add a header in front of the data packet at each layer of the protocol stack in descending order. The header must contain a data field that indicates the type of data encapsulated at the layer immediately above the current layer. As the packet ascends the protocol stack on the receiving side of the network, each encapsulation header is removed in reverse order.
Tunneling encapsulates data packets from one protocol within a different protocol and transports the packets on a foreign network. Unlike encapsulation, tunneling allows a lower-layer protocol and a same-layer protocol to be carried through the tunnel. A tunnel interface is a virtual (or logical) interface. Tunneling consists of three main components:
- Passenger protocol--The protocol that you are encapsulating. For example, IPv4 and IPv6 protocols.
- Carrier protocol--The protocol that encapsulates. For example, generic routing encapsulation (GRE) and Multiprotocol Label Switching (MPLS).
- Transport protocol--The protocol that carries the encapsulated protocol. The main transport protocol is IP.
The figure below illustrates IP tunneling terminology and concepts:
Figure 2 | IP Tunneling Terminology and Concepts |
Tunnel ToS
Tunnel type of service (ToS) allows you to tunnel network traffic and group all packets in the same ToS byte value. The ToS byte values and Time-to-Live (TTL) hop-count value can be set in the encapsulating IP header of tunnel packets for an IP tunnel interface on a router. Tunnel ToS feature is supported for Cisco Express Forwarding (formerly known as CEF), fast switching, and process switching.
The ToS and TTL byte values are defined in RFC 791. RFC 2474, and RFC 2780 obsolete the use of the ToS byte as defined in RFC 791. RFC 791 specifies that bits 6 and 7 of the ToS byte (the first two least significant bits) are reserved for future use and should be set to 0. For Cisco IOS XE Release 2.1, the Tunnel ToS feature does not conform to this standard and allows you to use the whole ToS byte value, including bits 6 and 7, and to decide to which RFC standard the ToS byte of your packets should conform.
Generic Routing Encapsulation
GRE is defined in RFC 2784. GRE is a carrier protocol that can be used with many different underlying transport protocols and can carry many passenger protocols. RFC 2784 also covers the use of GRE with IPv4 as the transport protocol and the passenger protocol. Cisco software supports GRE as the carrier protocol with many combinations of passenger and transport protocols.
GRE tunnels are described in the following sections:
GRE Tunnel IP Source and Destination VRF Membership
The GRE Tunnel IP Source and Destination VRF Membership feature allows you to configure the source and destination of a tunnel to belong to any VPN routing and forwarding (VRFs) tables. A VRF table stores routing data for each VPN. The VRF table defines the VPN membership of a customer site that is attached to the network access server (NAS). Each VRF table comprises an IP routing table, a derived Cisco Express Forwarding table, and guidelines and routing protocol parameters that control the information that is included in the routing table.
Prior to Cisco IOS XE Release 2.2, GRE IP tunnels required the IP tunnel destination to be in the global routing table. The implementation of this feature allows you to configure a tunnel source and destination to belong to any VRF. As with existing GRE tunnels, the tunnel becomes disabled if no route to the tunnel destination is defined.
GRE IPv4 Tunnel Support for IPv6 Traffic
IPv6 traffic can be carried over IPv4 GRE tunnels by using the standard GRE tunneling technique to provide the services necessary to implement a standard point-to-point encapsulation scheme. GRE tunnels are links between either two points, with a separate tunnel for each point. The tunnels are not tied to a specific passenger or transport protocol, but in this case, IPv6 is the passenger protocol, GRE is the carrier protocol, and IPv4 is the transport protocol.
The primary use of GRE tunnels is to provide a stable connection and secure communication between two edge routers, or between an edge router and an end system. The edge router and the end system must have a dual-stack implementation.
GRE has a protocol field that identifies the passenger protocol. GRE tunnels allow intermediate system to intermediate system (IS-IS) or IPv6 to be specified as the passenger protocol; thus, allowing both IS-IS and IPv6 traffic to run over the same tunnel. If GRE does not have a protocol field, it becomes impossible to distinguish whether the tunnel is carrying IS-IS or IPv6 packets.
EoMPLS over GRE
Ethernet over MPLS (EoMPLS) is a tunneling mechanism that allows you to tunnel Layer 2 traffic through a Layer 3 MPLS network. EoMPLS is also known as Layer 2 tunneling.
EoMPLS effectively facilitates Layer 2 extension over long distances. EoMPLS over GRE helps you to create the GRE tunnel as hardware-based switched, and encapsulates EoMPLS frames within the GRE tunnel. The GRE connection is established between the two core routers, and then the MPLS label switched path (LSP) is tunneled over.
GRE encapsulation is used to define a packet that has header information added to it prior to being forwarded. De-encapsulation is the process of removing the additional header information when the packet reaches the destination tunnel endpoint.
When a packet is forwarded through a GRE tunnel, two new headers are added to the front of the packet and hence the context of the new payload changes. After encapsulation, what was originally the data payload and separate IP header are now known as the GRE payload. A GRE header is added to the packet to provide information on the protocol type and the recalculated checksum. A new IP header is also added to the front of the GRE header. This IP header contains the destination IP address of the tunnel.
The GRE header is added to packets such as IP, Layer 2 VPN, and Layer 3 VPN before the header enters into the tunnel. All routers along the path that receives the encapsulated packet use the new IP header to determine how the packet can reach the tunnel endpoint.
In IP forwarding, on reaching the tunnel destination endpoint, the new IP header and the GRE header are removed from the packet and the original IP header is used to forward the packet to the final destination.
The EoMPLS over GRE feature removes the new IP header and GRE header from the packet at the tunnel destination, and the MPLS label is used to forward the packet to the appropriate Layer 2 attachment circuit or Layer 3 VRF.
The scenarios in the following sections describe the L2VPN and L3VPN over GRE deployment on provider edge (PE) or provider (P) routers:
- Provider Edge to Provider Edge Generic Routing EncapsulationTunnels
- Provider to Provider Generic Routing Encapsulation Tunnels
- Provider Edge to Provider Generic Routing Encapsulation Tunnels
- Features Specific to Generic Routing Encapsulation
- Features Specific to Ethernet over MPLS
- Features Specific to Multiprotocol Label Switching Virtual Private Network
Provider Edge to Provider Edge Generic Routing EncapsulationTunnels
In the Provider Edge to Provider Edge (PE) GRE tunnels scenario, a customer does not transition any part of the core to MPLS but prefers to offer EoMPLS and basic MPLS VPN services. Therefore, GRE tunneling of MPLS traffic is done between PEs.
Provider to Provider Generic Routing Encapsulation Tunnels
In the Provider to Provider (P) GRE tunnels scenario, Multiprotocol Label Switching (MPLS) is enabled between Provider Edge (PE ) and P routers but the network core can either have non-MPLS aware routers or IP encryption boxes. In this scenario, GRE tunneling of the MPLS labeled packets is done between P routers.
Provider Edge to Provider Generic Routing Encapsulation Tunnels
In a Provider Edge to Provider GRE tunnels scenario, a network has MPLS-aware P to P nodes. GRE tunneling is done between a PE to P non-MPLS network segment.
Features Specific to Generic Routing Encapsulation
You should understand the following configurations and information for a deployment scenario:
- Tunnel endpoints can be loopbacks or physical interfaces.
- Configurable tunnel keepalive timer parameters per endpoint and a syslog message must be generated when the keepalive timer expires.
- Bidirectional forwarding detection (BFD) is supported for tunnel failures and for the Interior Gateway Protocol (IGP) that use tunnels.
- IGP load sharing across a GRE tunnel is supported.
- IGP redundancy across a GRE tunnel is supported.
- Fragmentation across a GRE tunnel is supported.
- Ability to pass jumbo frames is supported.
- All IGP control plane traffic is supported.
- IP ToS preservation across tunnels is supported.
- A tunnel should be independent of the endpoint physical interface type; for example, ATM, Gigabit, Packet over SONET (POS), and TenGigabit.
- Up to 100 GRE tunnels are supported.
Features Specific to Ethernet over MPLS
Features Specific to Multiprotocol Label Switching Virtual Private Network
- Support for the PE role with IPv4 VRF.
- Support for all PE to customer edge (CE) protocols.
- Load sharing through multiple tunnels and also equal cost IGP paths with a single tunnel.
- Support for redundancy through unequal cost IGP paths with a single tunnel.
- Support for the IP precedence value being copied onto the expression (EXP) bits field of the Multiprotocol Label Switching (MPLS) label and then onto the precedence bits on the outer IPv4 ToS field of the generic routing encapsulation (GRE) packet.
See the section, "Example: Configuring EoMPLS over GRE" for a sample configuration sequence of EoMPLS over GRE. For more details on EoMPLS over GRE, see the Deploying and Configuring MPLS Virtual Private Networks In IP Tunnel Environments document.
Overlay Tunnels for IPv6
The figure below illustrates how overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure (a core network or the Internet). By using overlay tunnels, you can communicate with isolated IPv6 networks without upgrading the IPv4 infrastructure between them. Overlay tunnels can be configured between border routers or between a border router and a host; however, both tunnel endpoints must support, IPv4 and IPv6 protocol stacks. IPv6 supports the following types of overlay tunneling mechanisms:
Figure 3 | Overlay Tunnels |
Note |
If the basic IPv4 packet header does not have optional fields, overlay tunnels can reduce the maximum transmission unit (MTU) of an interface by 20 octets. A network that uses overlay tunnels is difficult to troubleshoot. Therefore, overlay tunnels that connect isolated IPv6 networks should not be considered as the final IPv6 network architecture. The use of overlay tunnels is considered as a transition technique for a network that supports either both IPv4 and IPv6 protocol stacks or just the IPv6 protocol stack. |
Consult the table below to determine which type of tunnel you want to configure to carry IPv6 packets over an IPv4 network.
Table 1 | Suggested Usage of Tunnel Types to Carry IPv6 Packets over an IPv4 Network |
Tunneling Type |
Suggested Usage |
Usage Notes |
---|---|---|
6to4 |
Point-to-multipoint tunnels that can be used to connect isolated IPv6 sites. |
Sites use addresses that begin with the 2002::/16 prefix. |
GRE/IPv4 |
Simple point-to-point tunnels that can be used within a site or between sites. |
Tunnels can carry IPv6, Connectionless Network ServiceCLNS, and many other types of packets. |
ISATAP |
Point-to-multipoint tunnels that can be used to connect systems within a site. |
Sites can use any IPv6 unicast addresses. |
Manual |
Simple point-to-point tunnels that can be used within a site or between sites. |
Tunnels can carry IPv6 packets only. |
Individual tunnel types are discussed in detail in the following concepts, and we recommend that you review and understand the information on the specific tunnel type that you want to implement. Consult the table below for a summary of the tunnel configuration parameters that you may find useful.
Table 2 | Overlay Tunnel Configuration Parameters by Tunneling Type |
Overlay Tunneling Type |
Overlay Tunnel Configuration Parameter |
|||
---|---|---|---|---|
Tunnel Mode |
Tunnel Source |
Tunnel Destination |
Interface Prefix/Address |
|
6to4 |
ipv6ip 6to4
|
An IPv4 address or a reference to an interface on which IPv4 is configured. |
Not required. These are all point-to-multipoint tunneling types. The IPv4 destination address is calculated, on a per-packet basis, from the IPv6 destination. |
An IPv6 address. The prefix must embed the tunnel source IPv4 address. |
GRE/IPv4 |
gre ip |
An IPv4 address. |
An IPv6 address. |
|
ISATAP |
ipv6ip isatap |
Not required. These are all point-to-multipoint tunneling types. The IPv4 destination address is calculated on a per-packet basis from the IPv6 destination. |
An IPv6 prefix in modified eui-64 format. The IPv6 address is generated from the prefix and the tunnel source IPv4 address. |
|
Manual |
ipv6ip |
An IPv4 address. |
An IPv6 address. |
IPv6 Manually Configured Tunnels
A manually configured tunnel is equivalent to a permanent link between two IPv6 domains over an IPv4 backbone. The primary use of a manually configured tunnel is to stabilize connections that require secure communication between two edge routers, or between an end system and an edge router. The manual configuration tunnel also stabilizes connection between remote IPv6 networks.
An IPv6 address is manually configured on a tunnel interface. Manually configured IPv4 addresses are assigned to the tunnel source and destination. The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks. Manually configured tunnels can be configured between border routers or between a border router and a host. Cisco Express Forwarding switching can be used for manually configured IPv6 tunnels. Switching can be disabled if process switching is required.
Automatic 6to4 Tunnels
An automatic 6to4 tunnel allows isolated IPv6 domains to be connected over an IPv4 network to remote IPv6 networks. The key difference between automatic 6to4 tunnels and manually configured tunnels is that the tunnel is not point-to-point; it is point-to-multipoint. In automatic 6to4 tunnels, routers are not configured in pairs because they treat the IPv4 infrastructure as a virtual nonbroadcast multiaccess (NBMA) links. The IPv4 address embedded in the IPv6 address is used to find the other end of the automatic tunnel.
An automatic 6to4 tunnel may be configured on a border router in an isolated IPv6 network, which creates a tunnel on a per-packet basis on a border router in another IPv6 network over an IPv4 infrastructure. The tunnel destination is determined by the IPv4 address of the border router extracted from the IPv6 address that starts with the prefix 2002::/16, where the format is 2002:border-router-IPv4-address ::/48.The embedded IPv4 addresses are 16 bits and can be used to number networks within the site. The border router at each end of a 6to4 tunnel must support both IPv4 and IPv6 protocol stacks. 6to4 tunnels are configured between border routers or between a border router and a host.
The simplest deployment scenario for 6to4 tunnels is to interconnect multiple IPv6 sites, each of which has at least one connection to a shared IPv4 network. This IPv4 network could either be the Internet or a corporate backbone. The key requirement is that each site have a globally unique IPv4 address; the Cisco software uses this address to construct a globally unique 6to4/48 IPv6 prefix. A tunnel with appropriate entries in a Domain Name System (DNS) that maps hostnames and IP addresses for both IPv4 and IPv6 domains, allows the applications to choose the required address.
ISATAP Tunnels
The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) is an automatic overlay tunneling mechanism that uses the underlying IPv4 network as an NBMA link layer for IPv6. ISATAP is designed for transporting IPv6 packets within a site, where a native IPv6 infrastructure is not yet available; for example, when sparse IPv6 hosts are deployed for testing. ISATAP tunnels allow individual IPv4/IPv6 dual-stack hosts within a site to communicate with other such hosts on the same virtual link, basically creating an IPv6 network using the IPv4 infrastructure.
The ISATAP router provides standard router advertisement network configuration support for the ISATAP site. ISATAP allows clients to automatically configure themselves as they would do if they were connected to an Ethernet. ISATAP can also be configured to provide connectivity out of the site. It uses a well-defined IPv6 address format composed of any unicast IPv6 prefix (/64). The prefix can be link-local or global (including 6to4 prefixes), enabling IPv6 routing locally or on the Internet. The IPv4 address is encoded in the last 32 bits of the IPv6 address, enabling automatic IPv6-in-IPv4 tunneling.
Although the ISATAP tunneling mechanism is similar to other automatic tunneling mechanisms, such as IPv6 6to4 tunneling, ISATAP is designed for transporting IPv6 packets within a site, not between sites.
ISATAP uses unicast addresses that include a 64-bit IPv6 prefix and a 64-bit interface identifier. The interface identifier is created in modified Extended Unique Identifier (EUI)-64 format in which the first 32 bits contain the value 000:5EFE to indicate that the address is an IPv6 ISATAP address. The table below shows the layout of an ISATAP address.
Table 3 | ISATAP Address Example |
64 Bits |
32 Bits |
32 Bits |
---|---|---|
Link-local or global IPv6 unicast prefix |
0000:5EFE |
IPv4 address of the ISATAP link |
As shown in the table above, an ISATAP address consists of an IPv6 prefix and the ISATAP interface identifier. This interface identifier includes the IPv4 address of the underlying IPv4 link. The following example shows how an actual ISATAP address looks if the prefix is 2001:0DB8:1234:5678::/64 and the embedded IPv4 address is 10.173.129.8. In the ISATAP address, the IPv4 address is expressed in hexadecimal as 0AAD:8108.
2001:0DB8:1234:5678:0000:5EFE:0AAD:8108
Path MTU Discovery
Path MTU Discovery (PMTUD) can be enabled on a GRE or IP-in-IP tunnel interface. When PMTUD (RFC 1191) is enabled on a tunnel interface, the router performs PMTUD processing for the GRE (or IP-in-IP) tunnel IP packets. The router always performs PMTUD processing on the original data IP packets that enter the tunnel. When PMTUD is enabled, packet fragmentation is not permitted for packets that traverse the tunnel because the Don't Fragment (DF) bit is set on all the packets. If a packet that enters the tunnel encounters a link with a smaller MTU, the packet is dropped and an Internet Control Message Protocol (ICMP) message is sent back to the sender of the packet. This message indicates that fragmentation was required (but not permitted) and provides the MTU of the link that caused the packet to be dropped.
Note |
PMTUD on a tunnel interface requires that the tunnel endpoint be able to receive ICMP messages generated by routers in the path of the tunnel. Ensure that ICMP messages can be received before using PMTUD over firewall connections. |
Use the tunnel path-mtu-discovery command to enable PMTUD for the tunnel packets and use the show interfaces tunnel command to verify the tunnel PMTUD parameters. PMTUD works only on GRE and IP-in-IP tunnel interfaces.
QoS Options for Tunnels
A tunnel interface supports various quality of service (QoS) features as a physical interface. QoS provides a way to ensure that mission-critical traffic has an acceptable level of performance. QoS options for tunnels include support for applying generic traffic shaping (GTS) directly on the tunnel interface and support for class-based shaping using the modular QoS CLI (MQC). Tunnel interfaces also support class-based policing, but they do not support committed access rate (CAR).
GRE tunnels allow the router to copy the IP precedence bit values of the ToS byte to the tunnel or the GRE IP header that encapsulates the inner packet. Intermediate routers between the tunnel endpoints can use the IP precedence values to classify packets for QoS features such as policy routing, weighted fair queueing (WFQ), and weighted random early detection (WRED).
When packets are encapsulated by tunnel or encryption headers, QoS features are unable to examine the original packet headers and correctly classify the packets. Packets that travel across the same tunnel have the same tunnel headers, so the packets are treated identically if the physical interface is congested. Tunnel packets can, however, be classified before tunneling and encryption can occur when a user applies the QoS preclassify feature on the tunnel interface or on the crypto map.
Note |
Class-based WFQ (CBWFQ) inside class-based shaping is not supported on a multipoint interface. |
For examples of how to implement some QoS features on a tunnel interface, see the section"Configuring QoS Options on Tunnel Interfaces Examples" on page 32.
How to Implement Tunnels
- Determining the Tunnel Type
- Configuring an IPv4 GRE Tunnel
- Configuring GRE on IPv6 Tunnels
- Configuring GRE Tunnel IP Source and Destination VRF Membership
- Manually Configuring IPv6 Tunnels
- Configuring 6to4 Tunnels
- Configuring ISATAP Tunnels
- Verifying Tunnel Configuration and Operation
Determining the Tunnel Type
Before configuring a tunnel, you must determine the type of tunnel you want to create.
DETAILED STEPS
Configuring an IPv4 GRE Tunnel
Perform this task to configure a GRE tunnel. A tunnel interface is used to pass protocol traffic across a network that does not normally support the protocol. To build a tunnel, you must define a tunnel interface on each of the two routers, and the tunnel interfaces must reference each other. At each router, the tunnel interface must be configured with a Layer 3 address. The tunnel endpoints, tunnel source, and tunnel destination must be defined, and the type of tunnel must be selected. Optional steps can be performed to customize the tunnel.
Remember to configure the router at each end of the tunnel. If only one side of a tunnel is configured, the tunnel interface may still come up and stay up (unless keepalive is configured), but packets going into the tunnel will be dropped.
GRE Tunnel Keepalive
Keepalive packets can be configured to be sent over IP-encapsulated GRE tunnels. You can specify the rate at which keepalives are sent and the number of times that a device will continue to send keepalive packets without a response before the interface becomes inactive. GRE keepalive packets may be sent from both sides of a tunnel or from just one side.
Ensure that the physical interface to be used as the tunnel source in this task is up and configured with the appropriate IP address. For hardware technical descriptions and information about installing interfaces, see the hardware installation and configuration publication for your product.
DETAILED STEPS
Command or Action | Purpose | |||||
---|---|---|---|---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||||
|
Example: Router# configure terminal |
Enters global configuration mode. |
||||
|
Example: Router(config)# interface tunnel 0 |
Specifies the interface type and number, and enters interface configuration mode. |
||||
|
Example: Router(config-if)# bandwidth 1000 |
Sets the current bandwidth value for an interface and communicates it to higher-level protocols.
|
||||
|
Example: Router(config-if)# keepalive 3 7 |
(Optional) Specifies the number of times the device will continue to send keepalive packets without response before bringing the tunnel interface protocol down.
|
||||
|
Example: Router(config-if)# tunnel source GigabitEthernet 0/0/0 |
Configures the tunnel source.
|
||||
|
Example: Router(config-if)# tunnel destination 10.0.2.1 |
Configures the tunnel destination.
|
||||
|
Example: Router(config-if)# tunnel key 1000 |
(Optional) Enables an ID key for a tunnel interface.
|
||||
|
Example: Device(config-if)# tunnel mode gre ip |
Specifies the encapsulation protocol to be used in the tunnel. |
||||
|
Example: Device(config-if)# ip mtu 1400 |
(Optional) Sets the MTU size of IP packets sent on an interface.
|
||||
|
Example: Device(config-if)# ip tcp mss 250 |
(Optional) Specifies the maximum segment size (MSS) for TCP connections that originate or terminate on a router. |
||||
|
Example: Device(config-if)# tunnel path-mtu-discovery |
(Optional) Enables PMTUD on a GRE or IP-in-IP tunnel interface. |
||||
|
Example: Device(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
What to Do Next
Proceed to the "Verifying Tunnel Configuration and Operation" section.
Configuring GRE on IPv6 Tunnels
This task explains how to configure a GRE tunnel on an IPv6 network. GRE tunnels can be configured to run over an IPv6 network layer and to transport IPv4 packets in IPv6 tunnels.
When GRE/IPv6 tunnels are configured, IPv6 addresses are assigned to the tunnel source and the tunnel destination. The tunnel interface can be assigned either IPv4 or IPv6 addresses assigned (this is not shown in the following task). The host or router at each end of a configured tunnel must support both the IPv4 and IPv6 protocol stacks.
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
Example: Router(config)# interface tunnel 0 |
Specifies a tunnel interface and number and enters interface configuration mode. |
||
|
Example: Router(config-if)# tunnel source GigabitEthernet 0/0/0 |
Specifies the source IPv6 address or the source interface type and number for the tunnel interface.
|
||
|
Example: Router(config-if)# tunnel destination 2001:0DB8:0C18:2::300 |
Specifies the destination IPv6 address for the tunnel interface.
|
||
|
Example: Router(config-if)# tunnel mode gre ipv6 |
Specifies a GRE IPv6 tunnel.
|
||
|
Example: Router(config-if)# ipv6 mtu 1400 |
(Optional) Sets the MTU size of IPv6 packets sent on an interface. |
||
|
Example: Router(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
What to Do Next
Proceed to the "Verifying Tunnel Configuration and Operation" section.
Configuring GRE Tunnel IP Source and Destination VRF Membership
This task explains how to configure the source and destination of a tunnel to correspond to any VRF table.
DETAILED STEPS
Command or Action | Purpose | |
---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode. |
|
Example: Router# configure terminal |
Enters global configuration mode. |
|
Example: Router(config)# interface tunnel 0 |
Enters interface configuration mode for the specified interface. |
|
Example: Router(config-if)# ip vrf forwarding vrf1 |
Defines the VRF associated with the tunnel interface. |
|
Example: Router(config-if)# ip address 10.7.7.7 255.255.255.0 |
Specifies the IP address and subnet mask. |
|
Example: Router(config-if)# tunnel source loopback 0 |
Specifies the tunnel source. |
|
Example: Router(config-if)# tunnel destination 10.5.5.5 |
Defines the tunnel destination. |
|
Example: Router(config-if)# tunnel vrf finance1 |
Defines the VRF associated with the physical interface from which tunnel packets are sent. |
|
Example: Router(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
What to Do Next
Proceed to the "Verifying Tunnel Configuration and Operation" section.
Manually Configuring IPv6 Tunnels
For manually configured IPv6 tunnels, an IPv6 address is configured on a tunnel interface. Manually configured IPv4 addresses are assigned to the tunnel source and the tunnel destination. The host or the router at each end of a configured tunnel must support both IPv4 and IPv6 protocol stacks.
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
Example: Router(config)# interface tunnel 0 |
Specifies a tunnel interface and number, and enters interface configuration mode. |
||
|
Example: Router(config-if)# ipv6 address 2001:0DB8:1234:5678::3/126 |
Specifies the IPv6 network assigned to the interface and enables IPv6 processing on the interface.
|
||
|
Example: Router(config-if)# tunnel source GigabitEthernet 0/0/0 |
Specifies the source IPv4 address or the source interface type and number for the tunnel interface. |
||
|
Example: Router(config-if)# tunnel destination 10.16.30.1 |
Specifies the destination IPv4 address for the tunnel interface. |
||
|
Example: Router(config-if)# tunnel mode ipv6ip |
Specifies a manually configured IPv6 tunnel.
|
||
|
Example: Router(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
What to Do Next
Proceed to the "Verifying Tunnel Configuration and Operation" section.
Configuring 6to4 Tunnels
With 6to4 tunnels, the tunnel destination is determined by the border-router IPv4 address, which is concatenated to the prefix 2002::/16 in the format 2002:border-router-IPv4-address ::/48. The border router at each end of a 6to4 tunnel must support both the IPv4 and IPv6 protocol stacks.
Note |
The configuration of only one IPv4-compatible tunnel and one 6to4 IPv6 tunnel is supported on a router. If you choose to configure both of these tunnel types on the same router, Cisco recommends that they not share the same tunnel source. A 6to4 tunnel and an IPv4-compatible tunnel cannot share the same interface because both of them are NBMA "point-to-multipoint" access links, and only the tunnel source can be used to reorder the packets from a multiplexed packet stream into a single packet stream for an incoming interface. When a packet with an IPv4 protocol type of 41 arrives on an interface, the packet is mapped to an IPv6 tunnel interface on the basis of the IPv4 address. However, if both the 6to4 tunnel and the IPv4-compatible tunnel share the same source interface, the router cannot determine the IPv6 tunnel interface to which it should assign the incoming packet. Manually configured IPv6 tunnels can share the same source interface because a manual tunnel is a "point-to-point" link, and both IPv4 source and the IPv4 destination of the tunnel are defined. |
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Router> enable |
Enables privileged EXEC mode. |
||
|
Example: Router# configure terminal |
Enters global configuration mode. |
||
|
Example: Router(config)# interface tunnel 0 |
Specifies a tunnel interface and number and enters interface configuration mode. |
||
|
Example: Router(config-if)# ipv6 address 2002:c0a8:6301:1::1/64 |
Specifies the IPv6 address assigned to the interface and enables IPv6 processing on the interface.
|
||
|
Example: Router(config-if)# tunnel source GigabitEthernet 0/0/0 |
Specifies the source IPv4 address or the source interface type and number for the tunnel interface.
|
||
|
Example: Router(config-if)# tunnel mode ipv6ip 6to4 |
Specifies an IPv6 overlay tunnel using a 6to4 address. |
||
|
Example: Router(config-if)# exit |
Exits interface configuration mode and returns to global configuration mode. |
||
|
Example: Router(config)# ipv6 route 2002::/16 tunnel 0 |
Configures a static route to the specified tunnel interface.
|
||
|
Example: Router(config)# end |
Exits global configuration mode and returns to privileged EXEC mode. |
What to Do Next
Proceed to the "Verifying Tunnel Configuration and Operation" section.
Configuring ISATAP Tunnels
This task describes how to configure an ISATAP overlay tunnel.
The tunnel source command used in the configuration of an ISATAP tunnel must point to an interface that is configured with an IPv4 address. The ISATAP IPv6 address and prefix (or prefixes) advertised are configured for a native IPv6 interface. The IPv6 tunnel interface must be configured with a modified EUI-64 address because the last 32 bits in the interface identifier are constructed using the IPv4 tunnel source address.
DETAILED STEPS
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Example: Device(config)# interface tunnel 1 |
Specifies a tunnel interface and number and enters interface configuration mode. |
||
|
Example: Device(config-if)# ipv6 address 2001:0DB8:6301::/64 eui-64 |
Specifies the IPv6 address assigned to the interface and enables IPv6 processing on the interface.
|
||
|
Example: Device(config-if)# no ipv6 nd suppress-ra |
Enables sending of IPv6 device advertisements to allow client autoconfiguration. |
||
|
Example: Device(config-if)# tunnel source GigabitEthernet 1/0/1 |
Specifies the source IPv4 address or the source interface type and number for the tunnel interface.
|
||
|
Example: Device(config-if)# tunnel mode ipv6ip isatap |
Specifies an IPv6 overlay tunnel using an ISATAP address. |
||
|
Example: Device(config-if)# end |
Exits interface configuration mode and returns to privileged EXEC mode. |
Verifying Tunnel Configuration and Operation
The show and ping commands in the steps below can be used in any sequence. The following commands can be used for GRE tunnels, IPv6 manually configured tunnels, and IPv6 over IPv4 GRE tunnels.
DETAILED STEPS
Step 1 |
enable Enables privileged EXEC mode. Enter your password if prompted. Example: Device> enable |
||
Step 2 |
show interfaces tunnel number [accounting] Two routers are configured to be endpoints of a tunnel. Device A has Gigabit Ethernet interface 0/0/0 configured as the source for tunnel interface 0 with an IPv4 address of 10.0.0.1 and an IPv6 prefix of 2001:0DB8:1111:2222::1/64. Device B has Gigabit Ethernet interface 0/0/0 configured as the source for tunnel interface 1 with an IPv4 address of 10.0.0.2 and an IPv6 prefix of 2001:0DB8:1111:2222::2/64. To verify that the tunnel source and destination addresses are configured, use the show interfaces tunnel command on Device A. Example:
Device A# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 10.0.0.1 (GigabitEthernet0/0/0), destination 10.0.0.2, fastswitch TTL 255
Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
Tunnel TTL 255
Checksumming of packets disabled, fast tunneling enabled
Last input 00:00:14, output 00:00:04, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue :0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
4 packets input, 352 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
8 packets output, 704 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
|
||
Step 3 |
ping [protocol] destination To check that the local endpoint is configured and working, use the ping command on Device A. Example: DeviceA# ping 2001:0DB8:1111:2222::2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:0DB8:1111:2222::2, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms |
||
Step 4 |
show ip route [address [mask]] To check that a route exists to the remote endpoint address, use the show ip route command. Example:
DeviceA# show ip route 10.0.0.2
Routing entry for 10.0.0.0/24
Known via "connected", distance 0, metric 0 (connected, via interface)
Routing Descriptor Blocks:
* directly connected, via GigabitEthernet0/0/0
Route metric is 0, traffic share count is 1
|
||
Step 5 |
ping [protocol] destination To check that the remote endpoint address is reachable, use the ping command on Device A.
Example:
DeviceA# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/28 ms
To check that the remote IPv6 tunnel endpoint is reachable, use the ping command again on Device A. The note regarding filtering earlier in step also applies to this example. Example:
DeviceA# ping 2001:0DB8:1111:2222::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1::2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
These steps may be repeated at the other endpoint of the tunnel. |
Configuration Examples for Implementing Tunnels
- Example: Configuring a GRE IPv4 Tunnel
- Example: Configuring GRE on IPv6 Tunnels
- Example: Configuring GRE Tunnel IP Source and Destination VRF Membership
- Example: Configuring EoMPLS over GRE
- Example: Manually Configuring IPv6 Tunnels
- Example: Configuring 6to4 Tunnels
- Example: Configuring ISATAP Tunnels
- Configuring QoS Options on Tunnel Interfaces Examples
Example: Configuring a GRE IPv4 Tunnel
The following example shows a simple configuration of GRE tunneling. Note that Gigabit Ethernet interface 0/0/1 is the tunnel source for Router A and the tunnel destination for Router B. Fast Ethernet interface 0/0/1 is the tunnel source for Router B and the tunnel destination for Router A.
Router A
interface Tunnel 0 ip address 10.1.1.2 255.255.255.0 tunnel source GigabitEthernet 0/0/1 tunnel destination 192.168.3.2 tunnel mode gre ip ! interface GigabitEthernet 0/0/1 ip address 192.168.4.2 255.255.255.0
Router B
interface Tunnel 0 ip address 10.1.1.1 255.255.255.0 tunnel source FastEthernet 0/0/1 tunnel destination 192.168.4.2 tunnel mode gre ip ! interface FastEthernet 0/0/1 ip address 192.168.3.2 255.255.255.0
The following example configures a GRE tunnel running both IS-IS and IPv6 traffic between Router A and Router B:
Router A
ipv6 unicast-routing clns routing ! interface Tunnel 0 no ip address ipv6 address 2001:0DB8:1111:2222::1/64 ipv6 router isis tunnel source GigabitEthernet 0/0/0 tunnel destination 10.0.0.2 tunnel mode gre ip ! interface GigabitEthernet 0/0/0 ip address 10.0.0.1 255.255.255.0 ! router isis network 49.0000.0000.000a.00
Router B
ipv6 unicast-routing clns routing ! interface Tunnel 0 no ip address ipv6 address 2001:0DB8:1111:2222::2/64 ipv6 router isis tunnel source GigabitEthernet 0/0/0 tunnel destination 10.0.0.1 tunnel mode gre ip ! interface GigabitEthernet 0/0/0 ip address 10.0.0.2 255.255.255.0 ! router isis network 49.0000.0000.000b.00 address-family ipv6 redistribute static exit-address-family
Example: Configuring GRE on IPv6 Tunnels
The following example shows how to configure a GRE tunnel over an IPv6 transport. Gigabit Ethernet interface 0/0/0 is configured with an IPv6 address, and this is the source address used by the tunnel interface. The destination IPv6 address of the tunnel is specified directly. In this example, the tunnel carries both IPv4 and IS-IS traffic.
interface tunnel 0 ip address 10.1.1.1 255.255.255.0 ip router isis tunnel source GigabitEthernet 0/0/0 tunnel destination 2001:DB8:1111:2222::1 tunnel mode gre ipv6 ! interface FastEthernet 0/0 no ip address ipv6 address 2001:DB8:1111:1111::1/64 ! router isis net 49.0001.0000.0000.000a.00
Example: Configuring GRE Tunnel IP Source and Destination VRF Membership
In this example, packets received on Fast Ethernet interface 0/0/1 using VRF1, are forwarded out of the tunnel through Fast Ethernet interface 1/0/0 using VRF2. The figure below shows a simple tunnel scenario.
Figure 4 | GRE Tunnel Diagram |
The following example shows the configuration for the tunnel in the figure above:
ip vrf1 rd 1:1 ip vrf2 rd 1:2 interface loopback 0 ip vrf forwarding vrf1 ip address 10.7.7.7 255.255.255.255 interface tunnel 0 ip vrf forwarding vrf2 ip address 10.3.3.3 255.255.255.0 tunnel source loopback 0 tunnel destination 10.5.5.5 tunnel vrf1 interface GigabitEthernet 0/0/0 ip vrf forwarding vrf2 ip address 10.1.1.1 255.255.255.0 interface GigabitEthernet 0/0/1 ip vrf forwarding vrf1 ip address 10.2.2.2 255.255.255.0 ip route vrf1 10.5.5.5 255.255.255.0 GigabitEthernet 0/0/1
Example: Configuring EoMPLS over GRE
Router A Configuration
vrf definition VPN1 rd 100:1 address-family ipv4 route-target both 100:1 exit-address-family ! mpls label protocol ldp mpls ldp neighbor 209.165.200.224 targeted mpls ldp router-id Loopback0 force ! interface tunnel 0 ip address 209.165.200.225 255.255.255.224 mpls label protocol ldp mpls ip keepalive 10 3 tunnel source TenGigabitEthernet 2/1/0 tunnel destination 209.165.200.226 ! interface Loopback 0 ip address 209.165.200.230 255.255.255.224 ! interface TenGigabitEthernet 2/1/0 mtu 9216 ip address 209.165.200.235 255.255.255.224 ! interface TenGigabitEthernet 9/1 no ip address ! interface TenGigabitEthernet 9/1.11 vrf forwarding VPN1 encapsulation dot1Q 300 ip address 209.165.200.237 255.255.255.224 ! interface TenGigabitEthernet 9/2 mtu 9216 no ip address xconnect 209.165.200.239 200 encapsulation mpls ! router bgp 65000 bgp log-neighbor-changes neighbor 209.165.200.240 remote-as 65000 neighbor 209.165.200.240 update-source Loopback0 neighbor 209.165.200.245 remote-as 100 ! address-family vpnv4 neighbor 209.165.200.240 activate neighbor 209.165.200.240 send-community extended ! address-family ipv4 vrf VPN1 no synchronization neighbor 209.165.200.247 remote-as 100 neighbor 209.165.200.248 activate neighbor 209.165.200.249 send-community extended ! ip route 209.165.200.251 255.255.255.224 tunnel 0 ip route 209.165.200.254 255.255.255.224 209.165.200.256 Router B Configuration vrf definition VPN1 rd 100:1 address-family ipv4 route-target both 100:1 exit-address-family ! mpls ldp neighbor 209.165.200.229 targeted mpls label protocol ldp mpls ldp router-id Loopback0 force ! interface tunnel 0 ip address 209.165.200.230 255.255.255.224 mpls label protocol ldp mpls ip keepalive 10 3 tunnel source TenGigabitEthernet 3/3/0 tunnel destination 209.165.200.232 ! interface Loopback 0 ip address 209.165.200.234 255.255.255.224 ! interface TenGigabitEthernet 2/1/1 mtu 9216 no ip address xconnect 209.165.200.237 200 encapsulation mpls ! interface TenGigabitEthernet 2/3/1 mtu 9216 no ip address ! interface TenGigabitEthernet 2/3.11/1 vrf forwarding VPN1 encapsulation dot1Q 300 ip address 209.165.200.239 255.255.255.224 ! interface TenGigabitEthernet 3/3/0 mtu 9216 ip address 209.165.200.240 255.255.255.224 ! router bgp 65000 bgp log-neighbor-changes neighbor 209.165.200.241 remote-as 65000 neighbor 209.165.200.241 update-source Loopback0 neighbor 209.165.200.244 remote-as 200 ! address-family vpnv4 neighbor 209.165.200.241 activate neighbor 209.165.200.241 send-community extended exit-address-family ! address-family ipv4 vrf VPN1 no synchronization neighbor 209.165.200.246 remote-as 200 neighbor 209.165.200.246 activate neighbor 209.165.200.246 send-community extended exit-address-family ¡ ip route 209.165.200.226 255.255.255.224 tunnel 0 ip route 209.165.200.229 255.255.255.224 209.165.200.235
Example: Manually Configuring IPv6 Tunnels
The following example shows how to manually configure an IPv6 tunnel between Router A and Router B. In the example, tunnel interface 0 for both Router A and Router B is manually configured with a global IPv6 address. The tunnel source and destination addresses are also manually configured.
Router A
interface GigabitEthernet 0/0/0 ip address 192.168.99.1 255.255.255.0 interface tunnel 0 ipv6 address 2001:0db8:c18:1::3/126 tunnel source GigabitEthernet 0/0/0 tunnel destination 192.168.30.1 tunnel mode ipv6ip
Router B
interface GigabitEthernet 0/0/0 ip address 192.168.30.1 255.255.255.0 interface tunnel 0 ipv6 address 2001:0db8:c18:1::2/126 tunnel source GigabitEthernet 0/0/0 tunnel destination 192.168.99.1 tunnel mode ipv6ip
Example: Configuring 6to4 Tunnels
The following example shows how to configure a 6to4 tunnel on a border router in an isolated IPv6 network. The IPv4 address is 192.168.99.1, which translates to the IPv6 prefix of 2002:c0a8:6301::/48. The IPv6 prefix is subnetted into 2002:c0a8:6301::/64 for the tunnel interface: 2002:c0a8:6301:1::/64 for the first IPv6 network and 2002:c0a8:6301:2::/64 for the second IPv6 network. The static route ensures that any other traffic for the IPv6 prefix 2002::/16 is directed to tunnel interface 0 for automatic tunneling.
interface GigabitEthernet 0/0/0 description IPv4 uplink ip address 192.168.99.1 255.255.255.0 ! interface GigabitEthernet 0/0/1 description IPv6 local network 1 ipv6 address 2002:c0a8:6301:1::1/64 ! interface GigabitEthernet 0/0/2 description IPv6 local network 2 ipv6 address 2002:c0a8:6301:2::1/64 ! interface tunnel 0 description IPv6 uplink no ip address ipv6 address 2002:c0a8:6301::1/64 tunnel source GigabitEthernet 0/0/0 tunnel mode ipv6ip 6to4 ! ipv6 route 2002::/16 tunnel0
Example: Configuring ISATAP Tunnels
The following example shows how the tunnel source defined on Gigabit Ethernet interface 0/0/0 and the tunnel mode command are used to configure the ISATAP tunnel. Router advertisements are enabled to allow client autoconfiguration.
interface tunnel 1 tunnel source GigabitEthernet 0/0/0 tunnel mode ipv6ip isatap ipv6 address 2001:0DB8::/64 eui-64 no ipv6 nd suppress-ra
Configuring QoS Options on Tunnel Interfaces Examples
The following sample configuration applies GTS directly on the tunnel interface. In this example, the configuration shapes the tunnel interface to an overall output rate of 500 kb/s.
interface Tunnel 0 ip address 10.1.2.1 255.255.255.0 traffic-shape rate 500000 125000 125000 1000 tunnel source 10.1.1.1 tunnel destination 10.2.2.2
The following sample configuration shows how to apply the same shaping policy to the tunnel interface with the MQC commands:
policy-map tunnel class class-default shape average 500000 125000 125000 ! interface Tunnel 0 ip address 10.1.2.1 255.255.255.0 service-policy output tunnel tunnel source 10.1.35.1 tunnel destination 10.1.35.2
Policing Example
When an interface becomes congested and packets start to queue, you can apply a queueing method to packets that are waiting to be transmitted. Logical interfaces--tunnel interfaces in this example--do not inherently support a state of congestion and do not support the direct application of a service policy that applies a queueing method. Instead, you must apply a hierarchical policy. Create a "child" or lower-level policy that configures a queueing mechanism, such as low-latency queueing, with the priority command and CBWFQ with the bandwidth command.
policy-map child class voice priority 512
Create a "parent" or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy because admission control for the child class is done according to the shaping rate for the parent class.
policy-map tunnel class class-default shape average 2000000 service-policy child
Apply the parent policy to the tunnel interface.
interface tunnel 0 service-policy tunnel
In the following example, a tunnel interface is configured with a service policy that applies queueing without shaping. A log message is displayed noting that this configuration is not supported.
Router(config)# interface tunnel1 Router(config-if)# service-policy output child Class Based Weighted Fair Queueing not supported on this interface
Additional References
The following sections provide references related to implementing tunnels.
Related Documents
Related Topic |
Document Title |
---|---|
All Cisco IOS XE commands |
|
Tunnel commands: complete command syntax, command mode, defaults, command history, usage guidelines, and examples |
Cisco IOS Interface and Hardware Component Command Reference |
IPv6 commands: complete command syntax, command mode, defaults, command history, usage guidelines, and examples |
Cisco IOS IPv6 Command Reference |
Cisco IOS XE Interface and Hardware Component configuration modules |
Cisco IOS XE Interface and Hardware Component Configuration Guide, Release 2 |
Cisco IOS XE IPv6 configuration modules |
Cisco IOS XE IPv6 Configuration Guide, Release 2 |
Cisco IOS XE Quality of Service Solutions configuration modules |
Cisco IOS XE Quality of Service Solutions Configuration Guide |
Cisco IOS XE Multiprotocol Label Switching configuration modules |
Cisco IOS XE Multiprotocol Label Switching Configuration Guide |
Configuration example for a VRF-aware dynamic multipoint VPN (DMVPN) |
"Dynamic Multipoint VPN (DMVPN)" configuration module in the Cisco IOS XE Security Configuration Guide: Secure Connectivity |
Standards/RFCs
Standard |
Title |
---|---|
No new or modified standards are supported, and support for existing standards has not been modified. |
-- |
RFC 791 |
Internet Protocol |
RFC 1191 |
Path MTU Discovery |
RFC 1323 |
TCP Extensions for High Performance |
RFC 1483 |
Multiprotocol Encapsulation over ATM Adaptation Layer 5 |
RFC 2003 |
IP Encapsulation Within IP |
RFC 2018 |
TCP Selective Acknowledgment Options |
RFC 2460 |
Internet Protocol, Version 6 (IPv6) |
RFC 2473 |
Generic Packet Tunneling in IPv6 Specification |
RFC 2474 |
Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers |
RFC 2516 |
A Method for Transmitting PPP over Ethernet (PPPoE) |
RFC 2547 |
BGP/MPLS VPNs |
RFC 2780 |
IANA Allocation Guidelines for Values in the Internet Protocol and Related Headers |
RFC 2784 |
Generic Routing Encapsulation (GRE) |
RFC 2890 |
Key and Sequence Number Extensions to GRE |
RFC 2893 |
Transition Mechanisms for IPv6 Hosts and Routers |
RFC 3056 |
Connection of IPv6 Domains via IPv4 Clouds |
RFC 3147 |
Generic Routing Encapsulation over CLNS Networks |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Implementing Tunnels
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 5 | Feature Information for Implementing Tunnels |
Feature Name |
Releases |
Feature Information |
---|---|---|
EoMPLS over GRE |
Cisco IOS XE Release 2.5 |
The EoMPLS over GRE feature allows you to tunnel Layer 2 traffic through a Layer 3 MPLS network. This feature also helps to create the GRE tunnel as hardware-based switched, and with high performance that encapsulates EoMPLS frames within the GRE tunnel. No new commands were introduced or modified by this feature. |
GRE Tunnel IP Source and Destination VRF Membership |
Cisco IOS XE Release 2.2 |
The GRE Tunnel IP Source and Destination VRF Membership feature allows you to configure the source and destination of a tunnel to belong to any VPN VRF table. The following command was introduced or modified: tunnel vrf. |
GRE Tunnel Keepalive |
Cisco IOS XE Release 2.1 |
The GRE Tunnel Keepalive feature provides the capability of configuring keepalive packets to be sent over IP-encapsulated GRE tunnels. You can specify the rate at which keepalives will be sent and the number of times that a device will continue to send keepalive packets without a response before the interface becomes inactive. GRE keepalive packets may be sent from both sides of a tunnel or from just one side. The following command was introduced by this feature: keepalive (tunnel interfaces) . |
IP over IPv6 Tunnels |
Cisco IOS XE Release 2.4 |
The following commands were modified by this feature: tunnel destination, tunnel mode, and tunnel source. |
IP Precedence for GRE Tunnels |
Cisco IOS XE Release 2.1 |
This feature was introduced on Cisco ASR 1000 Aggregation Services Routers. |
IP Tunnel-- SSO |
Cisco IOS XE Release 3.6 |
High availability support was added to IP Tunnels. No new commands were introduced or modified by this feature. |
Tunnel ToS |
Cisco IOS XE Release 2.1 |
The Tunnel ToS feature allows you to configure the ToS and Time-to-Live (TTL) byte values in the encapsulating IP header of tunnel packets for an IP tunnel interface on a router. The Tunnel ToS feature is supported in Cisco Express Forwarding, fast switching, and process switching forwarding modes. The following commands were introduced or modified by this feature: show interfaces tunnel, tunnel tos, tunnel, and ttl. |
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.