Ethernet over GRE Tunnels
Ethernet over GRE (EoGRE) is an aggregation solution for Wi-Fi traffic from hotspots. It enables customer premises equipment (CPE) devices to bridge the Ethernet traffic coming from an end host and encapsulate that traffic as Ethernet frames carried over an IP GRE tunnel. When the IP GRE tunnels are terminated on a service provider broadband network gateway, the end host's traffic is terminated there and subscriber sessions are initiated for the end host.
High Availability (HA) is supported for EoGRE IPv4 and IPv6 tunnel configurations. In addition, Client SSO (stateful switchover) is supported for IPv4 and IPv6 EoGRE tunnel clients.
For more information about designing and deploying EoGRE on controller and Cisco FlexConnect APs, see the EoGRE Deployment Guide.
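The encapsulation described above, as an added example that is not Cisco code and does not talk to a controller or tunnel gateway: it builds an inner Ethernet frame from an end host, wraps it in GRE with protocol type 0x6558 (Transparent Ethernet Bridging) and an outer IPv4 header (IP protocol 47), then decapsulates it again. The MAC and IP addresses are constructed sample values; whether a deployment sets the GRE key field is an assumption here, and the parser handles it either way. The last two functions give the per-packet overhead behind the 1500-byte and 1280-byte tunnel limits listed under Restrictions.

```python
"""Ethernet over GRE on the wire: build and parse an EoGRE packet (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558      # Transparent Ethernet Bridging: GRE payload is an Ethernet frame
GRE_FLAG_C = 0x8000         # checksum present  (RFC 2784)
GRE_FLAG_K = 0x2000         # key present       (RFC 2890)
GRE_FLAG_S = 0x1000         # sequence present  (RFC 2890)
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETH_HDR = 14                # dst MAC + src MAC + EtherType
VLAN_TAG = 4


@dataclass
class EoGREFrame:
    outer_src: str
    outer_dst: str
    gre_key: Optional[int]
    dst_mac: bytes
    src_mac: bytes
    vlan_id: Optional[int]
    ethertype: int
    payload: bytes


def ipv4_checksum(data: bytes) -> int:
    """One's-complement checksum over the IPv4 header; 0 means a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int,
                   payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Inner frame as the CPE/AP bridges it, optionally 802.1Q tagged."""
    frame = dst_mac + src_mac
    if vlan_id is not None:
        frame += struct.pack("!HH", ETHERTYPE_VLAN, vlan_id & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def build_gre(inner_frame: bytes, key: Optional[int] = None) -> bytes:
    """GRE header (flags/version 0, protocol type, optional key) followed by the frame."""
    flags, optional = 0, b""
    if key is not None:              # assumption: key use is deployment-specific
        flags |= GRE_FLAG_K
        optional = struct.pack("!I", key)
    return struct.pack("!HH", flags, GRE_PROTO_TEB) + optional + inner_frame


def build_ipv4(src: str, dst: str, gre: bytes) -> bytes:
    """Outer IPv4 header: DF set, TTL 64, protocol 47 (GRE), valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0x4000, 64,
                         IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + gre


def parse_eogre(packet: bytes) -> EoGREFrame:
    """Strip the outer IPv4 and GRE headers and return the inner frame's fields."""
    if packet[0] >> 4 != 4:
        raise ValueError("only an IPv4 outer header is handled here")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum mismatch")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE (47)")
    total_len = struct.unpack("!H", packet[2:4])[0]
    gre = packet[ihl:total_len]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE protocol type 0x%04x is not Ethernet bridging" % proto)
    off = 4
    if flags & GRE_FLAG_C:
        off += 4                         # checksum + reserved1
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_S:
        off += 4                         # sequence number
    eth = gre[off:]
    dst_mac, src_mac = eth[:6], eth[6:12]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    vlan_id, body = None, ETH_HDR
    if ethertype == ETHERTYPE_VLAN:
        tci, ethertype = struct.unpack("!HH", eth[14:18])
        vlan_id, body = tci & 0x0FFF, ETH_HDR + VLAN_TAG
    return EoGREFrame(socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
                      key, dst_mac, src_mac, vlan_id, ethertype, eth[body:])


def tunnel_overhead(outer_ipv6: bool, keyed: bool, tagged: bool) -> int:
    """Bytes the tunnel adds in front of the end host's own IP packet."""
    return ((40 if outer_ipv6 else 20) + 4 + (4 if keyed else 0)
            + ETH_HDR + (VLAN_TAG if tagged else 0))


def max_host_ip_packet(outer_ipv6: bool, keyed: bool, tagged: bool, tunnel_mtu: int) -> int:
    """Largest end-host IP packet that fits the tunnel MTU without fragmentation."""
    return tunnel_mtu - tunnel_overhead(outer_ipv6, keyed, tagged)


if __name__ == "__main__":
    # Constructed sample: a host on VLAN 100 behind the AP sends a 40-byte IP packet.
    host, gw = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    inner = build_ethernet(gw, host, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 39, vlan_id=100)
    pkt = build_ipv4("10.1.1.10", "192.0.2.1", build_gre(inner, key=0x2A))
    print(parse_eogre(pkt))
    print(len(pkt), max_host_ip_packet(False, True, True, 1500), max_host_ip_packet(True, False, False, 1280))
```

With a keyed, 802.1Q-tagged inner frame on an IPv4 tunnel the overhead is 46 bytes, so a 1500-byte tunnel MTU leaves 1454 bytes for the host's packet; on an IPv6 tunnel capped at 1280 bytes (untagged, no key) it is 1222 bytes. The parser rejects a corrupted outer header rather than guessing at the frame boundary.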
EoGRE on 802.1X Authentication-based WLANs
| 802.1X Authentication | Switching | AP Mode | EoGRE | SimpleIP |
|---|---|---|---|---|
| Central, no FlexConnect backup RADIUS server | Local | Connected | Clients can join as EoGRE. | Clients can join as SimpleIP. |
| Central, no FlexConnect backup RADIUS server | Local | Standalone | New clients cannot join; existing clients should work. | New clients cannot join; existing clients should work. |
| Central, no FlexConnect backup RADIUS server | Local | Boot in standalone | Clients cannot join. | Clients cannot join. |
| Local AP auth, no FlexConnect backup RADIUS server | Local | Connected | Clients become SimpleIP. | Clients join as SimpleIP. |
| Local AP auth, no FlexConnect backup RADIUS server | Local | Standalone | Clients become SimpleIP. | Existing and new clients work as expected. |
| Local AP auth, no FlexConnect backup RADIUS server | Local | Boot in standalone | Clients become SimpleIP. | Clients can join. |
| Central, FlexConnect backup RADIUS server | Local | Connected | Clients join as EoGRE. | Existing and new clients work as expected. |
| Central, FlexConnect backup RADIUS server | Local | Standalone | Existing clients continue as EoGRE; new clients join as SimpleIP. | Existing and new clients work as expected. |
| Central, FlexConnect backup RADIUS server | Local | Boot in standalone | Clients become SimpleIP. | Existing and new clients work as expected. |
EoGRE on Open Authentication-based WLANs
Note: For open WLANs, the EoGRE profile must have only one rule, which is a * rule. Mapping a profile that has multiple rules to an open authentication WLAN is not supported. All clients should be EoGRE clients.

| Open Authentication | Switching | AP Mode | EoGRE |
|---|---|---|---|
| Central | Local | Connected | Clients join as EoGRE. |
| Central | Local | Standalone | New clients cannot join; existing clients should work. |
| Central | Local | Boot in standalone | Clients cannot join. |
Changing the Tunnel Source
Prior to Release 8.2, the management IP address was always used as the tunnel endpoint. From Release 8.2 onward, any L3 dynamic interface other than the management interface can be specified as the tunnel endpoint instead.
Support for IPv6
In Release 8.3, support was added for client IPv6 traffic and for an IPv6 address format for the EoGRE tunnel gateway. Client IPv6 traffic is supported on both IPv4 and IPv6 EoGRE tunnels. A maximum of eight different client IPv6 addresses is supported per client. Controllers send all the client IPv6 addresses that they have learned to the accounting server in the accounting update message. All RADIUS or accounting messages exchanged between controllers and tunnel gateways or RADIUS servers travel outside the EoGRE tunnel.

| CAPWAP | EoGRE | Remarks |
|---|---|---|
| CAPWAPv4 | EoGREv4 | Accounting IP expected to be CAPWAPv4 (controller IP) |
| CAPWAPv4 | EoGREv6 | Accounting IP expected to be CAPWAPv4 (controller IP) |
| CAPWAPv6 | EoGREv4 | Accounting IP expected to be CAPWAPv6 (controller IP) |
| CAPWAPv6 | EoGREv6 | Accounting IP expected to be CAPWAPv6 (controller IP) |
One-to-One Mapping of WLAN with EoGRE VLAN
The EoGRE implementation for open WLANs is limited to 10 WLANs per VLAN per controller. This limitation can be overcome by having a one-to-one mapping between open WLANs and EoGRE VLANs.
A one-to-one mapping of a WLAN with an EoGRE VLAN is achieved by overriding the EoGRE VLAN configuration within the WLAN. All the existing rules still apply, but when the EoGRE VLAN override option is enabled on a WLAN, the VLAN ID that you specify on that WLAN overrides the EoGRE VLAN ID configured in the tunnel profile that is mapped to the WLAN, so that several WLANs can share one tunnel profile while each keeps its own EoGRE VLAN.
The order of precedence is as follows:
- If the AAA override option is enabled on the WLAN, the AAA values are applied.
- If the EoGRE VLAN override option is enabled, the VLAN ID specified on the WLAN is applied.
- The Network Access Identifier (NAI) is matched against the EoGRE profile rules.
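The precedence above and the rule-matching it depends on, as an added model that is not Cisco code and not the controller's actual algorithm. It encodes only what this page states: AAA values win, then the per-WLAN EoGRE VLAN override, and the domain always comes from the tunnel-profile rule whose realm filter matches the client's NAI, with * as the catch-all. It also enforces two restrictions from this page: an open WLAN may map only a single-rule profile whose rule is *, and a domain returned by AAA must be attached to some WLAN's profile, otherwise its gateways are not operational. The Rule and WLAN fields and the RADIUS attribute names are assumptions made for illustration.

```python
"""EoGRE domain/VLAN selection for a client, in precedence order (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    realm_filter: str   # exact realm, or '*' for any realm (assumed rule shape)
    domain: str         # domain (group of tunnel gateways) the client is tunnelled to
    eogre_vlan: int     # VLAN configured in the tunnel profile for this rule


@dataclass
class TunnelProfile:
    name: str
    rules: List[Rule]


@dataclass
class WLAN:
    wlan_id: int
    open_auth: bool                           # open WLAN vs 802.1X WLAN
    profile: Optional[TunnelProfile] = None
    aaa_override: bool = False
    eogre_vlan_override: bool = False
    eogre_vlan_override_id: Optional[int] = None


@dataclass(frozen=True)
class Decision:
    client_type: str            # 'EoGRE' or 'SimpleIP'
    domain: Optional[str]
    vlan: Optional[int]
    source: str                 # which precedence level decided the VLAN


def realm_of(nai: str) -> str:
    """NAI is user@realm (RFC 4282); an NAI without '@' has no realm."""
    return nai.rpartition("@")[2] if "@" in nai else ""


def check_profile_mapping(wlan: WLAN) -> None:
    """Open WLANs may map only a profile with exactly one rule, the '*' rule."""
    p = wlan.profile
    if p is None or not wlan.open_auth:
        return
    if len(p.rules) != 1 or p.rules[0].realm_filter != "*":
        raise ValueError("WLAN %d is open: profile %r must have a single '*' rule"
                         % (wlan.wlan_id, p.name))


def match_rule(profile: TunnelProfile, nai: str) -> Optional[Rule]:
    """Exact realm match first, then the '*' catch-all, else no rule."""
    realm = realm_of(nai).lower()
    for r in profile.rules:
        if r.realm_filter != "*" and r.realm_filter.lower() == realm:
            return r
    for r in profile.rules:
        if r.realm_filter == "*":
            return r
    return None


def domain_is_attached(domain: str, wlans: Iterable[WLAN]) -> bool:
    """A domain is operational only if some WLAN's profile rule references it."""
    return any(w.profile is not None and any(r.domain == domain for r in w.profile.rules)
               for w in wlans)


def resolve(wlan: WLAN, nai: str, aaa: Dict[str, str], all_wlans: List[WLAN]) -> Decision:
    check_profile_mapping(wlan)
    if wlan.profile is None:
        return Decision("SimpleIP", None, None, "no tunnel profile on WLAN")
    rule = match_rule(wlan.profile, nai)
    if rule is None:
        return Decision("SimpleIP", None, None, "no rule matched NAI")
    domain, vlan, source = rule.domain, rule.eogre_vlan, "tunnel profile rule"
    # 1. AAA override: values returned by the RADIUS server win.
    #    ('eogre_domain' / 'eogre_vlan' are invented attribute names for this model)
    if wlan.aaa_override and ("eogre_domain" in aaa or "eogre_vlan" in aaa):
        domain = aaa.get("eogre_domain", domain)
        if not domain_is_attached(domain, all_wlans):
            raise ValueError("AAA returned domain %r that no WLAN's profile references; "
                             "attach it to a WLAN so its gateways become operational" % domain)
        vlan = int(aaa["eogre_vlan"]) if "eogre_vlan" in aaa else vlan
        source = "AAA override"
    # 2. Per-WLAN EoGRE VLAN override: this WLAN's own VLAN replaces the profile's.
    elif wlan.eogre_vlan_override and wlan.eogre_vlan_override_id is not None:
        vlan, source = wlan.eogre_vlan_override_id, "EoGRE VLAN override"
    return Decision("EoGRE", domain, vlan, source)
```

Two open WLANs can share one profile whose only rule is * and still land clients on different EoGRE VLANs through the override, while an 802.1X WLAN with AAA override enabled takes the RADIUS-supplied VLAN ahead of anything configured locally; a domain supplied by AAA that no WLAN references is rejected rather than silently producing a tunnel with no operational gateway.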
Restrictions for EoGRE Tunneling
- On Cisco vWLC, EoGRE tunneling is supported only in local switching mode.
- The EoGRE feature is not supported on Cisco Aironet 702, 801, 802, and 1520 Access Points.
- It is not possible to edit or delete a tunnel profile if the profile is associated with a WLAN. You must first dissociate the profile from the WLAN and then edit or delete the profile.
- It is not possible to edit or delete a tunnel gateway if the gateway is already associated with a domain. You must first dissociate the tunnel gateway from the domain and then edit or delete the tunnel gateway.
- It is not possible to edit or delete a domain if the domain is already associated with a tunnel profile rule. You must first dissociate the domain from the tunnel profile rule and then edit or delete the domain.
- If a domain is modified on the fly, the clients associated with the domain are deauthenticated.
- We recommend that you do not deploy a firewall that could block ICMP packets.
- Tunnel Gateway (TGW) as AAA and the RADIUS realm feature on a WLAN should not be used together.
- Tunnel Gateway (TGW) as AAA is not supported on EoGRE for FlexConnect APs.
- EoGRE tunnel gateway statistics are not synced to the standby controller.
- Due to an SNMP limitation, tunnel gateway names can be up to 127 characters only.
- For open WLANs, the profile must have only one rule, which is a * rule. Mapping a profile that has multiple rules to an open authentication WLAN is not supported.
- Broadcast and multicast traffic on the local switching VLAN reaches EoGRE clients.
- FlexConnect+Bridge mode is not supported.
- In standalone mode, EoGRE client fast roaming is not supported.
- WebAuth is not supported.
- FlexConnect AP local authentication is not supported.
- FlexConnect AP backup RADIUS server is not supported.
- EoGRE clients with a static IP address are not supported.
- A FlexConnect ACL on the WLAN does not work for EoGRE clients.
- After fault tolerance, the client type is SimpleIP; it changes to EoGRE after a period of 30 seconds.
- The MTU of the AP gateway should be 1500 bytes.
- Lightweight APs support Path MTU discovery only for EoGREv6; for EoGREv4, it is not supported.
- For EoGRE clients, TrustSec SGT/policy enforcement might not work as expected because it is not supported for any tunneled traffic, including the Layer 3 mobility tunnel. For tunneled traffic, the source SGT is not encoded in the CMD header (the CMD header itself is not added), so the unknown SGACL policy (0, DGT) is applied at the policy enforcement point.
- EoGRE IPv6 restrictions:
  - EoGRE clients get their IPv6 address from the local switching VLAN.
  - DHCP Option 82 configuration is not supported for IPv6 clients.
  - Applications such as RADIUS, FTP, TFTP, SFTP, LDAP, SXP, syslog, and so on are supported only on the management IPv6 address.
  - A dynamic IPv6 AP-manager interface is not supported.
  - A dynamic interface with an IPv6 address is supported only as a tunnel interface.
  - The maximum number of dynamic interfaces to which an IPv6 address can be assigned is 16.
  - The IPv6 link-local address is common to all switched virtual interfaces (SVIs) on a switch, so configuring an IPv6 address on a dynamic interface fails. To overcome this, explicitly configure a link-local address on each SVI on the uplink switch; each SVI must have a unique link-local address.
  - IP packets on IPv6 tunnels are limited to a maximum size of 1280 bytes on the controller.
- When AAA override is enabled for a WLAN, the domain passed through the AAA server should also be attached to a second WLAN. This applies to APs in both Local and FlexConnect modes, and is required so that the gateways mapped to the domain in the AAA server become operational in Local mode on the controller and are downloaded to the AP in FlexConnect mode.
- Clients connecting to Wave 2 APs get an IP address from the native VLAN under the conditions described in CSCvu46349.
Configuring EoGRE on the Controller (GUI)
Procedure
Step 1: Create tunnel gateways and configure heartbeats:
Step 2: Create a tunnel profile:
Step 3: Define a tunnel profile rule:
Step 4: Specify tunnel parameters:
Step 5: Create RADIUS authentication or accounting servers, or both, by specifying the tunnel gateway IP addresses that you specified in Step 1 as the server IP addresses, and enable Tunnel Proxy. For instructions on how to create RADIUS servers, see the Configuring RADIUS chapter under Security Solutions.
Step 6: Associate the tunnel profile with the WLAN:
Step 7: Verify that the tunnel is correctly configured:
Step 8: Verify the gateway statistics:
Configuring EoGRE on the Controller (CLI)
Procedure
Configuring EoGRE for FlexConnect APs (GUI)
- Ensure that the APs are in FlexConnect mode.
- The tunnel configuration made for the controller also applies to Cisco FlexConnect APs when the tunnel profile is associated with a WLAN.
- Path MTU discovery is supported on FlexConnect APs.
Procedure
Step 1: Choose WLANs.
Step 2: Click the WLAN ID.
Step 3: In the Advanced tab, under FlexConnect, enable FlexConnect Local Switching.
Step 4: Save the configuration.
Step 5: To view the statistics per gateway, click Get Statistics.
Configuring EoGRE for FlexConnect APs (CLI)
- Ensure that the APs are in FlexConnect mode.
- The tunnel configuration made for the controller also applies to Cisco FlexConnect APs when the tunnel profile is associated with a WLAN.
Procedure
Step 1: Enable Local Switching on the FlexConnect APs associated with a WLAN by entering this command:
Step 2: Monitor the EoGRE configuration by entering this command:
One-to-One Mapping of WLAN with EoGRE VLAN (GUI)
Before you begin
- Ensure that you have created an EoGRE tunnel profile.
- Ensure that the WLAN is in the disabled state before you proceed with this procedure.
Procedure
Step 1: Choose WLANs and click the WLAN ID.
Step 2: Click the Advanced tab and scroll down to the Tunneling section.
Step 3: Select the tunnel profile.
Step 4: Check the EoGRE VLAN Override check box to enable the EoGRE VLAN override feature on the WLAN.
Step 5: In the EoGRE VLAN Override ID field, enter the VLAN ID that should override the EoGRE VLAN ID configured in the tunnel profile.
Step 6: Save the configuration.
One-to-One Mapping of WLAN with EoGRE VLAN (CLI)
Before you begin
- Ensure that you have created an EoGRE tunnel profile.
- Ensure that the WLAN is in the disabled state before you proceed with this procedure.
Procedure
Step 1: Enable the EoGRE VLAN override feature on a WLAN by entering this command: config wlan tunnel eogre-vlan-override wlan-id enable
Step 2: Configure the VLAN ID that should override the EoGRE VLAN ID configured in the tunnel profile by entering this command: config wlan tunnel eogre-vlan-override wlan-id vlan-id
Step 3: Monitor the configuration on the WLAN by entering this command: show wlan wlan-id
Step 4: View the client details, including the EoGRE VLAN ID in use, by entering this command: show client detail client-mac-addr
What to do next
You can troubleshoot issues related to this feature by using the debug client client-mac-addr command: