Multiple tunnels over the same interfaces.

Problem: When I tried to bring up two GRE tunnels over the same physical interface (with the same tunnel source and the same tunnel destination), only one of the two came up.

In the Cisco forum I found several similar cases; the closest one said:

“I am attempting to create two GRE tunnels, both tunnels have the same source and destination. No problem creating the first tunnel but creating the second I get the error\warning
Warning: Using same source IP for more than one IP/GRE tunnels
may cause software switching packets for tunnels using
this address. If possible, use a unique tunnel source for Interface Tunnelxxx”

Pasted from <https://supportforums.cisco.com/discussion/11877351/multiple-gre-tunnels-same-sourcedestination>

Among the proposed solutions, the two best are:
-Change the tunnel source and destination to use loopback interfaces.
-Use “tunnel key”

Topology:

Initial configuration:

R1:
!
hostname R1
!
no ip domain lookup
!
interface Ethernet1/0
ip address 10.22.26.1 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.8.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
logging synchronous
!

R2:
!
hostname R2
!
no ip domain lookup
!
interface Ethernet1/0
ip address 10.22.26.2 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.9.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
logging synchronous
!

Initial verification:

R1#sh ip route
Gateway of last resort is not set
10.22.0.0/16 is variably subnetted, 5 subnets, 4 masks
C 10.22.8.0/24 is directly connected, Ethernet1/1
L 10.22.8.1/32 is directly connected, Ethernet1/1
O 10.22.9.0/24 [110/20] via 10.22.26.2, 01:14:24, Ethernet1/0
C 10.22.26.0/27 is directly connected, Ethernet1/0
L 10.22.26.1/32 is directly connected, Ethernet1/0

Configuration of the first tunnel:

Added on R1:
!
interface Tunnel100
ip address 10.22.26.130 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.2
!

Added on R2:
!
interface Tunnel100
ip address 10.22.26.129 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.1
!

Verification:

*Jun 26 11:22:56.227: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Jun 26 11:22:56.771: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Jun 26 11:23:35.263: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
R1#
*Jun 26 11:28:05.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to up
*Jun 26 11:28:05.603: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel100 from LOADING to FULL, Loading Done

R1#sh ip route
Gateway of last resort is not set
10.22.0.0/16 is variably subnetted, 7 subnets, 4 masks
C 10.22.8.0/24 is directly connected, Ethernet1/1
L 10.22.8.1/32 is directly connected, Ethernet1/1
O 10.22.9.0/24 [110/20] via 10.22.26.129, 00:00:43, Tunnel100
                             [110/20] via 10.22.26.2, 01:39:08, Ethernet1/0
C 10.22.26.0/27 is directly connected, Ethernet1/0
L 10.22.26.1/32 is directly connected, Ethernet1/0
C 10.22.26.128/30 is directly connected, Tunnel100
L 10.22.26.130/32 is directly connected, Tunnel100
R1#sh ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Tu100 1 0 10.22.26.130/30 10 P2P 1/1
Et1/1 1 0 10.22.8.1/24 10 DR 0/0
Et1/0 1 0 10.22.26.1/27 10 DR 1/1

Configuration of the second tunnel:

Added on R1:
!
interface Tunnel101
ip address 10.22.26.134 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.2
!

Added on R2:
!
interface Tunnel101
ip address 10.22.26.133 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.1
!

Verifying the problem:

*Jun 26 11:46:54.531: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel101, changed state to up
R1(config-if)#
*Jun 26 11:47:03.651: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel101 from LOADING to FULL, Loading Done
R1(config-if)#^Z
*Jun 26 11:47:10.523: %SYS-5-CONFIG_I: Configured from console by console
R1#
*Jun 26 11:47:25.275: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed state to down
*Jun 26 11:47:25.303: %OSPF-5-ADJCHG: Process 1, Nbr 10.22.26.2 on Tunnel100 from FULL to DOWN, Neighbor Down: Interface down or detached

While one comes up, the other goes down.
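
A way to catch this before deployment, as an added example that is not part of the original post: the script below parses IOS-style configuration text and reports Tunnel interfaces that share the same (tunnel source, tunnel destination, tunnel key) tuple. The sample configuration is constructed from the R1 tunnel stanzas above, and the names TEMPLATE, parse_tunnels and find_collisions are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample based on R1's tunnel stanzas; {k100}/{k101} are optional key lines.
TEMPLATE = """\
interface Tunnel100
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
{k100}!
interface Tunnel101
 tunnel source Ethernet1/0
 tunnel destination 10.22.26.2
{k101}!
"""
R1_BROKEN = TEMPLATE.format(k100="", k101="")
R1_KEYED = TEMPLATE.format(k100=" tunnel key 2\n", k101=" tunnel key 3\n")

def parse_tunnels(config):
    """Map each Tunnel interface to its source, destination and key (None if unset)."""
    tunnels, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line, re.I)
        if m:  # a new interface stanza starts; track it only if it is a tunnel
            name = m.group(1)
            current = name if name.lower().startswith("tunnel") else None
            if current:
                tunnels[current] = {"source": None, "destination": None, "key": None}
            continue
        m = re.match(r"tunnel\s+(source|destination|key)\s+(\S+)", line, re.I)
        if m and current:
            tunnels[current][m.group(1).lower()] = m.group(2)
    return tunnels

def find_collisions(config):
    """Return {(source, destination, key): [tunnels]} for tuples used more than once.

    Sources are compared as written, so an interface name and its IP are not unified.
    """
    groups = defaultdict(list)
    for name, t in parse_tunnels(config).items():
        groups[(t["source"], t["destination"], t["key"])].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

if __name__ == "__main__":
    print("no keys:", find_collisions(R1_BROKEN))
    print("keys 2/3:", find_collisions(R1_KEYED))
```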

1st solution:
-Change the tunnel source and destination to use loopback interfaces.

R1 (configuration changes):
!
hostname R1
!
no ip domain lookup
!
interface Loopback0
ip address 10.22.26.240 255.255.255.255
!
interface Loopback1
ip address 10.22.26.241 255.255.255.255
!
interface Tunnel100
ip address 10.22.26.130 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Loopback0
tunnel destination 10.22.26.242
!
interface Tunnel101
ip address 10.22.26.134 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.22.26.243
!
interface Ethernet1/0
ip address 10.22.26.1 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.8.1 255.255.255.0
!
router ospf 1
network 10.22.8.0 0.0.0.255 area 0
network 10.22.26.0 0.0.0.31 area 0
network 10.22.26.128 0.0.0.3 area 0
network 10.22.26.132 0.0.0.3 area 0
!
ip route 10.22.26.242 255.255.255.255 10.22.26.2
ip route 10.22.26.243 255.255.255.255 10.22.26.2
!
line con 0
logging synchronous
!

R2 (configuration changes):
!
hostname R2
!
no ip domain lookup
!
interface Loopback0
ip address 10.22.26.242 255.255.255.255
!
interface Loopback1
ip address 10.22.26.243 255.255.255.255
!
interface Tunnel100
ip address 10.22.26.129 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Loopback0
tunnel destination 10.22.26.240
!
interface Tunnel101
ip address 10.22.26.133 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Loopback1
tunnel destination 10.22.26.241
!
interface Ethernet1/0
ip address 10.22.26.2 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.9.1 255.255.255.0
!
router ospf 1
network 10.22.9.0 0.0.0.255 area 0
network 10.22.26.0 0.0.0.31 area 0
network 10.22.26.128 0.0.0.3 area 0
network 10.22.26.132 0.0.0.3 area 0
!
ip route 10.22.26.240 255.255.255.255 10.22.26.1
ip route 10.22.26.241 255.255.255.255 10.22.26.1
!
line con 0
logging synchronous
!

Verification:

R1#sh ip route
Gateway of last resort is not set
10.22.0.0/16 is variably subnetted, 13 subnets, 4 masks
C 10.22.8.0/24 is directly connected, Ethernet1/1
L 10.22.8.1/32 is directly connected, Ethernet1/1
O 10.22.9.0/24 [110/20] via 10.22.26.133, 00:04:04, Tunnel101
                             [110/20] via 10.22.26.129, 00:05:27, Tunnel100
                             [110/20] via 10.22.26.2, 00:10:19, Ethernet1/0
C 10.22.26.0/27 is directly connected, Ethernet1/0
L 10.22.26.1/32 is directly connected, Ethernet1/0
C 10.22.26.128/30 is directly connected, Tunnel100
L 10.22.26.130/32 is directly connected, Tunnel100
C 10.22.26.132/30 is directly connected, Tunnel101
L 10.22.26.134/32 is directly connected, Tunnel101
C 10.22.26.240/32 is directly connected, Loopback0
C 10.22.26.241/32 is directly connected, Loopback1
S 10.22.26.242/32 [1/0] via 10.22.26.2
S 10.22.26.243/32 [1/0] via 10.22.26.2
R1#sh ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Tu101 1 0 10.22.26.134/30 10 P2P 1/1
Tu100 1 0 10.22.26.130/30 10 P2P 1/1
Et1/0 1 0 10.22.26.1/27 10 DR 1/1
Et1/1 1 0 10.22.8.1/24 10 DR 0/0

It works!

2nd solution:
-Use “tunnel key”

tunnel key
To enable an ID key for a tunnel interface, use the tunnel key command in interface configuration mode. To remove the ID key, use the no form of this command.

Pasted from <http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/command/ir-cr-book/ir-t2.html#wp4886133000>

This document describes the IPsec secured GRE based VPN
demultiplexing problem statement. When two or more IPsec SAs are
used to protect GRE encapsulated VPN network between the same pair of
edge router, the current GRE based VPN does not support the edge
router to demultiplex data for different IPsec SA. GRE key provides
one solution to demultiplex the VPNs secured by IPsec.

Pasted from <http://tools.ietf.org/html/draft-ma-softwire-ipsec-gre-demultiplexing-ps-00>
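
What the key changes on the wire, as an added example that is not part of the original post or of Cisco's code: the script builds and parses GRE headers with the optional Key field (RFC 2890) and matches a received packet against configured tunnels by (local, remote, key). The classify function is a simplified model of receiver-side lookup, not IOS internals, and the tables are constructed from R1's addresses and the key values 2 and 3 used below.

```python
import struct

# Flag bits in the first 16 bits of the GRE header (RFC 2784 / RFC 2890).
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # checksum, key, sequence present
PROTO_IPV4 = 0x0800

def build_gre(payload, key=None, proto=PROTO_IPV4):
    """Build a GRE header, adding the 32-bit Key field when a key is given."""
    flags = GRE_K if key is not None else 0
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + payload

def parse_gre(packet):
    """Return (key or None, protocol type, payload) from a GRE packet."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", packet, 0)
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    offset = 4 + (4 if flags & GRE_C else 0)  # skip Checksum + Reserved1
    key = None
    if flags & GRE_K:
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE key")
        (key,) = struct.unpack_from("!I", packet, offset)
        offset += 4
    if flags & GRE_S:
        offset += 4  # skip Sequence Number
    return key, proto, packet[offset:]

def classify(tunnels, outer_src, outer_dst, packet):
    """Names of tunnels whose (local, remote, key) match the received packet."""
    key, _, _ = parse_gre(packet)
    return sorted(name for name, (local, remote, k) in tunnels.items()
                  if (local, remote, k) == (outer_dst, outer_src, key))

# Constructed tables for R1 (local 10.22.26.1, remote 10.22.26.2).
NO_KEYS = {"Tunnel100": ("10.22.26.1", "10.22.26.2", None),
           "Tunnel101": ("10.22.26.1", "10.22.26.2", None)}
WITH_KEYS = {"Tunnel100": ("10.22.26.1", "10.22.26.2", 2),
             "Tunnel101": ("10.22.26.1", "10.22.26.2", 3)}

if __name__ == "__main__":
    print(classify(NO_KEYS, "10.22.26.2", "10.22.26.1", build_gre(b"hello")))
    print(classify(WITH_KEYS, "10.22.26.2", "10.22.26.1", build_gre(b"hello", key=3)))
```

The key is a plain 32-bit field in the GRE header: it tells tunnels apart but does not authenticate or encrypt anything, which is why the draft quoted above discusses it together with IPsec.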

R1 (configuration changes):
!
hostname R1
!
no ip domain lookup
!
interface Tunnel100
ip address 10.22.26.130 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.2
tunnel key 2
!
interface Tunnel101
ip address 10.22.26.134 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.2
tunnel key 3
!
interface Ethernet1/0
ip address 10.22.26.1 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.8.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
logging synchronous
!

R2 (configuration changes):
!
hostname R2
!
no ip domain lookup
!
interface Tunnel100
ip address 10.22.26.129 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.1
tunnel key 2
!
interface Tunnel101
ip address 10.22.26.133 255.255.255.252
ip ospf cost 10
keepalive 10 3
tunnel source Ethernet1/0
tunnel destination 10.22.26.1
tunnel key 3
!
interface Ethernet1/0
ip address 10.22.26.2 255.255.255.224
!
interface Ethernet1/1
ip address 10.22.9.1 255.255.255.0
!
router ospf 1
network 0.0.0.0 255.255.255.255 area 0
!
line con 0
logging synchronous
!

Verification:

R1#sh ip route
Gateway of last resort is not set
10.22.0.0/16 is variably subnetted, 9 subnets, 4 masks
C 10.22.8.0/24 is directly connected, Ethernet1/1
L 10.22.8.1/32 is directly connected, Ethernet1/1
O 10.22.9.0/24 [110/20] via 10.22.26.133, 00:03:58, Tunnel101
                            [110/20] via 10.22.26.129, 00:03:00, Tunnel100
                            [110/20] via 10.22.26.2, 00:28:49, Ethernet1/0
C 10.22.26.0/27 is directly connected, Ethernet1/0
L 10.22.26.1/32 is directly connected, Ethernet1/0
C 10.22.26.128/30 is directly connected, Tunnel100
L 10.22.26.130/32 is directly connected, Tunnel100
C 10.22.26.132/30 is directly connected, Tunnel101
L 10.22.26.134/32 is directly connected, Tunnel101
R1#sh ip ospf interface brief
Interface PID Area IP Address/Mask Cost State Nbrs F/C
Tu101 1 0 10.22.26.134/30 10 P2P 1/1
Tu100 1 0 10.22.26.130/30 10 P2P 1/1
Et1/0 1 0 10.22.26.1/27 10 DR 1/1
Et1/1 1 0 10.22.8.1/24 10 DR 0/0

3rd solution:
Create subinterfaces on the physical interface.
I am not going to test it, but it works!

The best one seems to be the tunnel key!!!
