CCIE Routing & Switching v5 Workbook -
CCIE R&S v5 Advanced Technology Labs - IP Routing
GRE Reliable Backup Interface
You must load the initial configuration files for the section, Basic IP
Addressing, which can be found in
. Reference the Advanced Technology Labs
With Addressing Diagram to complete this task.
Task
Configure two GRE tunnels between R4 and R5 as follows:
Tunnel45 with IPv4 addresses 155.45.0.Y/24, where Y is the router number,
sourced from VLAN 45 Ethernet link.
Tunnel100 with IPv4 addresses 155.100.0.Y/24, where Y is the router
number, sourced from VLAN 100 Ethernet link.
Configure IPv4 static routes on R5 for R4’s Loopback0 interface via both the DMVPN
cloud and Tunnel45.
Configure IPv4 static routes on R4 for R5’s Loopback0 interface via both the DMVPN
cloud and Tunnel45.
The static routes on R4 and R5 via the DMVPN cloud should have a higher
administrative distance than those on Tunnel45.
Configure the backup interface feature on R4 and R5 so that if Tunnel100 goes
down, Tunnel45 is activated.
Tunnel100 state should be determined through GRE keepalives.
To verify this configuration, ensure that traffic between the Loopback0 prefixes of R4 and
R5 is routed out the DMVPN cloud:
If R4’s VLAN 100 interface is disabled, traffic is rerouted out on Tunnel45.
Configuration
R4:
interface Tunnel45
 ip address 155.45.0.4 255.255.255.0
 tunnel mode gre ip
 tunnel source 155.1.45.4
 tunnel destination 155.1.45.5
!
interface Tunnel100
 ip address 155.100.0.4 255.255.255.0
 tunnel mode gre ip
 tunnel source 169.254.100.4
 tunnel destination 169.254.100.5
 keepalive 1 3
 backup interface Tunnel45
!
ip route 150.1.5.5 255.255.255.255 Tunnel45 10
ip route 150.1.5.5 255.255.255.255 155.1.0.5 20

R5:
interface Tunnel45
 ip address 155.45.0.5 255.255.255.0
 tunnel mode gre ip
 tunnel source 155.1.45.5
 tunnel destination 155.1.45.4
!
interface Tunnel100
 ip address 155.100.0.5 255.255.255.0
 tunnel mode gre ip
 tunnel source 169.254.100.5
 tunnel destination 169.254.100.4
 keepalive 1 3
 backup interface Tunnel45
!
ip route 150.1.4.4 255.255.255.255 Tunnel45 10
ip route 150.1.4.4 255.255.255.255 155.1.0.4 20
Verification
By default, the state of a point-to-point GRE interface is determined by routing
availability for the tunnel destination. Therefore, as long as the router has a route for
the tunnel destination, the tunnel interface state will be UP. This, however, does not
account for possible transit problems or for devices filtering GRE, which is IP protocol
number 47. To fix the problem, GRE keepalives can be enabled on point-to-point
GRE tunnels. GRE keepalives are implemented in such a way that they can be enabled
on one side of the tunnel only, which means only that side can track end-to-end
GRE connectivity between the tunnel endpoints and update the GRE interface
status accordingly. GRE keepalives are enabled with the interface-level command
keepalive <interval> <number_of_retries>, with interval defining the frequency in
seconds for sending keepalives and retries defining the maximum number of
keepalives sent after the first failed keepalive before the tunnel interface state
changes to DOWN. So with the configuration keepalive 1 3, the router will send a GRE
keepalive every 1 second; upon the first failed keepalive it will send an additional 3
keepalives, and if all fail, the interface goes into the DOWN state.
The state of multipoint GRE tunnel interfaces, such as those used in DMVPN
scenarios, cannot be monitored through GRE keepalives, because there is no single
destination for the tunnel. The mGRE tunnel interface is always in the UP state. In
DMVPN setups, the state of the spoke mGRE tunnel interface can be determined by
whether the spoke is able to successfully register to the hub via NHRP, if the
if-state nhrp interface-level command is configured, but this is not possible for the
hub, so the hub interface is always in the UP state.
The design problem in this case is that R4 and R5 cannot actively determine
whether the DMVPN path is still functional. Based on the NHRP entries and possibly
IPsec state if configured with DMVPN, both hub and spokes will know if there is
hub-to-spoke connectivity or not. However, this does not affect the mGRE interface,
which is always in the UP state; and if static routing is configured over DMVPN, this
may result in traffic blackholing. If dynamic routing is used over the DMVPN cloud and
problems appear in the transit path, this will trigger the routing protocol to converge
over alternate paths if available.
In this case, the problem is fixed through the use of backup interface functionality.
The point-to-point GRE Tunnel100 interface uses the same source and destination
IPv4 addresses as the DMVPN network between R4 and R5. By implementing GRE
keepalives, any problems in the transit path that may affect the DMVPN network will
be detected by Tunnel100 and cause the interface status to go DOWN. When the
Tunnel100 interface goes DOWN, this will trigger the backup interface, which is
Tunnel45, to go UP, which also activates the static route configured over Tunnel45.
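The failover chain described above, as an added example that is not part of the original workbook: a small Python model of R5 that counts missed keepalives the way the text describes `keepalive 1 3`, toggles the backup interface, and picks the static route with the lowest administrative distance among usable interfaces. The names `simulate`, `ROUTES` and `REPLIES` are hypothetical, the reply sequence is constructed, and the DMVPN next hop 155.1.0.4 is modelled as depending on Tunnel0.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRoute:
    via: str       # interface the route depends on
    distance: int  # administrative distance

# R5's two static routes for 150.1.4.4/32; the DMVPN next hop 155.1.0.4
# is modelled as depending on Tunnel0 (a simplification for this example).
ROUTES = [StaticRoute("Tunnel45", 10), StaticRoute("Tunnel0", 20)]

def simulate(replies, backup_enabled=True, retries=3):
    """replies: one bool per keepalive interval (True = reply came back).
    Returns (exit interface per interval, intervals spent blackholing)."""
    failed, exits, blackholed = 0, [], 0
    for answered in replies:
        failed = 0 if answered else failed + 1
        # As the text describes it: the first miss plus `retries` more must all fail.
        tunnel100_up = failed <= retries
        up = {
            "Tunnel0": True,  # mGRE interface: always UP, whatever the path does
            # Backup interface: held in standby until the primary goes DOWN.
            "Tunnel45": backup_enabled and not tunnel100_up,
        }
        best = min((r for r in ROUTES if up[r.via]), key=lambda r: r.distance)
        exits.append(best.via)
        # Traffic is lost when it still leaves via DMVPN while the path is dead.
        blackholed += int(best.via == "Tunnel0" and not answered)
    return exits, blackholed

# Constructed scenario: two healthy intervals, five with the transit path
# broken, then recovery.
REPLIES = [True, True] + [False] * 5 + [True]

if __name__ == "__main__":
    print("with backup interface:", simulate(REPLIES))
    print("static route over mGRE only:", simulate(REPLIES, backup_enabled=False))
```

In this model the monitored design still loses the intervals it takes for the keepalive counter to expire, while the unmonitored static route keeps forwarding into the dead path for the whole outage.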
Verify that the backup interface is correctly configured, and Tunnel45 waits for
Tunnel100 to go DOWN to become active.
R5#show backup
Primary Interface          Secondary Interface        Status
-------------------------  -------------------------  ------
Tunnel100                  Tunnel45                   normal operation
!
R5#sho ip interface brief | i Tunnel
Tunnel0                155.1.0.5       YES manual up                    up
Tunnel45               155.45.0.5      YES manual standby mode          down
Tunnel100              155.100.0.5     YES manual up                    up
!
R4#show backup
Primary Interface          Secondary Interface        Status
-------------------------  -------------------------  ------
Tunnel100                  Tunnel45                   normal operation
!
R4#sho ip interface brief | i Tunnel
Tunnel0                155.1.0.4       YES manual up                    up
Tunnel45               155.45.0.4      YES manual standby mode          down
Tunnel100              155.100.0.4     YES manual up                    up
Verify that traffic for Loopback0 is primarily routed over DMVPN cloud.
R5#show ip route 150.1.4.4
Routing entry for 150.1.4.4/32
  Known via "static", distance 20, metric 0 (connected)
  Routing Descriptor Blocks:
  * 155.1.0.4
      Route metric is 0, traffic share count is 1
!
R5#ping 150.1.4.4 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/6 ms
!
R5#traceroute 150.1.4.4 source loopback0
Type escape sequence to abort.
Tracing the route to 150.1.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.0.4 7 msec * 8 msec
Enable debugging on R5 and disable R4’s VLAN 100 interface; note that Tunnel45
is activated.
R5#debug backup
Backup events debugging is on
!
R4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#interface gigabitEthernet1.100
R4(config-subif)#shutdown
!
R5#
BACKUP(Tunnel100): event = primary interface went down
BACKUP(Tunnel100): changed state to "waiting to backup"
BACKUP(Tunnel100): event = timer expired on primary
BACKUP(Tunnel100): secondary interface (Tunnel45) made active
BACKUP(Tunnel100): changed state to "backup mode"
!
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel45, changed state to up
BACKUP(Tunnel45): event = secondary interface came up
%LINK-3-UPDOWN: Interface Tunnel45, changed state to up
Verify that the backup interface is now active.
R5#show backup
Primary Interface          Secondary Interface        Status
-------------------------  -------------------------  ------
Tunnel100                  Tunnel45                   backup mode
!
R5#sho ip interface brief | i Tunnel
Tunnel0                155.1.0.5       YES manual up                    up
Tunnel45               155.45.0.5      YES manual up                    up
Tunnel100              155.100.0.5     YES manual up                    down
Verify that traffic between the Loopback0 prefixes is now routed over GRE Tunnel45; although
both the DMVPN and Tunnel45 interfaces are active, the static route via Tunnel45 is
preferred due to its lower administrative distance.
R5#show ip route 150.1.4.4
Routing entry for 150.1.4.4/32
  Known via "static", distance 10, metric 0 (connected)
  Routing Descriptor Blocks:
  * directly connected, via Tunnel45
      Route metric is 0, traffic share count is 1
!
R5#show ip static route
Codes: M - Manual static, A - AAA download, N - IP NAT, D - DHCP,
G - GPRS, V - Crypto VPN, C - CASA, P - Channel interface processor,
B - BootP, S - Service selection gateway
DN - Default Network, T - Tracking object
L - TL1, E - OER, I - iEdge
D1 - Dot1x Vlan Network, K - MWAM Route
PP - PPP default route, MR - MRIPv6, SS - SSLVPN
H - IPe Host, ID - IPe Domain Broadcast
U - User GPRS, TE - MPLS Traffic-eng, LI - LIIN
IR - ICMP Redirect
Codes in []: A - active, N - non-active, B - BFD-tracked, D - Not Tracked, P - permanent
Static local RIB for default
M  150.1.4.4/32 [10/0] via Tunnel45 [A]
M               [20/0] via 155.1.0.4 [N]
!
R5#ping 150.1.4.4 source loopback0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.4.4, timeout is 2 seconds:
Packet sent with a source address of 150.1.5.5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
!
R5#traceroute 150.1.4.4 source loopback0
Type escape sequence to abort.
Tracing the route to 150.1.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 155.45.0.4 5 msec * 2 msec
When R4’s VLAN 100 interface is re-enabled, Tunnel100 interface is re-activated as
GRE keepalives are functional and all traffic is re-routed over the DMVPN cloud.
R4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#interface gigabitEthernet1.100
R4(config-subif)#no shutdown
!
R5#show backup
Primary Interface          Secondary Interface        Status
-------------------------  -------------------------  ------
Tunnel100                  Tunnel45                   normal operation
!
R5#show ip route 150.1.4.4
Routing entry for 150.1.4.4/32
  Known via "static", distance 20, metric 0 (connected)
  Routing Descriptor Blocks:
  * 155.1.0.4
      Route metric is 0, traffic share count is 1
!
R5#traceroute 150.1.4.4 source loopback0
Type escape sequence to abort.
Tracing the route to 150.1.4.4
VRF info: (vrf in name/id, vrf out name/id)
  1 155.1.0.4 3 msec * 4 msec
Verify that GRE tunnel keepalives are enabled on Tunnel100.
R5#show interfaces tunnel100
Tunnel100 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 155.100.0.5/24
  Backup interface Tunnel45, failure delay 0 sec, secondary disable delay 0 sec,
  kickin load not set, kickout load not set
  MTU 17868 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (1 sec), retries 3
  Tunnel source 169.254.100.5, destination 169.254.100.4
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255, Fast tunneling enabled
  Tunnel transport MTU 1476 bytes
!
R5#debug tunnel keepalive
Tunnel keepalive debugging is on
!
Tunnel100: sending keepalive, 169.254.100.4->169.254.100.5 (len=24 ttl=255), counter=1
Tunnel100: keepalive received, 169.254.100.4->169.254.100.5 (len=24 ttl=253), resetting counter
Tunnel100: sending keepalive, 169.254.100.4->169.254.100.5 (len=24 ttl=255), counter=1
Tunnel100: keepalive received, 169.254.100.4->169.254.100.5 (len=24 ttl=253), resetting counter
Tunnel100: sending keepalive, 169.254.100.4->169.254.100.5 (len=24 ttl=255), counter=1
Tunnel100: keepalive received, 169.254.100.4->169.254.100.5 (len=24 ttl=253), resetting counter