Is bridging supported on GRE tunneled interfaces?

Status
Not open for further replies.

NinjaTurtle777

Technical User
Oct 16, 2008
US
I have one 2611 that has the Serial 0/0, Serial 0/1 and FastEthernet 0/0 interfaces as part of a bridge group. I need to add FastEthernet 0/1 into this bridge group. Not a problem. I also need the FastEthernet 0/1 to act as a GRE tunnel interface. Can I do this? Or do I need another router to accomplish the tunneling?

Thanks!!!!!
 
GRE interfaces are software based. Do you want the GRE to bridge or the fastE interface to bridge?
 
Thanks for the reply. I need to push Distributed Interactive Simulation (DIS) broadcast across some Layer 3 devices (TACLANE units), across a WAN, back to another TACLANE and finally to a router that I can bridge to other devices. The DIS protocol uses UDP broadcasts. So I have to turn my routers into bridges to forward the broadcast. Not a big deal. In the past we have used Layer 2 CSUs and encryption units to pass the data along. Layer 3 devices will do nothing with a UDP broadcast. So, I have to use a GRE tunnel to encapsulate the broadcast into a Layer 3 wrapper. On my 2611 router I have bridge group 1. The serial 0/0, serial 0/1, fastethernet 0/0 and fastethernet 0/1 interfaces are part of this bridge group. Can I make the fastethernet 0/1 interface the local end of a GRE tunnel even though it is part of the bridge group? (ip tunnel add tunnelname mode gre remote xxx.xxx.xxx.xxx local xxx.xxx.xxx.xxx ttl 255)


Thanks a lot.
 
Depending on what version of IOS you're running now, Cisco doesn't support bridging over GRE anymore if I remember correctly. What you could do is use multicast.

Refer to this doco below



This lets you join broadcast segments using multicast. Much better than bridging.


BuckWeet
 
Hi NinjaTurtle,

Hey, did you ever figure out how to get your DIS app through the TACLANE?
I've done a lot of work with TACLANEs and am curious if you found a solution.
I've GRE tunneled through TACLANEs to facilitate multicast video traffic but I've never had to attempt pushing broadcast traffic through a TACLANE.
Here is an interesting article on UDP Broadcast Flooding,
Curiously,

Jimi
 
Jimi:

I need a little help with GRE tunnels. My end goal is to push DIS UDP broadcasts and other TCP traffic from LAN A to LAN B. I need to push these broadcasts across some layer 3 encryption devices. So, I need to encapsulate the layer 2 UDP DIS broadcasts in a Layer 3 wrapper. This way I can route them across the Layer 3 devices on both ends. Bridge Router A receives DIS broadcasts from its serial interfaces (s0/0, s0/1) and from a local fe0/0 interface (LAN A). These are the broadcasts that I need to push to LAN B. These interfaces on Bridge Router A are part of bridge group 1. I need to add the other fe0/1 interface to bridge group 1; this way fe0/1 can receive the DIS broadcasts. I then need to connect fe0/1 on Bridge Router A to the fe0/0 interface on GRE Router A. The fe0/1 interface on Bridge Router A will forward DIS broadcasts to the fe0/0 interface on GRE Router A. No problem so far. Now the reason why I have a separate bridge and GRE router is that you cannot (at least I was told) establish a GRE tunnel on a bridged interface.

So, right now I have some broadcast hitting the fe0/0 interface on the GRE router. This router will do nothing with the broadcast unless I create a GRE tunnel from GRE Router A to GRE Router B. The connection between the Layer 3 encryption devices is already established and working.

Here are the conceptual IPs:

Bridged Router A:

Fe0/0: 10.10.1.1/24
Fe0/1: 10.10.2.1/24

GRE Router A

Fe0/0: 10.10.2.2/24
Fe0/1: 10.10.3.1/24

GRE Router B

Fe0/0: 10.10.7.1/24
Fe0/1: 10.10.8.1/24

Bridged Router B:

Fe0/0: 10.10.8.2/24
Fe0/1: 10.10.9.1/24

Here is a little diagram:

LANA--SwA--(fe0/0)BridgeRouterA(fe0/1)--(fe0/0)GRERouterA(fe0/1)--L3Device--WAN--L3Device--(fe0/0)GRERouterB(fe0/1)--(fe0/0)BridgeRouterB(fe0/1)--SwB--LANB

So, I need to create a tunnel so that any broadcasts that hit 10.10.2.2 are sent to 10.10.8.1 and then to 10.10.8.2. I have seen GRE tunnel examples done different ways.

On GRE Router A can I:

ip tunnel add tunnel0 mode gre remote 10.10.7.1 local 10.10.3.1 ttl 255
ip link set tunnel0 up
ip addr add 10.10.2.2 dev tunnel0
ip route add 10.10.8.1/24 dev tunnel0

Then on GRE Router B:

ip tunnel add tunnel1 mode gre remote 10.10.3.1 local 10.10.7.1 ttl 255
ip link set tunnel1 up
ip addr add 10.10.8.1 dev tunnel1
ip route add 10.10.2.2/24 dev tunnel1

Will this Work???

Thank you.....
 
Well, it should work as far as tunneling goes but... the question is can you bridge across a tunnel.

I see two options for tunnelling, GRE-Router to GRE-Router or Bridge-Router to Bridge-Router.
If you go Bridge-Router to Bridge-Router you'll need to make sure you have the necessary routes in your TACLANEs.

Keep in mind the tunnel interfaces require unique IP addresses just as if they were a physical interface. I usually use a /30 on each end.

The big question is can you bridge tunnel interfaces? I really don't know.
If you have a lab you can give it a try eh?

One thing I'm confused about, you say, "So, I need to encapsulate the layer 2 UDP DIS broadcasts in a Layer 3 wrapper."
Is it an L2 (ethernet broadcast) or an L3 (UDP) broadcast? Quite different and if it's L2 you might want to consider EtherIP tunnelling, but as with GRE I'm not sure if you can get broadcasts across the tunnel.

Sorry I can't give you a definitive answer but it looks like you are on the right track.

Jimi
 
You bring up a great point. To be honest I do not know if it is a Layer 2 Ethernet broadcast or a Layer 3 IP broadcast. I do not even have the equipment to set up a lab and test with yet. I have to do this all on paper. I should not mix my terminology up. Layer 2 = ff.ff.ff.ff.ff.ff and layer 3 = 255.255.255.255.

I do know someone who deals with DIS and I hope he has a saved capture of the DIS traffic. This will help me out a lot.

As far as the GRE tunnel using a bridged interface……all my research says that you cannot do it. I cannot modify my bridged router. This router forwards/receives DIS traffic to/from other locations. I have one free FE interface (well, I can always install more). I was going to make this free interface part of the bridge group on the bridged router. I was then going to attach this interface to my “GRE Router” and start the tunnel from there. This way the GRE tunnel is not part of a bridged interface.

I did read a paper from the Naval Postgraduate School that stated:

“IP broadcast, which is commonly used in DIS environments, cannot be used over the Internet unless it is encapsulated.”


So, an IP broadcast would still have to be encapsulated to be routed across TACLANE units, right? The TACLANE units would use the GRE tunnel’s local/remote IP address for routing….

Does this make sense, or am I way off base…..
 
I was given authorization to put Wireshark on the network. I ran a mini DIS simulation exercise with the remote end.

DIS does use Layer 3 IP broadcast. The broadcasts are sent to all nodes on a Class C network. So, the Src = 10.10.10.37 and the Dst = 154.16.32.255

I should have done this before I started posting, newbie mistake.

According to my research, I still need to encapsulate it.

I did find a little snippet of info that mentioned that tunneling is used for DIS, but no details were given.
 
Very good, I love Wireshark.
That makes sense, subnet broadcast, otherwise known as "ip directed-broadcast".

Newer IOS versions disable directed-broadcasts by default. I believe you have to turn it on per interface, but, again I'm not sure if you can enable it on a GRE interface.
If I had a lab I'd test it out for you but I'm not working currently. I had an awesome lab at my last job working with the military but I had to take a break.

As you know, for your GRE tunnels you would need to configure a source and destination tunnel address on each router. I usually configured the source/destination as the interfaces directly connected to the TACLANE on either end. So for your GRE-A router the source tunnel address would be FE0/1 destined for GRE-B router interface FE0/0. For GRE-B router the source tunnel address would be FE0/0 destined for GRE-A router interface FE0/1. And as I mentioned previously the GRE tunnel interface has a unique IP address just like any other interface. Your TACLANEs of course need to have routes to each router's directly connected interfaces but as they are directly connected they should already be configured on the TACLANEs. The TACLANEs would not need routes for other subnets as the packets will be encapsulated with a GRE header which makes up the tunnel.

I suspect you will also need to turn on directed broadcasts on the interfaces between the Bridge-Routers and the GRE-Routers.

Oh yeah, and don't forget, the GRE Routers need to have some sort of routing information specifying the remote subnets are reachable through the GRE tunnels.
Static routes will work but you can also run a routing protocol through GRE tunnels as well. I've run EIGRP through GRE tunnels through TACLANEs in other scenarios.
I specifically used GRE-through-TACLANEs as a method of passing multicast through a TACLANE without having to go through the hassle of setting up the TACLANE for multicast.
(A real pain if you haven't already had to do it.)

Thanks for letting me brainstorm with you on this. It's a great exercise and an intriguing issue. If you don't mind keep me posted on your progress. I will be going back to work soon and may be faced with a similar issue.

Hope my long reply helps, if you need clarification on any point let me know.

Good luck,

Jimi
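An added example (not part of the original posts) of the broadcast distinction worked out above: how a router treats a destination depends on whether it is the limited broadcast, a directed broadcast for a subnet attached to that router, or a directed broadcast for a subnet it is not attached to. The /24 mask for 154.16.32.255, the `LAST_HOP` interface list and the action names are assumptions made for illustration.

```python
import ipaddress

LIMITED = ipaddress.ip_address("255.255.255.255")

def classify(dst, attached):
    """Classify dst as seen by a router attached to the `attached` subnets."""
    addr = ipaddress.ip_address(dst)
    if addr == LIMITED:
        return "limited-broadcast"
    if addr.is_multicast:
        return "multicast"
    for net in map(ipaddress.ip_network, attached):
        # /31 and /32 networks have no broadcast address
        if net.prefixlen < 31 and addr == net.broadcast_address:
            return "directed-broadcast"
    # A directed broadcast for a subnet that is not attached here
    # is indistinguishable from unicast and is simply routed.
    return "unicast"

def router_action(dst, attached, directed_broadcast_enabled=False):
    """What a router does with the packet; the flag models 'ip directed-broadcast'."""
    kind = classify(dst, attached)
    if kind == "limited-broadcast":
        return "local-only"                 # never leaves the receiving segment
    if kind == "multicast":
        return "needs-multicast-routing"
    if kind == "directed-broadcast":
        return "flood-to-subnet" if directed_broadcast_enabled else "drop"
    return "route"

# Destination from the Wireshark capture in the thread; mask assumed to be /24.
CAPTURED_DST = "154.16.32.255"
GRE_ROUTER_A = ["10.10.2.0/24", "10.10.3.0/24"]    # conceptual addresses from the thread
LAST_HOP = ["10.10.8.0/24", "154.16.32.0/24"]      # assumption: router attached to the target LAN

if __name__ == "__main__":
    print("GRE Router A:", router_action(CAPTURED_DST, GRE_ROUTER_A))
    print("last hop, feature off:", router_action(CAPTURED_DST, LAST_HOP))
    print("last hop, feature on:", router_action(CAPTURED_DST, LAST_HOP, True))
    print("255.255.255.255:", router_action("255.255.255.255", GRE_ROUTER_A, True))
```

Only the router attached to the target subnet ever needs the directed-broadcast setting; every hop before it forwards the packet as ordinary unicast.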
 
Sorry, I wasn't paying attention, looks like you already have your GRE tunnel up between sites.

You are not "off-base", actually it looks like you are quite close to making it work.

You might consider the "ip directed-broadcast" function and see if it fits your needs.

I read up a little on DIS but haven't found a lot of technical detail.
I did read that there were other methods of passing data, other than broadcasts. I suspect there is a multicast option? Might be worth looking into.

Jimi
 
Actually it is just a conceptual configuration, since I don’t have the equipment yet. I really wish I had a lab to play with rather than just doing a paper technical solution. The GRE configuration that I wrote up is how I thought the tunnels should be set up. Now, I have never done this before so I might be way off base. You mentioned that you start and terminate your GRE tunnels on the router interface that is connected to the TACLANE unit's PT interface, right? So, in order for me to “get” the packets to the start of the tunnel from the interface that is connected to the bridged router (Bolded Part):

LANA--SwA--(fe0/0)BridgeRouterA(fe0/1)?(fe0/0)GRERouterA(fe0/1)--L3Device--WAN--L3Device--(fe0/0)GRERouterB(fe0/1)--(fe0/0)BridgeRouterB(fe0/1)--SwB--LANB

I need to either:

1. Create a default route ( ip route 0.0.0.0 0.0.0.0 fe0/1 ) on GRE Router A
2. Make fe0/1 part of the same broadcast domain as fe0/0 on the GRE Router A

Now as far as the other way:

LANA--SwA--(fe0/0)BridgeRouterA(fe0/1)? (fe0/0)GRERouterA(fe0/1)--L3Device--WAN--L3Device--(fe0/0)GRERouterB(fe0/1)--(fe0/0)BridgeRouterB(fe0/1)--SwB--LANB

That is easy, the GRE tunnel terminates at fe0/1 on the GRE Router and after this the packet will have its original IP broadcast header. Fe0/0 on GRE Router A is part of that broadcast domain, so the broadcast packet should make it to LAN A after the GRE tunnel terminates.

Does that make sense???
 
Darn:

I did a cut and paste from Word and none of the bolded text or arrows showed up.

I wish this forum would support images…..

Anyway, I need to “get” the broadcast packets from GRE RouterA fe0/0 to the GRE tunnel, which starts at GRE RouterA fe 0/1. GRE RouterA fe0/0 is already part of the broadcast domain. So, in order to route these packets to the tunnel I have to either:

1. Create a default route ( ip route 0.0.0.0 0.0.0.0 fe0/1 ) on GRE Router A
2. Make fe0/1 part of the same broadcast domain as fe0/0 on the GRE Router A

And the same for the other end….


Will this work?


 
Yeah, I think that will work but on your GRE routers you need two different route statements.
For example:
On GRE-A a specific route points to the PT of your TL to reach the GRE-B router FE0/0 interface. You need this route to build the GRE Tunnel from GRE-A to GRE-B.
Then of course you do the same on the GRE-B side pointing to GRE-A, interface FE0/1.
Next you have to route your subnets through the tunnel interface. Just treat the tunnel interface like any ordinary physical interface and either configure static routes or run a routing protocol through the tunnel.

I've only configured GRE tunnels on 2800 and 7200 routers so I'm not sure if this config would be the same as on your 2611s but you can verify against the Cisco website easy enough. Here is a typical tunnel interface config:
interface tunnel1
 ip address 1.1.1.1 255.255.255.252
 ! for example, this would be your GRE-A router interface connected to the TL
 tunnel source 10.x.x.x
 ! and this would be GRE-B interface FE0/0
 tunnel destination 20.x.x.x
Of course, you would do the exact opposite on the GRE-B router using 1.1.1.2/30 for the tunnel interface ip address.

Hope I'm not going over details that you already know.

Now you have to route traffic through interface tunnel1 tunnel. Although, in your situation, it might be enough to use the ip directed-broadcast command on the tunnel interface as you are only attempting to transport DIS UDP broadcast and not normal unicast traffic. You'll also probably need to use the ip directed-broadcast on the interface that connects the GRE routers to the Bridge routers. Unless adding the interface to the Bridge group is working. Not sure about that particular detail as I don't have any experience with bridging through a router.

Once the GRE Tunnel is up it's easy to route traffic through the tunnel, including multicast, but I'm still unable to find any information that specifically indicates that a GRE tunnel can process broadcasts.

It's funny, when I search Google for broadcasts through GRE tunnels I keep coming up with your original request as posted on Tek-Tips and some other forum.

One thing you have to keep in mind when using GRE tunnels through the TL is the packet size increases. GRE adds a new header onto the original IP packet resulting in increased packet size. I believe the GRE header adds an extra 24 bytes; 16 bytes of new source and destination IPs and 4 bytes for the GRE header.

I don't know how large the DIS packets are, maybe not big enough to worry about, but if there is a problem you can tweak the TACLANE around the MTU size if needed.

If you can configure the ip directed-broadcast command on a tunnel interface I don't see why this shouldn't work.

I really wish I was back in my lab, I'd set this up to see if it works. I'm dying to know...[ponder]

Good luck and let me know how it works out,

Jimi
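An added example (not code from the thread) of the encapsulation discussed above: the broadcast-addressed inner packet is wrapped in a base GRE header and an outer IPv4 header whose destination is the unicast tunnel endpoint, which is all the Layer 3 devices in the path see. The addresses come from the posts; UDP port 3000, the payload bytes and the helper names are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def checksum(data):
    """RFC 1071 Internet checksum over an even-length header."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """20-byte IPv4 header without options, checksum filled in."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum/key/sequence, version 0
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(outer):
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != GRE_PROTO:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]

def dst_of(packet):
    return socket.inet_ntoa(packet[16:20])

def build_sample():
    payload = b"constructed DIS PDU bytes"   # constructed, not a real PDU
    udp = struct.pack("!HHHH", 3000, 3000, 8 + len(payload), 0) + payload
    inner = ipv4_header("10.10.10.37", "154.16.32.255", 17, len(udp), ttl=64) + udp
    return inner, gre_encapsulate(inner, "10.10.3.1", "10.10.7.1")

if __name__ == "__main__":
    inner, outer = build_sample()
    overhead = len(outer) - len(inner)
    print("inner dst:", dst_of(inner), "| outer dst:", dst_of(outer))
    print("overhead:", overhead, "bytes; payload MTU on a 1500-byte link:", 1500 - overhead)
```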
 