For feedback and comments:
documentation.feedback@alcatel-lucent.com

Table of Contents Previous Next Index PDF


IP/GRE Termination
In This Chapter
This section describes advanced IP/GRE termination configurations.
Topics in this section include:
 
 
Applicability
This note is applicable only to 7750 SR-7 and SR-12 systems and was tested on release 9.0R8. IP/GRE tunnel termination requires an MS-ISA equipped on IOM2-20g or IOM3-XP. IP/GRE is not supported in a 7450 ESS (even with mixed mode) or 7710 SR chassis. Also it is not supported by the MS-ISA-E (the non-encrypted version of the MS-ISA).
Note: The following syntax changes were introduced in release 10.0R8 with the support for IP-in-IP tunneling:
1.
               interface "int-gre-tunnel" tunnel create
                   sap tunnel-1.private:1 create
                       gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
 
From 10.0R8 onward, the gre-tunnel parameter has been replaced by the ip-tunnel parameter together with a sub-parameter gre-header to identify this to be a GRE tunnel. In addition, the to ip-address parameter has been deprecated and replaced with the sub-parameter dest-ip.
The above configuration becomes:
                      interface "int-gre-tunnel" tunnel create
                         sap tunnel-1.private:1 create
                             ip-tunnel "gre-tunnel-1" create
                                 dest-ip 10.0.0.2
                                 gre-header
 
2.
The show gre tunnel command has been replaced by the show ip tunnel command.
Summary
The 7x50 previously only supported GRE SDP tunnels which use pseudowire encapsulation. Starting with SR-OS 8.0R5, the 7750 SR-7 and SR-12 support tunneling IPv4 packets in an IPv4 GRE tunnel. A common use case is remote access to a VPRN over a public IP network because IP/GRE tunneling allows encapsulated packets to follow a path based on the outer IP header which is useful when the inner IP packet cannot or should not be forwarded natively over this path.
This section provides configuration and troubleshooting commands for IP/GRE termination.
Overview
Generic Routing Encapsulation (GRE) allows packets of one protocol, the payload protocol, to be encapsulated by packets of another protocol called the delivery protocol. A GRE packet has an Outer Delivery Header, GRE Header and Payload Packet (Figure 230).
Figure 230: GRE Packet Format
The following information discusses the outer delivery and GRE header for outgoing traffic.
 
 
The following information discusses the outer delivery and GRE header for incoming traffic:
 
7750 SR-12/SR-7 Implementation
Encapsulation, de-encapsulation and other datapath operations related to IP/GRE are handled by the isa-tunnel MDA.
Note that for GRE tunnels configured as SDPs (which are not covered by this section), no isa-tunnel MDA is required.
Figure 231: 7x50 Implementation
From SR-OS 8.0R5, the 7750 SR-7 and SR-12 supports the IP/GRE tunnels with static routes and BGP only. IPv6, BFD, OSPF, IS-IS, RIP and multicast are not supported.
From SR-OS 9.0R1, IP/GRE tunnels have been enhanced by adding the support of OSPFv2 and BFD on private tunnel interfaces (used with static routes, OSPFv2 or BGP) and GRE protection by tunneling into an IPSec tunnel.
Figure 232: IP/GRE over IPSec Tunnel
 
Configuration
 
Tunnel ISA MDA
From SR-OS 8.0 R5, the isa-tunnel MDA supports IP/GRE and IPSec tunnels.
*A:PE-1#configure card 1 mda 1 mda-type "isa-tunnel"
To check the MDA configuration:
*A:PE-1# show mda 
=========================================================
MDA Summary
=========================================================
Slot  Mda   Provisioned   Equipped   Admin    Operational
            Mda-type      Mda-type   State    State      
---------------------------------------------------------
snip-
 1     2     isa-tunnel      isa-ms     up       up 
 
 
Tunnel Groups and Tunnel Group Restrictions
The first step of the GRE tunnel configuration is to configure a tunnel-group.
*A:PE-1# configure isa tunnel-group ?
  - tunnel-group <tunnel-group-id> [create]
  - no tunnel-group <tunnel-group-id>
 
 <tunnel-group-id>    : [1..16]
 <create>             : keyword - mandatory while creating an entry.
 
Chassis-mode B or higher is required.
*A:PE-11# configure isa tunnel-group 1 create 
MINOR: IPSECGRPMGR #1008 Chassis mode B or higher is required
A tunnel group can have one tunnel-ISA designated primary and optionally one tunnel-ISA designated backup. When a GRE tunnel is created it is assigned to the primary tunnel-ISA in its tunnel group. If the primary tunnel-ISA fails, the backup tunnel-ISA (if not already claimed by another tunnel-group) takes over for the failed card.
*A:PE-1>config>isa>tunnel-grp# 
 [no] backup          - Configure ISA-Tunnel-Group backup ISA
 [no] description     - Configure the ISA group description
 [no] primary         - Configure ISA-Tunnel-Group primary ISA
 [no] shutdown        - Administratively enable/disable an ISA-Tunnel-Group
 
A:PE-1>config>isa# info 
----------------------------------------------
        tunnel-group 1 create
            primary 1/2
            backup 2/1
            no shutdown
        exit
----------------------------------------------
 
The failed tunnels are re-established using a cold-standby on the backup tunnel-ISA (cold standby means the backup tunnel-ISA has no state or configuration information about the tunnels prior to the failure).
A tunnel-ISA cannot be primary for more than one tunnel group.
*A:PE-1>config>isa>tunnel-grp# primary 1/2 
MINOR: IPSECGRPMGR #1003 The specified MDA is primary in another Tunnel Group
A tunnel-ISA cannot be primary in one tunnel group and backup in another tunnel group.
*A:PE-1>config>isa>tunnel-grp# backup 1/2 
MINOR: IPSECGRPMGR #1003 The specified MDA is primary in another Tunnel Group
 
To check the isa tunnel-group:
*A:PE-1# show isa tunnel-group 
============================================================
ISA Tunnel Groups
============================================================
Tunnel    PrimaryIsa   BackupIsa   ActiveIsa  Admin   Oper          
GroupId                                       State   State         
------------------------------------------------------------
1         1/2          2/1         1/2        Up      Up          
 
To check the number of the GRE tunnels:
*A:PE-1# show gre tunnel count 
-----------------------------
GRE Tunnels: 1
 
To check all gre-tunnels:
*A:PE-1# show gre tunnel 
===============================================================================
GRE Tunnels
===============================================================================
TunnelName                       LocalAddress     SvcId       Admn
 SapId                            RemoteAddress    DlvrySvcId  Oper
  To                               Bkup RemAddr     DSCP        Oper Rem Addr
-------------------------------------------------------------------------------
gre-tunnel-1                     192.168.1.1      1           Up
 tunnel-1.private:1               192.168.0.1      2           Up
  10.0.0.2                                          None        192.168.0.1
protected-gre-tunnel             192.168.4.1      3           Up
 tunnel-1.private:5               192.168.3.1      3           Up
  10.0.0.5                                          None        192.168.3.1
-------------------------------------------------------------------------------
GRE Tunnels: 2
===============================================================================
 
To check the detailed tunnel information:
*A:PE-1# show gre tunnel "gre-tunnel-1" 
===============================================================================
GRE Tunnel Configuration Detail
===============================================================================
Service Id       : 1                    Sap Id           : tunnel-1.private:1
Tunnel Name      : gre-tunnel-1
Description      : None
Target Address   : 10.0.0.2             Delivery Service : 2
Admin State      : Up                   Oper State       : Up
Source Address   : 192.168.1.1          Oper Remote Addr : 192.168.0.1
Remote Address   : 192.168.0.1          Backup Address   : 
DSCP             : None                 
Oper Flags       : None
 
===============================================================================
GRE Tunnel Statistics: gre-tunnel-1
===============================================================================
Errors Rx        : 0                    Errors Tx        : 0
Pkts Rx          : 7                    Pkts Tx          : 7
Bytes Rx         : 532                  Bytes Tx         : 364
Key Ignored Rx   : 0                    Too Big Tx       : 0
Seq Ignored Rx   : 0                    
Vers Unsup. Rx   : 0                    
Invalid Chksum Rx: 0                    
Loops Rx         : 0                    
 
 
Interfaces
The interface toward the Internet (or WAN):
The tunnel public interface:
The delivery VPRN/IES service (the service connected to the Internet) must have at least one IP interface associated with a public tunnel SAP in order to receive and process GRE encapsulated packets.
The public tunnel SAP type has the format tunnel-id.private|public:tag (where the id corresponds to the tunnel group) as shown in the following example.
*A:PE-1>config>service>ies>if# sap ?
 
  tunnel-id      - tunnel-<id>.<private|public>:<tag>
 
*A:PE-1>config>service>ies# info 
----------------------------------------------
           interface "int-tunnel-public" create
                address 192.168.1.2/30
                tos-marking-state untrusted
                sap tunnel-1.public:1 create
                exit
            exit
            no shutdown
 
 
Mask /32 is not supported on the public tunnel.
*A:PE-1>config>service>ies# interface "tunnel-public" sap tunnel-1.public:1 create 
INFO: PIP #1288 Cannot bind when there are /32 or /128 addresses configured
The tunnel private interface:
 
 
The private tunnel SAP has the format tunnel-id.private|public:tag (where the id corresponds to the tunnel-group) as shown in the following CLI example where an unprotected GRE tunnel is configured under the SAP.
*A:PE-1>config>service>vprn>if# sap ?
 
  tunnel-id      - tunnel-<id>.<private|public>:<tag>
 
*A:PE-1>config>service>vprn# info 
---------------------------------------------------------------
 ---snip--
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
---snip---
 
It is not mandatory to have the same tag (internal dot1q) in private and public GRE tunnels.
sap tunnel-1.private:1 <=> sap tunnel-1.public:2
 
 
Unprotected GRE Tunnel Configuration
To associate an unprotected GRE tunnel with a private tunnel SAP the gre-tunnel command is configured under the SAP context.
 
*A:PE-1>config>service>vprn# info 
---------------------------------------------------------------
---snip--
            interface "gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                sap tunnel-1.private:1
                    gre-tunnel "gre-tunnel" to 10.0.0.2
---snip---
 
The to keyword followed by the private IP address of the remote tunnel endpoint is mandatory.
If this remote IP address is not within the subnet of the local private endpoint then the tunnel will not come up.
Under the gre-tunnel command, configure the following parameters:
 
*A:PE-1>config>service>vprn# info 
---------------------------------------------------------------
---snip--
            interface "gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        dscp af22
                        no shutdown
                    exit
 
*A:PE-1>config>service>vprn>if>sap# gre-tunnel "gre-tunnel-2" to 10.0.0.2 create 
MINOR: SVCMGR #5120 Only one GRE tunnel allowed per SAP
 
 
IP/GRE Tunneling via Static Route
A static route can reference the GRE tunnel directly (by next-hop IP address) or the GRE tunnel can be the resolved next-hop for an indirect static route (Figure 233).
Figure 233: GRE for Remote Access to a VPRN Service
The details of both ends on the GRE tunnel, at site A and PE-1, are shown in Figure 234.
Figure 234: IP/GRE Tunneling via Static Route
The following shows the configuration of PE-1.
A:PE-1# configure service vprn 1 
A:PE-1>config>service>vprn# info 
----------------------------------------------
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            exit
            static-route 172.16.1.1/32 next-hop 10.0.0.2 
 
To check the static route status:
*A:PE-1# show router 1 static-route 
===============================================================================
Static Route Table (Service: 1)  Family: IPv4
===============================================================================
Prefix                                        Tag         Met    Pref Type Act
   Next Hop                                    Interface                   
-------------------------------------------------------------------------------
172.16.1.1/32                                 0           1      5    NH   Y
   10.0.0.2                                    int-gre-tunnel         
-------------------------------------------------------------------------------
No. of Static Routes: 1
 
 
IP/GRE Tunneling via BGP Peering
In this section, the configuration has BGP running inside the GRE tunnel (the only supported routing protocol in SR-OS 8.0R5).
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            router-id 192.0.2.2
            autonomous-system 64496
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            static-route 172.16.1.1/32 next-hop 10.0.0.2
            bgp
                local-as 64496
                router-id 192.0.2.2
                group "group-1"
                    type internal
                    local-as 64496
                    local-address 172.32.1.1
                    neighbor 172.16.1.1
                    exit
                exit
                no shutdown
            exit
It is mandatory to configure the autonomous-system under the VPRN otherwise the BGP neighboring will not be established.
To check the BGP status:
*A:PE-1# show router 1 bgp neighbor 
===============================================================================
BGP Neighbor
===============================================================================
Peer  : 172.16.1.1
Group : group-1
-------------------------------------------------------------------------------
Peer AS              : 64496            Peer Port            : 179  
Peer Address         : 172.16.1.1
Local AS             : 64496            Local Port           : 49554
Local Address        : 172.32.1.1
Peer Type            : Internal         
State                : Established      Last State           : Active
---snip---
IP/GRE Tunneling via OSPFv2 Peering
From SR-OS 9.0R1, OSPFv2 can be run on IES and VPRN IP interfaces associated with private GRE tunnel SAPs.
All OSPF features are supported including area 0 and non-area 0 support, virtual links, authentication, BFD, configurable protocol timers.
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            router-id 192.0.2.2
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            exit
            ospf
                area 0.0.0.0
                    interface "int-gre-tunnel"
                    exit
                    interface "int-CE-1"
                        interface-type point-to-point
                    exit
                exit
            exit
            no shutdown
 
To check the OSPF status:
*A:PE-1# show router 1 ospf neighbor 
===============================================================================
OSPF Neighbors
===============================================================================
Interface-Name                   Rtr Id          State      Pri  RetxQ   TTL
   Area-Id
-------------------------------------------------------------------------------
int-gre-tunnel                   192.0.2.1       Full       1    0       30
   0.0.0.0
-------------------------------------------------------------------------------
No. of Neighbors: 1
===============================================================================
 
 
To check the OSPF routes:
*A:PE-1# show router 1 route-table protocol ospf 
===============================================================================
Route Table (Service: 1)
===============================================================================
Dest Prefix[Flags]                            Type    Proto    Age         Pref
      Next Hop[Interface Name]                                   Metric    
-------------------------------------------------------------------------------
172.16.1.1/32                                 Remote  OSPF     00h04m58s   10
       10.0.0.2                                                     10
-------------------------------------------------------------------------------
 
IP/GRE Tunneling Protection using IPSec Tunnel Mode
To provide protection against the potential threats (such as spoofing) the GRE packets can be encrypted and authenticated using IPSec.
In SR-OS 9.0R1 GRE packets receive IPSec protection by forwarding them, after encapsulation by one tunnel-ISA, into an IPSec tunnel supported by another (or the same) tunnel-ISA.
Note that when configuring GRE protection by an IPSec tunnel:
In the following example the GRE tunnel and its protecting IPSec tunnel belong to the same tunnel group.
Figure 235: Example GRE over IPSec Tunnel
 
 
IPSec Configuration
An ike-policy and ipsec-transform must be configured as shown below.
*A:PE-1>config>ipsec# info 
----------------------------------------------
        ike-policy 1 create
            dh-group 5
        exit
        ipsec-transform 1 create
            esp-encryption-algorithm aes256
        exit
----------------------------------------------
 
The public/private side of the GRE tunnel and the private side of the IPSec tunnel are in the same VPRN, as shown in the following configuration example.
*A:PE-1# configure service vprn 3 
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip 192.168.4.0/24
                        remote-ip 192.168.3.0/24
                    exit
                exit
            exit
            route-distinguisher 64496:3
            vrf-target target:64496:3
            interface "int-private-ipsec-1" tunnel create
                sap tunnel-1.private:3 create
                    ipsec-tunnel "ipsec-tunnel-for-gre-tunnel" create
                        security-policy 1
                       local-gateway-address 10.2.2.1 peer 10.1.1.1 delivery-service 4
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "ALU"
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            interface "int-public-gre-1" create
                address 192.168.4.2/24
                sap tunnel-1.public:4 create
                exit
            exit
            interface "int-private-gre-1" tunnel create
                address 10.0.0.6/30
                sap tunnel-1.private:5 create
                    gre-tunnel "protected-gre-tunnel" to 10.0.0.5 create
                        source 192.168.4.1
                        remote-ip 192.168.3.1
                        delivery-service 3
                        no shutdown
                    exit
                exit
            exit
            static-route 192.168.3.0/24 ipsec-tunnel "ipsec-tunnel-for-gre-tunnel"
            no shutdown
 
The following displays a configuration example of the public side of the IPSec tunnel:
*A:PE-1>config>service>ies# info 
----------------------------------------------
            interface "public-ipsec-1" create
                address 10.2.2.2/24
                tos-marking-state untrusted
                sap tunnel-1.public:3 create
                exit
            exit
 
To check the GRE tunnel:
*A:PE-1# show gre tunnel 
===============================================================================
GRE Tunnels
===============================================================================
TunnelName                       LocalAddress     SvcId       Admn
 SapId                            RemoteAddress    DlvrySvcId  Oper
  To                               Bkup RemAddr     DSCP        Oper Rem Addr
-------------------------------------------------------------------------------
protected-gre-tunnel             192.168.4.1      3           Up
 tunnel-1.private:5               192.168.3.1      3           Up
  10.0.0.5                                          None        192.168.3.1
-------------------------------------------------------------------------------
 
To check the GRE tunnel info:
*A:PE-1# show gre tunnel "gre-tunnel-1"  
===============================================================================
GRE Tunnel Configuration Detail
===============================================================================
Service Id       : 1                    Sap Id           : tunnel-1.private:1
Tunnel Name      : gre-tunnel-1
Description      : None
Target Address   : 10.0.0.2             Delivery Service : 2
Admin State      : Up                   Oper State       : Up
Source Address   : 192.168.1.1          Oper Remote Addr : 192.168.0.1
Remote Address   : 192.168.0.1          Backup Address   : 
DSCP             : None                 
Oper Flags       : None
 
===============================================================================
GRE Tunnel Statistics: gre-tunnel-1
===============================================================================
Errors Rx        : 0                    Errors Tx        : 0
Pkts Rx          : 9164                 Pkts Tx          : 14176
Bytes Rx         : 703812               Bytes Tx         : 750429
Key Ignored Rx   : 0                    Too Big Tx       : 0
Seq Ignored Rx   : 0                    
Vers Unsup. Rx   : 0                    
Invalid Chksum Rx: 0                    
Loops Rx         : 0                    
 
By default the IPSec tunnel is down if it is not used by any traffic.
*A:PE-1# show ipsec tunnel 
===============================================================================
IPsec Tunnels
===============================================================================
TunnelName                       LocalAddress      SvcId        Admn   Keying
  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec
                                                                         Plcy
-------------------------------------------------------------------------------
ipsec-tunnel-for-gre-tunnel      10.2.2.1          3            Up     Dynamic
  tunnel-1.private:3               10.1.1.1          4            Down   1
-------------------------------------------------------------------------------
Once it is used by any traffic the status will be changed to be up.
*A:PE-1# ping router 3 10.0.0.5 
PING 10.0.0.5 56 data bytes
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=4.64ms.
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=4.54ms.
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=4.42ms.
64 bytes from 10.0.0.5: icmp_seq=4 ttl=64 time=5.01ms.
64 bytes from 10.0.0.5: icmp_seq=5 ttl=64 time=4.40ms.
 
To check the IPSec tunnel:
*A:PE-1# show ipsec tunnel 
===============================================================================
IPsec Tunnels
===============================================================================
TunnelName                       LocalAddress      SvcId        Admn   Keying
  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec
                                                                         Plcy
-------------------------------------------------------------------------------
ipsec-tunnel-for-gre-tunnel      10.2.2.1          3            Up     Dynamic
  tunnel-1.private:3               10.1.1.1          4            Up     1
-------------------------------------------------------------------------------
IPsec Tunnels: 1
===============================================================================
 
 
 
BFD Support on Private Tunnel Interfaces
The SR-OS 9.0R1 introduces support for BFD on IP interfaces associated with private GRE tunnel SAPs. The BFD state of the interface can be used by static routes, OSPFv2 and/or BGP configured on the interface. It is not used to trigger a switch over to the backup remote IP address of the GRE tunnel.
The following displays a static-route example:
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            router-id 192.0.2.2
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            exit
            static-route 172.16.1.1/32 next-hop 10.0.0.2 bfd-enable
 
To check the BFD session:
*A:PE-1# show router 1 bfd session 
===============================================================================
BFD Session
===============================================================================
Interface                     State                 Tx Intvl  Rx Intvl  Multipl
  Remote Address              Protocols             Tx Pkts   Rx Pkts   Type
-------------------------------------------------------------------------------
gre-tunnel                    Up (3)                100       100       3
   10.0.0.2                   static                N/A       N/A       cpm-np
-------------------------------------------------------------------------------
No. of BFD sessions: 1
===============================================================================
 
 
 
 
 
The following displays an OSPF example:
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            router-id 192.0.2.2
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            exit
            ospf
                area 0.0.0.0
                    interface "int-gre-tunnel"
                        bfd-enable 
                    exit
---snip--
 
To check the BFD session:
*A:PE-1# show router 1 bfd session 
===============================================================================
BFD Session
===============================================================================
Interface                     State                 Tx Intvl  Rx Intvl  Multipl
  Remote Address              Protocols             Tx Pkts   Rx Pkts   Type
-------------------------------------------------------------------------------
int-gre-tunnel                Up (3)                100       100       3
   10.0.0.2                   ospf2                 N/A       N/A       cpm-np
-------------------------------------------------------------------------------
 
The following displays a BGP example:
*A:PE-1>config>service>vprn# info 
----------------------------------------------
            router-id 192.0.2.2
            autonomous-system 64496
            route-distinguisher 64496:1
            vrf-target target:64496:1
            interface "int-gre-tunnel" tunnel create
                address 10.0.0.1/30
                ip-mtu 1476
                bfd 100 receive 100 multiplier 3
                sap tunnel-1.private:1 create
                    gre-tunnel "gre-tunnel-1" to 10.0.0.2 create
                        source 192.168.1.1
                        remote-ip 192.168.0.1
                        delivery-service 2
                        no shutdown
                    exit
                exit
            exit
            static-route 172.16.1.1/32 next-hop 10.0.0.2
            bgp
                local-as 64496
                router-id 192.0.2.2
                group "group-1"
                    type internal
                    local-as 64496
                    local-address 172.32.1.1
                    neighbor 172.16.1.1
                        bfd-enable
                    exit
                exit
                no shutdown
            exit
To check the BFD session:
*A:PE-1# show router 1 bfd session 
===============================================================================
BFD Session
===============================================================================
Interface                     State                 Tx Intvl  Rx Intvl  Multipl
  Remote Address              Protocols             Tx Pkts   Rx Pkts   Type
-------------------------------------------------------------------------------
int-CE-1                      Up (3)                100       100       3
   172.16.1.1                 bgp                   N/A       N/A       cpm-np
-------------------------------------------------------------------------------
No. of BFD sessions: 1
===============================================================================
 
 
 
IP/GRE Termination – Advanced Topics
 
DSCP Value of Outer Delivery Header
interface "gre-tunnel" tunnel create
    address 10.0.0.1/30
    sap tunnel-1.private:200 create
       gre-tunnel "gre-tunnel" to 10.0.0.2
          source 192.168.11.2
          remote-ip 192.168.10.2
          delivery-service 21
          dscp af41 
 
The log filter output: TOS=88 (DSCP=af41) in the public network.
Maximum entries configured : 1000
Number of entries logged   : 2
2010/12/13 18:26:15  Ip Filter: 10:10  Desc: 
SAP: 1/1/1  Direction: Egress  Action: Forward
Src MAC: 1c-2c-01-01-00-01  Dst MAC: 1c-2d-01-01-00-01  EtherType: 0800
Src IP: 192.168.11.2 Dst IP: 192.168.10.2 Flags: 0  TOS: 88  TTL: 254
 
IP-MTU
It is possible to configure the IP MTU of a private tunnel SAP interface. This sets the maximum IP packet size payload (including IP header) that can be sent into the tunnel (it applies to the packet size before the tunnel encapsulation is added).
vprn 1 customer 1 create
            router-id 172.17.1.1
            autonomous-system 650000
            route-distinguisher 65000:1
            interface "gre-tunnel" tunnel
                address 10.0.0.1/30
                ip-mtu 1476
                sap tunnel-1.private:201
 
 
 
When an IPv4 packet needs to be forwarded to the tunnel and is larger than IP MTU bytes:
The IP-MTU range supported is from 512 to 9000 bytes.
To display information about the tunnel operational MTU.
*A:PE-1# show router 1 interface  "gre-tunnel" detail  | match MTU 
IP Oper MTU      : 1476                 ICMP Mask Reply   : True
 
 
Statistics and Accounting
Collect-stats can be configured under public and private SAPs.
For Public SAPs:
*A:PE-1>config>service>ies>if# sap tunnel-1.public:2 collect-stats
 
For Private SAPs:
*A:PE-1>config>service>vprn>if# sap tunnel-1.private:2 collect-stats 
 
 
Filtering, Policing and QoS
An ip-filter and QoS policy can be applied to the ingress and egress traffic of the private and public SAPS.
Public SAPs:
*A:PE-1>config>service>vprn>if# info 
----------------------------------------------
---snip---
                sap tunnel-1.private:1 create
                    ingress
                        qos 10 
                        filter ip 1
                    exit
                    egress
                        qos 10
                        filter ip 1
                    exit
 
Private SAPs:
*A:PE-1>config>service>ies>if# info 
----------------------------------------------
                address 192.168.1.2/30
                tos-marking-state untrusted
                sap tunnel-1.public:1 create
                    ingress
                        qos 10 
                        filter ip 1
                    exit
                    egress
                        qos 10
                        filter ip 1
                    exit
 
Mirroring
The public and private SAPs can be mirrored.
*A:PE-1# show debug 
debug
    mirror-source 99
        sap tunnel-1.private:3 egress ingress
        sap tunnel-1.public:1 egress ingress
        no shutdown
    exit
exit
Conclusion
This section provides configuration and show commands for IP/GRE termination.