Wednesday, November 26, 2014

Debug Cisco Tunnels: GRE


We will debug the GRE tunnels that were set up in the previous post. There are two routers, each with a basic interface configuration on its Serial1/0 port and a Tunnel interface.

R1#debug tunnel
When everything is good:

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/21/36 ms
R1#
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP
R1# (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)

R1#Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)

What we see here:

We sent 5 packets to R2, R1 encapsulated 5 packets, and decapsulated 5 packets. Obviously, the decapsulated packets are the reply packets from R2.


Wrong tunnel destination

With debug tunnel enabled, this is what we see after the configuration change:

R1(config-if)#tunnel destination 200.0.0.3
FIBtunnel: Tu0: cli request terminated early: no
FIBtunnel: Tu0: cli request generated fib update: IPv4 punt change no, IPv6 punt change no, mode change no
FIBtunnel: Tu0: GRE/IP (0) punt ipv4: no (lc no), ipv6 no (lc no) [BEFORE]
FIBtunnel: Tu0: GRE/IP (0) punt ipv4: no (lc no), ipv6 no (lc no) [AFTER]
FIBtunnel: Tu0: stacking IP 0.0.0.0 to Default:200.0.0.3


R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:

Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Success rate is 0 percent (0/5)

Packets are encapsulated and sent, but no response from the other side.
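The comparison made by eye above can be automated. The following is an added example, not part of the original post: it parses `debug tunnel` output, counts encapsulated and decapsulated packets per tunnel, and reports outer destinations that never send GRE back. The function names and the shortened sample texts are assumptions of this example.

```python
import re
from collections import defaultdict

# Line formats as they appear in the "debug tunnel" output in this post.
ENCAP = re.compile(r"(Tunnel\d+): GRE/IP encapsulated \S+->(\S+) \(")
TO_DECAPS = re.compile(r"(Tunnel\d+): GRE/IP \(PS\) to decaps (\S+)->\S+ \(")
DECAPPED = re.compile(r"(Tunnel\d+): GRE decapsulated IP packet")

def summarize(debug_text):
    """Per tunnel: packets sent per outer destination, packets decapsulated,
    and the outer sources that GRE packets arrived from."""
    stats = defaultdict(lambda: {"tx": defaultdict(int), "rx": 0, "rx_from": set()})
    for line in debug_text.splitlines():
        # search() rather than match(): a console prompt may precede the message
        if m := ENCAP.search(line):
            stats[m.group(1)]["tx"][m.group(2)] += 1
        elif m := TO_DECAPS.search(line):
            stats[m.group(1)]["rx_from"].add(m.group(2))
        elif m := DECAPPED.search(line):
            stats[m.group(1)]["rx"] += 1
    return stats

def unanswered(stats):
    """(tunnel, destination, sent) for destinations that never sent GRE back."""
    return [(t, dst, n) for t, s in stats.items()
            for dst, n in s["tx"].items() if dst not in s["rx_from"]]

# Constructed samples: shortened copies of the two outputs shown above.
GOOD = """\
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0: GRE/IP to classify 200.0.0.2->200.0.0.1 (tbl=0,"Default" len=124 ttl=254 tos=0x0)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
R1#Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.2 (linktype=7, len=124)
Tunnel0: GRE/IP (PS) to decaps 200.0.0.2->200.0.0.1 (tbl=0,"default" len=124 ttl=254)
Tunnel0: GRE decapsulated IP packet (linktype=7, len=100)
"""
BAD = """\
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
Tunnel0: GRE/IP encapsulated 200.0.0.1->200.0.0.3 (linktype=7, len=124)
Tunnel0 count tx, adding 0 encap bytes.
"""

if __name__ == "__main__":
    print("good:", unanswered(summarize(GOOD)))
    print("bad: ", unanswered(summarize(BAD)))
```

A destination that only ever appears on the encapsulation side means tunnelled traffic is leaving the router toward an address that is not the intended peer.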



Wednesday, November 5, 2014

Point-to-Point Frame Relay with Cisco router as Frame Relay Switch




In this tutorial, I will show you how to use a Cisco router as a Frame Relay switch. This can be useful if you are studying for your CCNA or CCNP exam and need a Frame Relay switch. You can use GNS3's Frame Relay switch instead, but it can be a little buggy.

The topology used:

FRSW is the Frame Relay switch, which is connected to London, Budapest and Baltimore.

PVCs:
P2P 102 London Baltimore
P2P 201 Baltimore London
P2P 103 London Budapest
P2P 301 Budapest London

Step1

In this step we will enable Frame Relay switching on router FRSW, then we create the appropriate DLCIs.

FRSW(config)#frame-relay switching

On serial interfaces 1/0, 1/1 and 1/3, configure Frame Relay:

FRSW(config)#int serial 1/0
FRSW(config-if)#encapsulation frame-relay
FRSW(config-if)#frame-relay lmi-type cisco
FRSW(config-if)#clock rate 64000
FRSW(config-if)#frame-relay intf-type dce
FRSW(config-if)#no shutdown


FRSW(config)#int serial 1/1
FRSW(config-if)#encapsulation frame-relay
FRSW(config-if)#frame-relay lmi-type cisco
FRSW(config-if)#clock rate 64000
FRSW(config-if)#frame-relay intf-type dce
FRSW(config-if)#no shutdown


FRSW(config)#int serial 1/3
FRSW(config-if)#encapsulation frame-relay
FRSW(config-if)#frame-relay lmi-type cisco
FRSW(config-if)#clock rate 64000
FRSW(config-if)#frame-relay intf-type dce
FRSW(config-if)#no shutdown


Then create the routes on each interface. The command is:

frame-relay route INDLCI interface OUTINTERFACE OUTDLCI

so..

FRSW(config)#int serial 1/0
FRSW(config-if)#frame-relay route 103 interface s1/1 301
FRSW(config-if)#frame-relay route 102 interface s1/3 201


FRSW(config)#int serial 1/1
FRSW(config-if)#frame-relay route 301 interface serial 1/0 103

FRSW(config)#int ser1/3
FRSW(config-if)#frame-relay route 201 interface serial 1/0 102
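Each PVC needs a route in both directions, and a missing or mismatched reverse entry is easy to overlook. The following is an added example, not part of the original post: it parses the route commands above, expands the interface abbreviations the post uses (s1/1, ser1/3, serial 1/0) and lists reverse entries that are missing. The function names and the BROKEN variant are assumptions of this example.

```python
import re

IFACE = re.compile(r"^s(?:e(?:r(?:ial)?)?)?\s*(\d+/\d+)$", re.IGNORECASE)
ENTER = re.compile(r"#\s*int(?:erface)?\s+(.+?)\s*$")
ROUTE = re.compile(r"frame-relay route (\d+) interface (.+?) (\d+)\s*$")

def norm(name):
    """Expand the abbreviations used in the post to one canonical form."""
    m = IFACE.match(name.strip())
    if not m:
        raise ValueError(f"unrecognised interface name: {name!r}")
    return "Serial" + m.group(1)

def parse_routes(session):
    """Map (in_interface, in_dlci) -> (out_interface, out_dlci)."""
    routes, current = {}, None
    for line in session.splitlines():
        if m := ENTER.search(line):
            current = norm(m.group(1))
        elif (m := ROUTE.search(line)) and current:
            routes[(current, int(m.group(1)))] = (norm(m.group(2)), int(m.group(3)))
    return routes

def missing_reverse(routes):
    """Reverse entries a bidirectional PVC needs but the config lacks,
    as ((interface, dlci), (expected_out_interface, expected_out_dlci))."""
    return sorted((dst, src) for src, dst in routes.items() if routes.get(dst) != src)

# The route commands exactly as entered in the post.
POST_CONFIG = """\
FRSW(config)#int serial 1/0
FRSW(config-if)#frame-relay route 103 interface s1/1 301
FRSW(config-if)#frame-relay route 102 interface s1/3 201
FRSW(config)#int serial 1/1
FRSW(config-if)#frame-relay route 301 interface serial 1/0 103
FRSW(config)#int ser1/3
FRSW(config-if)#frame-relay route 201 interface serial 1/0 102
"""
# Constructed variant: the last route command left out.
BROKEN = POST_CONFIG.rsplit("FRSW(config-if)#", 1)[0]

if __name__ == "__main__":
    print("post config:", missing_reverse(parse_routes(POST_CONFIG)))
    print("broken:     ", missing_reverse(parse_routes(BROKEN)))
```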


Step2: Configure Nodes

London:

London(config)#int ser1/0
London(config-if)#encapsulation frame-relay
London(config-if)#no sh


London(config)#int ser1/0.103 point-to-point
London(config-subif)#ip addr 192.168.3.1 255.255.255.0

London(config-subif)#frame-relay interface-dlci 103
London(config-subif)#no sh


London(config)#int ser1/0.102 point-to-point
London(config-subif)#ip addr 192.168.1.1 255.255.255.0

London(config-subif)#frame-relay interface-dlci 102
London(config-subif)#no sh

Budapest:

Budapest(config)#int ser1/0
Budapest(config-if)#encapsulation frame-relay
Budapest(config-if)#no sh


Budapest(config)#int ser1/0.301 point-to-point
Budapest(config-subif)#ip addr 192.168.3.2 255.255.255.0

Budapest(config-subif)#frame-relay interface-dlci 301
Budapest(config-subif)#no sh



Baltimore:

Baltimore(config)#int ser1/0
Baltimore(config-if)#encapsulation frame-relay
Baltimore(config-if)#no sh


Baltimore(config)#int ser1/0.201 point-to-point 
Baltimore(config-subif)#ip addr 192.168.1.2 255.255.255.0
Baltimore(config-subif)#frame-relay interface-dlci 201
Baltimore(config-subif)#no sh

Step3: Test

Ping London from Baltimore:

Baltimore#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms

Ping London from Budapest:

Budapest#ping 192.168.3.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms


Step4: Set up routing

Budapest:

Budapest(config)#ip route 0.0.0.0 0.0.0.0 192.168.3.1

Baltimore:

Baltimore(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1





Sunday, October 12, 2014

Debug Cisco Tunnels: Basic Configuration



Tunnels are part of both the CCNA and CCNP exams, so it is important to know them and to know what to do when they do not work. Here I collect the basic configurations for the tunnels which we will debug. I will not explain the configuration; if you need further explanation, please visit www.cisco.com and read the official manuals.

Basic Configuration

R1

hostname R1

interface Serial1/0
 description LinkToR2
 ip address 200.0.0.1 255.255.255.252
 serial restart-delay 0
 no sh

line con 0
 logging synchronous



R2

hostname R2

interface Serial1/0
 description LinkToR1
 ip address 200.0.0.2 255.255.255.252
 serial restart-delay 0
 no sh

line con 0
 logging synchronous

GRE

R1

 interface Tunnel0
  description Tunnel
  ip address 192.168.1.1 255.255.255.0
  tunnel source Serial1/0
  tunnel destination 200.0.0.2

R2

 interface Tunnel0
  description Tunnel
  ip address 192.168.1.2 255.255.255.0
  tunnel source Serial1/0
  tunnel destination 200.0.0.1

Verification:

show logging
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

R1#show ip interface brief | include Tunnel0
Tunnel0                    192.168.1.1     YES manual up                    up

R2#show ip interface brief | include Tunnel0
Tunnel0                    192.168.1.2     YES manual up                    up

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/19/20 ms

R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/20 ms

IPsec

R1

ip access-list extended IPSEC
 permit gre host 200.0.0.1 host 200.0.0.2

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secretpassw0rd address 200.0.0.2

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set TRANSFORM
 match address IPSEC

interface Serial 1/0
 crypto map MAP

interface Tun0
 crypto map MAP

R2

ip access-list extended IPSEC
 permit gre host 200.0.0.2 host 200.0.0.1

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secretpassw0rd address 200.0.0.1

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 200.0.0.1
 set transform-set TRANSFORM
 match address IPSEC

interface Serial 1/0
 crypto map MAP

interface Tun0
 crypto map MAP


Verification:
%CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON

R1#ping 192.168.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/21/28 ms

R2#ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/24/52 ms

( Before checking the counters, it could be a good idea to reset them: clear ip access-list counters )

R2#sh ip access-lists
Extended IP access list IPSEC
    10 permit gre host 200.0.0.2 host 200.0.0.1 (15 matches)

R1#sh ip access-lists
Extended IP access list IPSEC
    10 permit gre host 200.0.0.1 host 200.0.0.2 (15 matches)



So you now have a working IPsec over GRE tunnel. In the next posts, the tunnels will be broken, so we will have to repair them.
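The IPsec configuration above is fine for an exam lab, but its algorithm choices are worth checking before anything like it is reused elsewhere. The following is an added example, not part of the original post: a small audit of the R1 crypto configuration. The rule set (DES/3DES, MD5 and DH groups 1, 2 and 5 treated as legacy, and a pre-shared key stored in cleartext reported) is an assumption of this example, not something the post states.

```python
# Rule set assumed for this example: algorithms generally treated as legacy.
WEAK_POLICY = {"encr": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}

def audit(config):
    """Return (finding, value) tuples in the order they occur in the config."""
    findings, section = [], ""
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        indented = raw[0].isspace()
        if not indented:                  # an unindented line opens a new section
            section = " ".join(words[:3])
        if indented and section == "crypto isakmp policy":
            if len(words) > 1 and words[1] in WEAK_POLICY.get(words[0], ()):
                findings.append((f"isakmp {words[0]}", words[1]))
        elif (words[:3] == ["crypto", "isakmp", "key"]
              and len(words) >= 6 and words[4] == "address"):
            # Cleartext form "key <secret> address <peer>": report the peer
            # only, never echo the key itself.
            findings.append(("cleartext pre-shared key", words[5]))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            findings += [("transform", w) for w in words[4:] if w in WEAK_TRANSFORMS]
    return findings

# R1's crypto configuration as shown in the post.
R1_IPSEC = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp key secretpassw0rd address 200.0.0.2

crypto ipsec transform-set TRANSFORM esp-3des esp-md5-hmac

crypto map MAP 10 ipsec-isakmp
 set peer 200.0.0.2
 set transform-set TRANSFORM
 match address IPSEC
"""

if __name__ == "__main__":
    for finding, value in audit(R1_IPSEC):
        print(f"{finding}: {value}")
```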


Wednesday, May 14, 2014

Bandwidth requirements of VoIP codecs

Simple calculation of the bandwidth requirement:


(  (codec bit rate)+(1000/packetization time)*(RTP (12 bytes)+IP (20 bytes)+UDP (8 bytes) overhead)*8  )/1000


Example:

GSM (13 kbit/sec), 20 ms: 28.625 kbit/sec
GSM (13 kbit/sec), 60 ms: 18.208 kbit/sec
PCM (64 kbit/sec), 20 ms: 79.625 kbit/sec
PCM (64 kbit/sec), 60 ms: 69.208 kbit/sec
G.721 (ADPCM) (32kbit/sec), 20 ms: 47.625 kbit/sec
G.721 (ADPCM) (32kbit/sec), 60 ms: 37.208 kbit/sec