Did it, I didn't think it would make any difference, and it did not.
-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Wednesday, September 04, 2013 12:21 PM
To: Charles Wallace Jr (wallacc); 'ccielab_at_groupstudy.com'
Subject: Re: Eigrp GRE problem.
Take the second one out.
It's not going to work anyway
----- Original Message -----
From: Charles Wallace Jr (wallacc) [mailto:wallacc_at_cisco.com]
Sent: Wednesday, September 04, 2013 12:12 PM
To: Joseph L. Brunner; ccielab_at_groupstudy.com <ccielab_at_groupstudy.com>
Subject: RE: Eigrp GRE problem.
These two routes are my two uplink gateways. Interface Gig 0/1 and 0/2.
-----Original Message-----
From: Joseph L. Brunner [mailto:joe_at_affirmedsystems.com]
Sent: Wednesday, September 04, 2013 10:52 AM
To: Charles Wallace Jr (wallacc); ccielab_at_groupstudy.com
Subject: RE: Eigrp GRE problem.
Why the 2 static routes for your tunnel destination? (instead of 1)
ip route 10.194.172.254 255.255.255.255 10.90.147.12
ip route 10.194.172.254 255.255.255.255 10.90.147.10
what interface are these via?
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Charles Wallace Jr (wallacc)
Sent: Wednesday, September 04, 2013 9:35 AM
To: ccielab_at_groupstudy.com
Subject: Eigrp GRE problem.
Guys,
Stumped on this one, if anyone can help me figure this out, would appreciate it. I'm trying to build a GRE tunnel between two labs, the Cisco facility in Lawrenceville, and another out in Building 29 in San Jose. A routine task, but both of these labs have a slightly larger allocation of addressing that is not stub like. The other tunnels we build are closer to hub and spoke.
I can build the tunnel, nothing fancy with GRE. I add static routes on both sides so that the source and destination addresses for the GRE tunnel won't be advertised by EIGRP over the link, I've even added a distribute list to block default and those source and destination addresses.
The problem comes into play when both sides start to exchange routes. I have it narrowed down to a specific route, 10.194.168.0 that brings the entire thing down. I'm thinking it's because that encompasses the tunnel source on one side, but I would think that since the static route is more specific and has a better AD metric that it would override.
Anyways, not really sure. Right now I have a distribute list that blocks the 10.194.168.0 route from going out and that keeps the tunnel up, but when I take it out, the tunnel goes down.
Attached are the two configs.
Below are the two gre/eigrp specific configs
LWR---------
interface Loopback1
ip address 10.90.147.32 255.255.255.255
ip pim sparse-mode
interface Tunnel666
description GRE tunnel to SJC29
ip address 10.0.0.18 255.255.255.252
ip mtu 1400
ip pim sparse-mode
tunnel source Loopback1
tunnel destination 10.194.172.254
router eigrp 1
network 10.90.147.0 0.0.0.127
network 10.90.250.0 0.0.0.255
redistribute eigrp 100
passive-interface default
no passive-interface GigabitEthernet0/1
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel1000
no passive-interface Tunnel1001
no passive-interface Vlan69
no passive-interface Tunnel1002
no passive-interface Tunnel1003
no passive-interface Tunnel1004
!
!
router eigrp 100
distribute-list 40 out
network 10.90.147.0 0.0.0.255
redistribute connected
redistribute eigrp 1
passive-interface default
no passive-interface Vlan104
!
!
router eigrp 666
distribute-list 66 out Tunnel666
network 10.0.0.16 0.0.0.3
redistribute connected
redistribute eigrp 1
redistribute eigrp 100
passive-interface default
no passive-interface Tunnel666
ip route 10.194.172.254 255.255.255.255 10.90.147.12
ip route 10.194.172.254 255.255.255.255 10.90.147.10
access-list 66 deny 0.0.0.0
access-list 66 deny 10.194.172.254
access-list 66 deny 10.90.147.32
access-list 66 permit 10.90.147.0 0.0.0.127
access-list 66 permit 10.90.250.0 0.0.0.255
!LWR-----
SJC29-----
interface Loopback0
ip address 10.194.172.254 255.255.255.255
ip igmp join-group 239.204.0.156
ip igmp join-group 239.201.0.122
!
interface Tunnel666
description GRE tunnel to AS lab LWR 5.1
ip address 10.0.0.17 255.255.255.252
ip mtu 1400
ip pim sparse-mode
tunnel source Loopback0
tunnel destination 10.90.147.32
router eigrp 1200
distribute-list 10 out Tunnel10
distribute-list 67 out GigabitEthernet0/0
network 10.0.0.0
redistribute static
redistribute eigrp 666
!
!
router eigrp 666
distribute-list 66 out Tunnel666
network 10.0.0.0
redistribute connected
redistribute eigrp 1200
passive-interface default
no passive-interface Tunnel666
!
ip route 10.90.147.32 255.255.255.255 10.194.172.173
access-list 66 deny 0.0.0.0
access-list 66 deny 10.194.168.0
access-list 66 deny 10.194.172.254
access-list 66 deny 10.90.147.32
access-list 66 permit any
access-list 67 deny 10.90.147.32
access-list 67 permit any
!SJC29-----
User Access Verification
Password:
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
3945-TUN-SJ29#sh run
Building configuration...
Current configuration : 8874 bytes
!
! Last configuration change at 02:19:13 UTC Wed Sep 4 2013
! NVRAM config last updated at 02:19:17 UTC Wed Sep 4 2013
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 3945-TUN-SJ29
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$G1h0$BUPpVW7DMLZjgdAINAiPR/
enable password Sp0rts
!
no aaa new-model
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2545994155
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2545994155
revocation-check none
rsakeypair TP-self-signed-2545994155
!
!
crypto pki certificate chain TP-self-signed-2545994155
certificate self-signed 01
quit
no ipv6 cef
ip source-route
ip cef
!
!
ip multicast-routing
!
!
ip domain name yourdomain.com
ip host cisco-capwap-controller 10.194.205.52
ip host pas.aptilo.com 10.194.168.21
ip host wifi.vzw.vzwwifi.com 10.194.168.21
ip name-server 171.70.168.183
!
multilink bundle-name authenticated
!
!
!
!
!
voice-card 0
!
!
!
!
!
!
license udi pid C3900-SPE150/K9 sn FOC14454VBW
hw-module pvdm 0/0
!
hw-module sm 1
!
!
!
!
redundancy
!
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.194.172.254 255.255.255.255
ip igmp join-group 239.204.0.156
ip igmp join-group 239.201.0.122
!
!
interface Tunnel1
description GRE tunnel to Niels cube in Boulder office
ip address 10.0.0.5 255.255.255.252
ip pim sparse-mode
keepalive 10 3
tunnel source 10.194.172.174
tunnel destination 10.129.16.143
!
!
interface Tunnel2
description GRE tunnel to Niels home office
ip address 10.0.0.9 255.255.255.252
ip pim sparse-mode
keepalive 10 3
tunnel source 10.194.172.174
tunnel destination 10.19.37.101
!
!
interface Tunnel6
description GRE tunnel to Jordans home office
ip address 10.0.0.13 255.255.255.252
ip pim sparse-mode
keepalive 10 3
tunnel source 10.194.172.174
tunnel destination 10.98.68.73
!
!
interface Tunnel10
description mGRE headend
ip address 10.0.3.1 255.255.255.0
no ip redirects
ip pim nbma-mode
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 600
ip nhrp registration timeout 30
no ip split-horizon eigrp 1200
tunnel source 10.194.172.254
tunnel mode gre multipoint
!
!
interface Tunnel666
description GRE tunnel to AS lab LWR 5.1
ip address 10.0.0.17 255.255.255.252
ip mtu 1400
ip pim sparse-mode
tunnel source Loopback0
tunnel destination 10.90.147.32
!
!
interface GigabitEthernet0/0
description Nexus-Core1 Eth2/2
ip address 10.194.172.174 255.255.255.252
ip pim sparse-mode
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description Connection To Core
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
!
interface SM1/0
no ip address
shutdown
!Application: Online on SME
!
!
interface SM1/1
no ip address
shutdown
!
!
!
router eigrp 1200
distribute-list 10 out Tunnel10
distribute-list 67 out GigabitEthernet0/0
network 10.0.0.0
redistribute static
redistribute eigrp 666
!
!
router eigrp 666
distribute-list 66 out Tunnel666
network 10.0.0.0
redistribute connected
redistribute eigrp 1200
passive-interface default
no passive-interface Tunnel666
!
ip forward-protocol nd
!
ip pim rp-address 10.194.173.113 ipmc-public-hd-groups override
ip pim rp-address 10.194.172.249 ipmc-general-anycast-rp-groups override
ip pim rp-address 10.131.131.1 wnbu-special
ip pim rp-address 4.255.254.254 ipmc-corp-feeds
ip pim rp-address 10.193.0.73 DevQA-anycast
ip pim rp-address 10.192.0.65 ipmc-public-hd-groups-DevQA override
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip route 10.0.3.3 255.255.255.255 Tunnel10
ip route 10.90.147.32 255.255.255.255 10.194.172.173
!
ip access-list standard DevQA-anycast
permit 239.193.64.0 0.0.63.255
ip access-list standard garage-hd-groups
permit 225.2.2.0 0.0.0.255
ip access-list standard ipmc-corp-feeds
permit 239.255.0.0 0.0.255.255
ip access-list standard ipmc-general-anycast-rp-groups
permit 239.255.255.255
permit 239.0.0.251
permit 224.0.1.0 0.0.0.255
permit 224.0.23.0 0.0.0.255
permit 239.193.0.0 0.0.63.255
ip access-list standard ipmc-public-hd-groups
permit 239.255.255.255
permit 239.100.255.255
permit 239.200.0.0 0.0.255.255
permit 239.204.0.0 0.0.255.255
permit 239.201.0.0 0.0.255.255
permit 239.100.16.0 0.0.15.255
ip access-list standard ipmc-public-hd-groups-DevQA
permit 239.194.0.0 0.0.255.255
ip access-list standard wnbu-special
permit 239.100.0.0 0.0.255.255
permit 239.205.0.0 0.0.255.255
permit 239.0.0.0 0.0.255.255
!
access-list 10 deny 10.194.172.254
access-list 10 deny 10.0.3.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 66 deny 0.0.0.0
access-list 66 deny 10.194.168.0
access-list 66 deny 10.194.172.254
access-list 66 deny 10.90.147.32
access-list 66 permit any
access-list 67 deny 10.90.147.32
access-list 67 permit any
!
!
!
!
nls resp-timeout 1
cpd cr-id 1
!
snmp-server community public RO
!
control-plane
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
password cisco
login
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master 2
ntp server 171.68.10.80 prefer
end
3945-TUN-SJ29#
username: wallacc
password:
2911-1>en
Password:
2911-1#sh run
Building configuration...
Current configuration : 6380 bytes
!
! Last configuration change at 01:21:31 UTC Wed Sep 4 2013 by wallacc
! NVRAM config last updated at 00:42:11 UTC Wed Sep 4 2013 by wallacc
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 2911-1
!
boot-start-marker
boot-end-marker
!
!
enable password aslab
!
aaa new-model
!
!
aaa authentication login default group tacacs+ line local
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip multicast-routing
!
!
ip domain name cisco.com
ip name-server 64.102.6.247
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2911/K9 sn FTX1709AHA9
!
!
vtp domain aslabsesg
vtp mode transparent
username aslab privilege 15 secret 5 $1$XGtB$SPQYfIbcPYyPzrlrzAyS6.
!
!
vlan 69
!
vlan 104
name linktotaclab
!
ip ssh authentication-retries 5
ip ssh version 1
!
!
!
!
interface Loopback1
ip address 10.90.147.32 255.255.255.255
ip pim sparse-mode
!
interface Loopback666
ip address 10.90.147.126 255.255.255.255
!
interface Loopback667
ip address 10.90.147.125 255.255.255.255
!
interface Loopback668
ip address 10.90.147.124 255.255.255.255
!
interface Loopback669
ip address 10.90.147.123 255.255.255.255
!
interface Loopback670
ip address 10.90.147.122 255.255.255.255
!
interface Tunnel666
description GRE tunnel to SJC29
ip address 10.0.0.18 255.255.255.252
ip mtu 1400
ip pim sparse-mode
tunnel source Loopback1
tunnel destination 10.194.172.254
!
interface Tunnel1000
description ambrose
bandwidth 16000
ip address 10.90.147.21 255.255.255.252
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1000
ip nhrp holdtime 100
tunnel source Loopback666
tunnel mode gre multipoint
!
interface Tunnel1001
description charles
bandwidth 16000
ip address 10.90.147.17 255.255.255.252
no ip redirects
ip mtu 1500
ip pim dr-priority 100
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1001
ip nhrp holdtime 100
tunnel source Loopback667
tunnel mode gre multipoint
!
interface Tunnel1002
description india
bandwidth 16000
ip address 10.90.147.25 255.255.255.252
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1002
ip nhrp holdtime 100
tunnel source Loopback668
tunnel mode gre multipoint
!
interface Tunnel1003
description scottwerlein
bandwidth 16000
ip address 10.90.147.29 255.255.255.252
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1003
ip nhrp holdtime 100
tunnel source Loopback669
tunnel mode gre multipoint
!
interface Tunnel1004
description charles desk
bandwidth 16000
ip address 10.90.250.17 255.255.255.252
no ip redirects
ip mtu 1400
ip pim sparse-mode
ip nhrp map multicast dynamic
ip nhrp network-id 1004
ip nhrp holdtime 100
tunnel source Loopback670
tunnel mode gre multipoint
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.90.147.11 255.255.255.254
ip pim sparse-mode
duplex auto
speed auto
!
interface GigabitEthernet0/2
ip address 10.90.147.13 255.255.255.254
ip pim sparse-mode
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
switchport access vlan 104
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface GigabitEthernet0/1/0
no ip address
!
interface GigabitEthernet0/1/1
no ip address
!
interface GigabitEthernet0/1/2
no ip address
!
interface GigabitEthernet0/1/3
switchport access vlan 69
no ip address
!
interface Vlan1
no ip address
!
interface Vlan69
ip address 10.90.147.100 255.255.255.254
!
interface Vlan104
ip address 10.90.147.114 255.255.255.254
ip pim dr-priority 200
ip pim sparse-mode
!
!
router eigrp 1
network 10.90.147.0 0.0.0.127
network 10.90.250.0 0.0.0.255
redistribute eigrp 100
passive-interface default
no passive-interface GigabitEthernet0/1
no passive-interface GigabitEthernet0/2
no passive-interface Tunnel1000
no passive-interface Tunnel1001
no passive-interface Vlan69
no passive-interface Tunnel1002
no passive-interface Tunnel1003
no passive-interface Tunnel1004
!
!
router eigrp 100
distribute-list 40 out
network 10.90.147.0 0.0.0.255
redistribute connected
redistribute eigrp 1
passive-interface default
no passive-interface Vlan104
!
!
router eigrp 666
distribute-list 66 out Tunnel666
network 10.0.0.16 0.0.0.3
redistribute connected
redistribute eigrp 1
redistribute eigrp 100
passive-interface default
no passive-interface Tunnel666
!
ip forward-protocol nd
!
ip pim rp-address 10.90.147.117 ANYCASTgrp override
ip pim rp-address 10.90.147.49 PRIORITYCASTgrp override
ip pim rp-address 10.131.131.1 wnbu-special override
ip http server
no ip http secure-server
!
ip route 10.194.172.254 255.255.255.255 10.90.147.12
ip route 10.194.172.254 255.255.255.255 10.90.147.10
!
ip access-list standard ANYCASTgrp
permit 239.255.255.250
permit 239.100.255.255
permit 239.192.0.0 0.0.0.255
permit 239.67.0.0 0.0.255.255
permit 239.193.0.0 0.0.0.255
ip access-list standard PRIORITYCASTgrp
permit 239.66.0.0 0.0.255.255
ip access-list standard wnbu-special
permit 239.100.0.0 0.0.0.255
!
access-list 40 deny 10.90.147.0 0.0.0.7
access-list 40 permit 10.90.147.0 0.0.0.127
access-list 40 permit 10.90.250.0 0.0.0.255
access-list 40 permit 150.158.0.0 0.0.255.255
access-list 66 deny 0.0.0.0
access-list 66 deny 10.194.172.254
access-list 66 deny 10.90.147.32
access-list 66 permit 10.90.147.0 0.0.0.127
access-list 66 permit 10.90.250.0 0.0.0.255
!
!
tacacs-server host 171.70.168.112
tacacs-server host 173.38.203.29
!
!
!
control-plane
!
!
!
line con 0
line aux 0
transport input telnet ssh
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password aslab
transport input telnet ssh
line vty 5 1114
password aslab
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp server 10.81.254.131
end
2911-1#
Received on Wed Sep 04 2013 - 16:30:36 ART
This archive was generated by hypermail 2.2.0 : Tue Oct 01 2013 - 06:36:35 ART
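
The longest-prefix reasoning in the original post, as an added example that is not part of the thread: a small route-lookup model of the LWR side that reports whether the GRE tunnel destination ends up resolving out Tunnel666 itself (recursive routing). The /21 mask on 10.194.168.0 and the administrative distance of 170 for the tunnel-learned route are assumptions, since the post gives neither; the helper names are hypothetical.

```python
import ipaddress

def route(prefix, ad, iface=None, via=None):
    """One routing-table entry: an exit interface, or a next hop still to resolve."""
    return {"net": ipaddress.ip_network(prefix), "ad": ad, "iface": iface, "via": via}

def lookup(table, addr):
    """Longest-prefix match; equal-length prefixes are decided by lowest AD."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in table if ip in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["ad"]))

def resolve(table, addr, max_depth=8):
    """Follow next hops until a route with an exit interface is reached."""
    for _ in range(max_depth):
        r = lookup(table, addr)
        if r is None:
            return None            # unreachable
        if r["iface"]:
            return r["iface"]
        addr = r["via"]            # recurse on the next-hop address
    return None                    # next-hop loop

def tunnel_is_recursive(table, tunnel_if, tunnel_dst):
    """True when the tunnel's own destination is reached through the tunnel."""
    return resolve(table, tunnel_dst) == tunnel_if

# LWR (2911-1) entries taken from the posted config.
CONNECTED = [
    route("10.90.147.10/31", 0, iface="GigabitEthernet0/1"),
    route("10.90.147.12/31", 0, iface="GigabitEthernet0/2"),
    route("10.0.0.16/30", 0, iface="Tunnel666"),
]
STATIC = [
    route("10.194.172.254/32", 1, via="10.90.147.12"),
    route("10.194.172.254/32", 1, via="10.90.147.10"),
]
# ASSUMPTION: prefix length /21 and AD 170 are illustrative, not from the post.
LEARNED = [route("10.194.168.0/21", 170, iface="Tunnel666")]

TUNNEL_IF, TUNNEL_DST = "Tunnel666", "10.194.172.254"

if __name__ == "__main__":
    for label, table in (("with /32 statics", CONNECTED + STATIC + LEARNED),
                         ("without statics", CONNECTED + LEARNED)):
        print(label, "->", resolve(table, TUNNEL_DST),
              "recursive" if tunnel_is_recursive(table, TUNNEL_IF, TUNNEL_DST) else "ok")
```

On the router itself, `show ip route 10.194.172.254` while the covering route is present shows which entry is actually selected.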