Wireless Access

Hello,

I'm looking to familiarise myself with GRE tunnels ahead of some work I'm doing for a customer next month. What I'm looking to tunnel a L2 VLAN carrying guest traffic from one site to another across the WAN as a temporary measure.

In order to test this in the lab I've created an arbitrary VLAN (207) on two controllers in my lab, and am attempting to pass traffic between them. I have the following configuration:

Controller 1:

interface tunnel 2071
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source 192.168.38.10
        tunnel destination 192.168.38.11
        tunnel keepalive
        trusted
        tunnel vlan 207
!

 Controller 2: 

interface tunnel 2071
        description "Tunnel Interface"
        tunnel mode gre 1
        tunnel source 192.168.38.11
        tunnel destination 192.168.38.10
        tunnel keepalive
        trusted
        tunnel vlan 207
!

 As these are both arbitrary VLANs I've done operstate up on both to bring them online, and the tunnel is showing as up. However I can't see anything matching it in the datapath tunnel table, and I can't ping the VLAN 207 interface on the other controller through the tunnel.

Have I missed something here?

You typically cannot ping the ip address on tunnel endpoints.  Type "show ip route" on the commandline to see if there is a route to that ip address.  You can also trying to add a static route that points to the tunnel interface for the ip address on the other side of the VLAN.

Thanks Colin. I wondered if it was the case that you couldn't ping the IP address on the tunnel endpoints as it looks to be working other than that. I will get something physically connected to one of the controllers in VLAN 207 and see if I can ping that.

I had a look in the routing table and I've got the following entries pertaining to VLAN 207 and the tunnel:

C    172.16.207.0/24 is directly connected, VLAN207
C    0.0.0.0 is directly connected, Tunnel 2071

Is that what you'd expect to see for a L2 tunnel?

Many thanks

An L2 tunnel typically does not have an ip address, so I don't expect the routing table to change, as a result.  If there is something on the other side of the tunnel that you cannot reach, you might have to create a static route to it.  A layer 2 tunnel is typically just to bridge traffic from one endpoint to another or to allow two devices to share a single VLAN.

Hi Colin,

Thanks for your help on this one. That makes sense. As soon as I get a chance I'll lab this up with a device connected at one end and make sure it works like that.

I have a follow-up question. Can I achieve the following with L2 tunnels and tunnel-groups, without looping the network?

If not, we are running GRE at each site anyway. How reliable is GRE termination on VIPs? I was advised it was very flaky, but that was some time ago. The code version is 6.4.2.5, if that helps.

Many thanks,

GRE tunneling and termination is very good.  Quite a few large customers use this to put guest traffic into a DMZ.  Your design looks fine.  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Create-GRE-tunnel-between-VRRP/ta-p/180486