GRE Configuration Example: Cisco 881 ISR



This example illustrates how to configure GRE tunnels between a Cisco 881 ISR and Zscaler Enforcement Nodes (ZENs) in the Zscaler service. As shown in the figure, two GRE tunnels are configured between the router's WAN port, fa4, which has a static public IP address (192.0.2.2), and two ZENs in two different data centers (216.66.5.49 and 199.168.149.179).

Zscaler has assigned the following IP addresses for the GRE tunnels:

  • Tunnel Source IP: 192.0.2.2
  • Internal Range: 172.18.58.120 - 172.18.58.127

Primary tunnel:

  • Destination (ZEN public IP): 216.66.5.49
  • Internal Router IP: 172.18.58.121/30
  • Internal ZEN IP: 172.18.58.122/30

Secondary tunnel:

  • Destination (ZEN public IP): 199.168.149.179
  • Internal Router IP: 172.18.58.125/30
  • Internal ZEN IP: 172.18.58.126/30

The router receives ingress traffic on ports fa0, fa1, fa2 and fa3 and forwards Internet traffic to the WAN gateway port, fa4, which sends it through the tunnel interfaces Tunnel2700 and Tunnel2800 to the Zscaler service. The router performs NAT on the remaining traffic, which it sends directly to the Internet.

Following are the steps and commands used to configure the GRE tunnels in this example, on a Cisco 881 ISR router running IOS 15.1, to ZENs in different data centers. Refer to the Cisco documentation for details of the commands.

The sample configuration shows how to configure the following on two tunnel interfaces (Tunnel2700 and Tunnel2800) sourced from the WAN port FastEthernet4 (fa4). The tunnel numbers are arbitrary; you can use different ones in your configuration.

  • Tunnel2700 with IP address 172.18.58.121/30 and destination 216.66.5.49
  • Tunnel2800 with IP address 172.18.58.125/30 and destination 199.168.149.179
  • A TCP maximum segment size (MSS) clamp, set to a value appropriate for your network. GRE over IPv4 adds 24 bytes of encapsulation (a 20-byte outer IP header plus a 4-byte GRE header), which is why the show output later reports a tunnel transport MTU of 1476 bytes on a 1500-byte link; the example clamps the MSS to 1300, leaving headroom for any further overhead on the path
  • No NAT on the tunnel interfaces, so the Zscaler service logs internal IP addresses and you can configure sub-locations
! Primary tunnel: router-side address 172.18.58.121/30, ZEN at 216.66.5.49
interface Tunnel2700
 ip address 172.18.58.121 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 tunnel source FastEthernet4
 tunnel destination 216.66.5.49
!
! A plain "!" separates the two interfaces; an "end" here would leave
! configuration mode before the second interface command is entered.
! Secondary tunnel: router-side address 172.18.58.125/30, ZEN at 199.168.149.179
interface Tunnel2800
 ip address 172.18.58.125 255.255.255.252
 ip virtual-reassembly
 ip tcp adjust-mss 1300
 tunnel source FastEthernet4
 tunnel destination 199.168.149.179
end

In Cisco IOS routers, policy-based routing (PBR) is implemented using route maps.

Note that many Cisco platforms process policy-routed traffic in software rather than in hardware, which can cause CPU spikes under load. If you do not need to select traffic by port or source, static routes (ip route) pointing at the tunnel interfaces avoid that cost.

The following sample configuration creates an access list that selects the outbound traffic to redirect, and a route map that sends that traffic over Tunnel2700, falling back to Tunnel2800. When several interfaces are listed in a set interface clause, the router uses the first one whose line protocol is up, so failover with this route map depends on the tunnel's line-protocol state (for example, as driven by GRE keepalives), not on the IP SLA probes configured later.

Sample Configuration

access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 8800

route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel2700 Tunnel2800

You can exclude traffic from specific sources from being redirected into the GRE tunnels. The following example excludes traffic sourced from the host 192.168.1.1 (an entry of the form deny ip any host 192.168.1.1 would instead exclude traffic destined to that host). Deny entries must appear before the permit entries that would otherwise match the same traffic; because entries typed with the access-list command are appended in order, enter the deny first when you create the list:

access-list 101 deny ip host 192.168.1.1 any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
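Inserting an exclusion into a list that already exists, as an added example that is not part of the original page. Typing a further access-list 101 deny entry at the CLI appends it after the existing permits, where it never matches; editing the numbered list in ip access-list extended mode with explicit sequence numbers places it first. The 10.0.0.0/8 destination exclusion is an illustrative assumption (keeping site-to-site traffic off the Zscaler tunnel), not something the page requires.

```cisco
! Added example, not from the original page: insert exclusions ahead of the
! permit entries of the existing ACL 101 without re-entering the whole list.
! Entries created with "access-list 101 ..." receive sequence numbers
! 10, 20, 30, ... in order, so anything below 10 lands before all of them.
ip access-list extended 101
 5 deny ip host 192.168.1.1 any
 6 deny ip any 10.0.0.0 0.255.255.255
 end
!
! Verify the order: the two deny entries must appear above the permits,
! and the per-entry match counters show whether the exclusion is hit.
show access-lists 101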

In this example, the ingress traffic is received by the router on ports fa0 to fa3, which are access ports in VLAN 2. Hosts on these ports obtain their addresses by DHCP; their matching traffic is policy-routed to GRE tunnels 2700 and 2800, and the remaining traffic is NATed out of fa4. Three points in this captured configuration deserve attention before you reuse it: fa4 is shown obtaining its address by DHCP, whereas the GRE tunnels must be sourced from the static public IP that Zscaler provisioned (192.0.2.2 in this example), so configure that address statically; ip http server is enabled alongside ip http secure-server, which exposes a clear-text HTTP management service on every interface, including fa4, with only access-list 23 limiting which clients it accepts, so disable it (no ip http server) and keep only HTTPS; and access lists 80 and 100 are permit-any entries that filter nothing, so either tighten them or remove the ip access-group lines that reference them.

interface FastEthernet0
 switchport access vlan 2
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface FastEthernet4
 description $ES_WAN$
 ip address dhcp client-id FastEthernet4 hostname 10.35.3.41
 ip access-group 80 in
 ip access-group 80 out
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip access-group 100 in
 ip access-group 100 out
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address 10.65.199.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly 
 ip tcp adjust-mss 1452
 ip policy route-map zscaler-tunnel 
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 10.96.13.254
!
ip access-list extended NAT
 permit ip 10.65.199.0 0.0.0.255 any
 deny   ip any any
!
logging esm config
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 30.30.30.0 0.0.0.7
access-list 23 permit 10.65.199.0 0.0.0.255
access-list 80 permit any
access-list 100 permit ip any any
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq 23
access-list 101 permit tcp any any eq 22
access-list 101 permit udp any any eq 53
access-list 101 permit tcp any any eq 8800
access-list 120 permit ip any any
access-list 180 permit ip 10.0.0.0 0.255.255.255 any
no cdp run
route-map zscaler-tunnel permit 10
 match ip address 101
 set interface Tunnel2700 Tunnel2800
!

Enable IP SLAs to monitor the tunnels. You can set a threshold for HTTP page-load time so that traffic switches from the primary to the secondary tunnel when the threshold is exceeded. Zscaler recommends using the ZEN's internal tunnel IP address as the monitored address: it is reachable only through the tunnel, so the probe cannot succeed over the NATed default route and mask a tunnel failure. The example uses IP SLA operation numbers 1 and 2; if those numbers are already in use on the router, choose others to avoid a conflict. Zscaler also recommends the test URL http://gateway.<zscaler_cloud>.net/vpntest, where <zscaler_cloud> is your cloud name; in the example below it is zscalertwo.net. For information on how to determine your Zscaler cloud name, see What is my cloud name? Note that an IP SLA operation only measures; to act on its result, bind it to a track object that a route map or static route references.

ip sla 1
 http raw http://172.18.58.122
 timeout 300
 threshold 300
 http-raw-request
  GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  \r\n
  \r\n
  exit
ip sla reaction-configuration 1 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla schedule 1 life forever start-time now
ip sla 2
 http raw http://172.18.58.126
 timeout 300
 threshold 300
 http-raw-request
  GET http://gateway.zscalertwo.net/vpntest HTTP/1.0\r\n
  User-Agent: Cisco IP SLA\r\n
  end\r\n
  \r\n
  \r\n
  \r\n
  exit
ip sla reaction-configuration 2 react rtt threshold-value 300 1 threshold-type consecutive 3
ip sla schedule 2 life forever start-time now
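The probes above only measure; nothing in the sample configuration consumes their result, and the track objects that show track displays in the troubleshooting section are not defined in it. The following added example, which is not part of the original page, binds each IP SLA operation to a track object and rewrites the route map to select the next hop with set ip next-hop verify-availability, so a failed HTTP probe, not only a down line protocol, moves traffic to the secondary tunnel. The operation numbers, route-map name, ACL number and ZEN-side tunnel addresses are the ones used on this page; the delay timers are an assumption chosen to damp flapping on a single missed probe.

```cisco
! Added example, not part of the original page: make the IP SLA probes
! drive the route map. Track objects turn each SLA result into a state
! the route map can test. The delay timers are an assumption.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
track 2 ip sla 2 reachability
 delay down 10 up 30
!
route-map zscaler-tunnel permit 10
 match ip address 101
! remove the interface-based set clause used earlier on this page ...
 no set interface Tunnel2700 Tunnel2800
! ... and choose the next hop by track state instead. Sequence 10 (the
! primary ZEN's tunnel address) is preferred while track 1 is Up; the
! router falls through to sequence 20 only when track 1 is Down.
 set ip next-hop verify-availability 172.18.58.122 10 track 1
 set ip next-hop verify-availability 172.18.58.126 20 track 2
!
! Confirm the bindings and the current preference.
do show track
do show route-map zscaler-tunnel
```

When both tracks are Down the set clause is skipped and matching packets follow the routing table, which in this configuration is the NATed default route out fa4: the site fails open to the direct Internet path, bypassing Zscaler. If your policy requires fail-closed behaviour, that fallback has to be blocked explicitly (for example with an outbound access list on fa4). If you prefer the ip route approach mentioned earlier over PBR, the same track objects can be attached to static routes (ip route 0.0.0.0 0.0.0.0 Tunnel2700 track 1 and ip route 0.0.0.0 0.0.0.0 Tunnel2800 10 track 2, with the existing NATed default route given a higher administrative distance as the last resort); in that case also add host routes for the two ZEN public addresses via the real WAN next hop, otherwise the tunnel endpoints resolve through the tunnels themselves (recursive routing) and the tunnels go down.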

Troubleshooting the Configuration

Following are some sample commands that you can use to monitor and troubleshoot the GRE tunnel.

Ping the Zscaler internal tunnel IP addresses to validate that each tunnel is up and routing is correct.

ping 172.18.58.122
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.122, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
ping 172.18.58.126
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.58.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

Ensure that the tunnel interface and its line protocol are up using the show interfaces tunnel command, as shown below:

show int tun 2800
Tunnel2800 is up, line protocol is up
 Hardware is Tunnel
 Internet address is 172.18.58.125/30
 MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
 Encapsulation TUNNEL, loopback not set
 Keepalive set (5 sec), retries 3
 Tunnel source 192.0.2.2 (FastEthernet4), destination 199.168.149.179
 Tunnel Subblocks:
     src-track:
       Tunnel2800 source tracking subblock associated with FastEthernet4
       Set of tunnels with source FastEthernet4, 19 members (includes iterators), on interface <OK>
 Tunnel protocol/transport GRE/IP
  Key disabled, sequencing disabled
  Checksumming of packets disabled
 Tunnel TTL 255, Fast tunneling enabled
 Tunnel transport MTU 1476 bytes
 Tunnel transmit bandwidth 8000 (kbps)
 Tunnel receive bandwidth 8000 (kbps)
 Last input never, output 00:00:02, output hang never
 Last clearing of "show interface" counters never
 Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 1
 Queueing strategy: fifo
 Output queue: 0/0 (size/max)
 5 minute input rate 0 bits/sec, 0 packets/sec
 5 minute output rate 0 bits/sec, 0 packets/sec
   5450 packets input, 3690507 bytes, 0 no buffer
   Received 0 broadcasts (0 IP multicasts)
   0 runts, 0 giants, 0 throttles
   0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
   588861 packets output, 29175729 bytes, 0 underruns
   0 output errors, 0 collisions, 0 interface resets
   0 output buffer failures, 0 output buffers swapped out

View the track status.

VPN-test#show track
Track 1
  IP SLA 1 reachability
  Reachability is Down
    3 changes, last change 00:16:23
  Latest operation return code: Timeout
Track 2
  IP SLA 2 reachability
  Reachability is Up
    2 changes, last change 01:01:27
  Latest operation return code: OK
  Latest RTT (millisecs) 1

View the SLA statistics.

VPN-test#show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *02:29:07.511 UTC Sat May 19 2012
Latest operation return code: Timeout
Number of successes: 0
Number of failures: 2
Operation time to live: Forever

IPSLA operation id: 2
Latest RTT: 1 milliseconds
Latest operation start time: *02:29:10.719 UTC Sat May 19 2012
Latest operation return code: OK
Number of successes: 2
Number of failures: 0
Operation time to live: Forever

Ensure that the router applies the route-map to the appropriate traffic:

show route-map zscaler-tunnel
route-map zscaler-tunnel, permit, sequence 10
 Match clauses:
   ip address (access-lists): 101
 Set clauses:
   interface Tunnel2700 Tunnel2800
 Policy routing matches: 76258 packets, 17131024 bytes