Tunnels

In computer networking, a tunnel is a virtual point-to-point connection that allows for the encapsulation of one type of network protocol within another. Tunnels can be used to connect networks that are physically separated by a public network, such as the Internet, or to create secure connections between remote locations.

Tunnels are commonly used to provide secure remote access to private networks, as well as to connect geographically dispersed networks. They are also used in conjunction with other network technologies, such as virtualization, to provide additional security and flexibility.

SoodarOS support many Layer 2 and Layer 3 tunnels, including: GRE, IPIP, VXLAN and VPLS

Layer 3 Tunnels

Layer 3 Tunnels Includes:

  • GRE

  • IPIP

GRE

A GRE tunnel is a type of tunneling protocol that encapsulates one protocol over another protocol to create a virtual point-to-point connection between two network endpoints. In GRE tunneling, a tunnel is established between two routers or endpoints, and the router at one end encapsulates the payload packets of one protocol inside the payload of another protocol before transmitting them over the tunnel to the other end.

The GRE header provides the necessary information to enable the transport of the encapsulated packets over the tunnel. The GRE header includes a protocol type field that identifies the payload protocol, a checksum field to ensure data integrity, a key field for security purposes, and a sequence number field to ensure data order. GRE tunnels can be used to transport any network-layer protocol, including IPv4, IPv6, and multicast traffic.

One of the primary applications of GRE tunneling is to create secure virtual private network (VPN) connections over the Internet. GRE tunnels are often used in combination with other tunneling protocols such as IPsec to provide security and encryption for data transmitted over the tunnel. GRE tunnels can also be used to connect remote branch offices or to provide connectivity between cloud-based services and on-premises networks.

IPIP

IP-IP tunnel, also known as IP-in-IP tunnel or IPIP tunnel, is a type of tunneling protocol that encapsulates one IP packet within another IP packet. The protocol allows for the creation of a virtual point-to-point link between two network nodes over an IP network.

In an IP-IP tunnel, the original IP packet is encapsulated in a new IP packet and transmitted over the network. The original packet becomes the payload of the new packet, with the source and destination addresses of the original packet becoming the new IP packet’s tunnel endpoints. The new IP packet is then transmitted across the network to the receiving endpoint, where it is decapsulated, revealing the original packet. Security measures, such as encryption and authentication, can also be implemented to protect tunnel traffic from unauthorized access.

Create L3 Tunnel

interface tunnel [vrf VRF] (0-1023)

The interface tunnel command is used in network configuration to create a tunnel interface. A tunnel interface is a logical interface that is used to encapsulate one protocol inside another protocol.

  • (0-1023): is used to identify the tunnel interface.

  • VRF: (Optional) specifies the name of the VRF (Virtual Routing and Forwarding) instance to which the tunnel interface belongs.

tunnel source <A.B.C.D|X:X::X:X>

The tunnel source command is used to specify the source IP address of a tunnel interface

  • <A.B.C.D|X:X::X:X>: specifies the source IP address of the tunnel. It can be an IPv4 or IPv6 address.

It is important to configure the correct source IP address for the tunnel, as this will determine which interface the encapsulated packets appear to originate from on the receiving end.

tunnel destination <A.B.C.D|X:X::X:X>

The command is used to configure the tunnel endpoint address for a GRE or IP-IP tunnel.

  • A.B.C.D: specifies the IPv4 address of the destination endpoint.

  • X:X::X:X: specifies the IPv6 address of the destination endpoint.

tunnel vrf VRF

The command is used to configure the VRF in which the tunnel lookup for its destination.

  • VRF: specifies the VRF name to look up the destination from.

tunnel mode ipip

The command is used to configure a tunnel with the IP-IP encapsulation method.

tunnel mode ipsec

The command is used to configure a tunnel with the protected IP-IP encapsulation method. An IPSec tunnel is an IP-IP tunnel that should always be protected.

tunnel mode gre

The command is used to configure the tunneling protocol as GRE (Generic Routing Encapsulation) on a network device.

tunnel protection ipsec profile IPSECPROFILE

The command is used to configure a tunnel with IPsec encryption. It specifies an IPsec profile that is applied to the tunnel for securing the data that is transmitted over the tunnel.

  • profile IPSECPROFILE: This specifies the name of the IPsec profile that will be used for the tunnel. The IPsec profile defines the security policies and algorithms that are used for securing the data that is transmitted over the tunnel.

See also

Profile

Warning

Currently, the protection mode is only supported in P2P tunnels.

Note

When a tunnel is in protected mode, It is put in shutdown mode until the IPSec SAs are established.

Note

When IPSec SAs protecting a tunnel are gone, the tunnel immediately shuts down. Reestablishing SAs make tunnel available again.

Logging

Debugging logs can be set in case of need.

debug tunnel event

log data plane installation processes and results

GRE configuration example

In the first peer we have:

soodar1(config)# interface tunnel 10
soodar1(config-if)# tunnel source 200.1.2.1
soodar1(config-if)# tunnel destination 200.1.2.2
soodar1(config-if)# tunnel mode gre
soodar1(config-if)# ip address 192.168.1.1/32

In the second peer we have:

soodar2(config)# interface tunnel 10
soodar2(config-if)# tunnel source 200.1.2.2
soodar2(config-if)# tunnel destination 200.1.2.1
soodar2(config-if)# tunnel mode gre
soodar2(config-if)# ip address 192.168.1.2/32

And then, we add IP routes:

soodar1(config)# ip route 2.1.1.0/24 tunnel10

soodar2(config)# ip route 1.1.1.0/24 tunnel10

GRE-MP configuration example

Currently, only NHRP static mapping is available.

In the first peer we have:

soodar1(config)# interface tunnel 10
soodar1(config-if)# tunnel source 200.1.2.1
soodar1(config-if)# tunnel mode gre multipoint
soodar1(config-if)# ip address 192.168.1.1/32
soodar1(config-if)# ip nhrp map 192.168.1.2 200.1.2.2

In the second peer we have:

soodar2(config)# interface tunnel 10
soodar2(config-if)# tunnel source 200.1.2.2
soodar2(config-if)# tunnel mode gre multipoint
soodar2(config-if)# ip address 192.168.1.2/32
soodar2(config-if)# ip nhrp map 192.168.1.1 200.1.2.1

And then, we add IP routes:

soodar1(config)# ip route 2.1.1.0/24 192.168.1.2

soodar2(config)# ip route 1.1.1.0/24 192.168.1.1

Layer 2 tunnels

VXLAN

VXLAN, or Virtual Extensible LAN, is a network virtualization technology used to extend Layer 2 Ethernet networks over an IP-based network infrastructure. It is designed to address the scalability issues that arise in large cloud computing environments.

The basic idea behind VXLAN is to encapsulate Ethernet frames in UDP packets, with an additional VXLAN header added to the packet. The VXLAN header contains a VNI (VXLAN Network Identifier) that is used to identify the virtual network that the packet belongs to.

The VXLAN tunnel endpoint (VTEP) is the device responsible for encapsulating and decapsulating Ethernet frames into VXLAN packets. VTEPs can be implemented in software or hardware and can be located on hypervisors, switches, routers, or servers.

VXLAN also supports multicast and unicast traffic forwarding. Multicast traffic is forwarded using multicast group addresses, while unicast traffic is forwarded to a specific VTEP address.

VXLAN allows for network virtualization at scale, providing a way to create virtual networks that span across physical data center boundaries. It enables workload mobility, allowing virtual machines to be migrated between data centers without the need for manual IP address reconfiguration. Additionally, VXLAN can help overcome the limitations of VLANs, such as the maximum number of VLAN IDs and the scalability issues associated with large Layer 2 domains.

interface nve (0-100000000)

The command is used to create and configure a Network Virtualization Endpoint (NVE) interface. NVE is a technology used for virtualizing network segments over a Layer 3 infrastructure.

  • (0-100000000): specifies the NVE interface number. The interface number can be any number between 0 and 100000000.

Example :

soodar(config)# interface nve 40
source-ip <A.B.C.D|X:X::X:X>

This command is used to specify the source IP address for the VXLAN tunnel endpoint (VTEP) that is associated with the NVE interface.

  • <A.B.C.D|X:X::X:X>: is the IPv4 or IPv6 address that will be used as the source address for the VTEP.

ingress-replication A.B.C.D

The ingress-replication command is used to specify the IP address for the ingress replication. Ingress replication is a VXLAN technology used to forward traffic between two VXLAN VTEPs when multicast is not available in the underlay network. In ingress replication, the traffic is replicated by the source VTEP and sent to all the destination VTEPs directly. The ingress replication method is also known as “head-end replication.”

  • A.B.C.D: is the IP address of the NVE that will receive replicated traffic from the source VTEP.

Note

Currently, only one address can be used for replication.

Note

SoodarOS does not support multicast for VXLAN.

member vni (1-16777214)

The command is used in the context of an NVE (Network Virtualization Endpoint) interface to configure a VNI (VXLAN Network Identifier) as a member of the interface. A VNI is an identifier used to differentiate multiple VXLAN overlay networks running on the same physical network infrastructure.

  • (1-16777214): Specifies the VNI number to be added to the NVE interface. The range is from 1 to 16777214.

Note

For now, each NVE interface can associate to 1 VNI

member vni (1-16777214) associate-vrf

Associate NVE to VNI number and VRF that use this VNI number. Now tunnel lookup its ingress-replication’s path from the VRF that shares the same VNI with the tunnel.

Note

Each VRF can associate to 1 VNI

Example :

soodar(config)# interface nve 10
soodar(config-if)# source-ip 200.1.3.1
soodar(config-if)# ingress-replication 156.25.4.89
soodar(config-if)# member vni 40
soodar(config-if)# bridge-group 120
soodar(config-if)# int ge0
soodar(config-if)# no shutdown
soodar(config-if)# bridge-group 120

soodar(config)# vrf green
soodar(config-vrf)# vni 40
soodar(config)# int ge1
soodar(config-if)# ip vrf forwarding green
soodar(config-if)# ip address 200.1.3.1/24
soodar(config)# interface nve 10
soodar(config-if)# source-ip 200.1.2.1
soodar(config-if)# ingress-replication 200.1.3.3
soodar(config-if)# member vni 40 associate-vrf
soodar(config-if)# bridge-group 120
soodar(config-if)# int ge0
soodar(config-if)# no shutdown
soodar(config-if)# bridge-group 120

Logging

Debugging logs can be set in case of need.

debug vxlan event

log data plane installation processes and results

VPLS

Virtual Private LAN Service( VPLS) is a method to extend LANs on the network. SoodarOS Supports VPLS on an MPLS core network. First, we need to create a mpls-tunnel interface to achieve this. This interface acts as a pseudowire by adding another MPLS label to its passing traffic. Using a TLDP( Targeted LDP) session, the tunnel label can be negotiated between two routers.

Note

To use VPLS, the connection should be full-mesh. If three router r1, r2 and r3 are going to form a VPLS, 3 connection is needed: r1-r2, r2-r3 and r1-r3

interface mpls-tunnel

Creates a mpls-tunnel interface

l2vpn NAME type vpls

Create an L2VPN using VPLS technology

member pseudowire PW

Add a mpls-tunnel to this L2VPN and enter member pseudowire configuration mode. PW is mpls-tunnel’s name

neighbor lsr-id A.B.C.D

Target’s LSR-ID of this pseudowire.

Note

We should have a route to target’s LSR-ID to establish a targeted session.

pw-id (1-4294967295)

An ID to distinguish pseudowires. If PW-IDs differ, the session will not be established.

Example :

soodar(config)# interface ge3
soodar(config-if)# bridge-group 200
soodar(config-if)# no shutdown
soodar(config)# interface mpls-tunnel0
soodar(config-if)# bridge-group 200 split-horizon group 100
soodar(config-if)# no shutdown
soodar(config)# interface mpls-tunnel1
soodar(config-if)# bridge-group 200 split-horizon group 100
soodar(config-if)# no shutdown
soodar(config)# mpls ldp
soodar(config-ldp)# router-id 222.1.1.1
soodar(config)# l2vpn exemplary-vpls type vpls
soodar(config-l2vpn)# member pseudowire mpls-tunnel0
soodar(config-l2vpn-pw)# neighbor lsr-id 222.7.7.7
soodar(config-l2vpn-pw)# pw-id 170
soodar(config-l2vpn)# member pseudowire mpls-tunnel1
soodar(config-l2vpn-pw)# neighbor lsr-id 222.14.14.14
soodar(config-l2vpn-pw)# pw-id 1140

Note

Note how mpls-tunnels share the same split-horizon group id. It’s to prevent loops in packets( since bridge flooding is enabled and our topology is full-mesh).

Logging

Debugging logs can be set in case of need.

debug vpls event

log data plane installation processes and results