
interface tunnel

interface tunnel <number>

autogenerate peer <peer-mac-address>

description <string>

inter-tunnel-flooding

ip

access group in <acl-name>

address {internal | pool tunnel-pool <pool-name> | {<ipaddr> <netmask>}}

ospf

area <area-id>

authentication message-digest

cost <value>

dead-interval <value>

hello-interval <value>

message-digest-key <id> <pwd>

priority <value>

retransmit-interval <value>

transmit-delay <value>

ipv6 address X:X:X:X::X

mtu <mtu>

no ...

openflow-enable

shutdown

trusted [vlan add <word>|remove <word>|<word>]

tunnel

destination <ip-addr>|{ipv6 <ipv6-addr>}

keepalive icmp <ipaddr> <next-hop>

keepalive cisco|{<interval> <retries>}

mode gre {ip|ipv6|<num>}

source

controller-ip

ipv6 {controller-ip|loopback|{vlan <vlanid>}|<ipv6-addr>}

loopback

vlan <vlanid>

<ip-addr>

vlan add <word>|remove <word>|<word>

Description

This command configures a Layer-2 or Layer-3 GRE tunnel between a managed device and another GRE-capable device.

Syntax

<number>
Tunnel identification number. The tunnel ID used here does not have to match the tunnel ID used on the other managed device.
Range: 1-16777215

autogenerate peer <peer-mac-address>
Auto-generates the tunnel endpoint for the specified peer device.

description <string>
String that describes this tunnel.

inter-tunnel-flooding
Enables inter-tunnel flooding.
Default: Enabled

ip access group in <acl-name>
Attaches a route ACL to an L3 GRE tunnel interface.
When you associate a routing ACL with inbound traffic on a managed device terminating an L3 GRE tunnel, that ACL can forward traffic as normal, route traffic to a next-hop router on a next-hop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see ip access-list route.

ip address {internal | pool tunnel-pool <pool-name> | {<ipaddr> <netmask>}}
IP address of the Layer-3 tunnel. This represents the entrance to the tunnel.
NOTE: This address should be a unique, non-routable IP address.
Enter one of the following values:
internal: IP address is allocated from the Remote-Node pool.
pool tunnel-pool <pool-name>: IP address is allocated from the specified tunnel pool.
<ipaddr>: An IPv4 address.
NOTE: The IP address should not be part of any subnet in your network, nor does it have to be routable in your network. It is used as a gateway for routing your private subnets (i.e., non-routable VLANs) within the GRE tunnel.
<netmask>: IP subnet mask.

ipv6 address X:X:X:X::X
IPv6 address of the Layer-3 GRE tunnel.
NOTE: This address can be configured only for a Layer-3 GRE tunnel (refer to the mode gre parameter below for details).

mtu <mtu>
MTU size for the interface.
Range: 1024 - 9216
Default: Enabled; IPv4: 1100, IPv6: 1500

no ...
Negates any configured parameter.

openflow-enable
Enables OpenFlow on the tunnel.
Default: Disabled

shutdown
Causes a hard shutdown of the interface.

trusted [vlan {add <word>}|{remove <word>}|<word>]
When Trusted is enabled: any device can send any traffic through the GRE tunnel without having to be authenticated. Trusted VLANs are supported on a single Layer-2 GRE tunnel.
Use vlan add <word> to add VLANs to the current trusted list, and vlan remove <word> to remove VLANs from the current trusted list.
NOTE: <word> represents a VLAN range.
When Trusted is disabled: any device that is a source of traffic sent through the tunnel must be authenticated before it can send that traffic. If the device is not authenticated, traffic from that device is subject to the restrictions of the Initial Role specified in the Wired Access AAA Profile. This is the default. Untrusted VLANs are supported on a single Layer-2 GRE tunnel.
For related information, see aaa authentication wired.
Default: Disabled

tunnel
Configures tunneling. The default is an IPv4 Layer-3 GRE tunnel.
Default: mode gre ip

tunnel destination <ip-addr>|{ipv6 <ipv6-addr>}
The destination IP address (IPv4 or IPv6) of the GRE tunnel endpoint.

tunnel keepalive icmp <ipaddr> <next-hop>
Enables sending periodic ICMP (ping) keepalive frames on the tunnel to determine the status of the tunnel (up or down).
<ipaddr>: IP address of the ping destination.
<next-hop>: Router IP address belonging to any of the L2 GRE tunnel VLANs. This parameter is mandatory only for L2 GRE tunnels.
Default: Disabled

tunnel keepalive cisco|{<interval> <retries>}
Enables sending of periodic keepalive frames on the tunnel to determine the tunnel status (up or down). You can optionally set the interval at which keepalive frames are sent, and the number of times the frames are resent before a tunnel is considered to be down.
NOTE: Executing the no tunnel keepalive command disables the keepalive frames, but retains the configured interval and retry values.
The cisco option enables keepalive interoperability for Layer-3 tunnels between managed devices and Cisco network devices. Aruba sets the keepalive packet's GRE protocol field to 0x801; however, Cisco sets the GRE protocol field to 0. When the cisco option is enabled, the Aruba managed device automatically sets the GRE protocol value to 0.
The <interval> option sets the number of seconds between keepalive frames. Range is 1 second to 86400 seconds; default is 10 seconds.
The <retries> option sets the number of consecutive times that the keepalives fail before the tunnel is considered to be down. Range is 0 to 1024; default is 3.
Default: Disabled

tunnel mode gre {ip|ipv6|<num>}
This parameter specifies the tunnel encapsulation method as GRE and lets you specify whether it is a Layer-2 or Layer-3 GRE tunnel.
ip: Specifies an IPv4 Layer-3 GRE tunnel. The protocol number is set to 0x0800 and is not configurable. Traffic is redirected into the tunnel using a static route or a session ACL policy. The managed device encapsulates the Layer-3 packet only.
ipv6: Specifies an IPv6 Layer-3 GRE tunnel. The protocol number is set to 0x86DD and is not configurable. Traffic is redirected into the tunnel using a static route or a session ACL policy. The managed device encapsulates the Layer-3 packet only.
<num>: A 16-bit protocol number that uniquely identifies a GRE tunnel. The number format is numeric. The managed devices at both endpoints of the tunnel must be configured with the same protocol number. The protocol number does not necessarily have to match the protocol number of the encapsulated frame. The managed device encapsulates the entire frame, including the Layer-2 header.

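The following is an added example, not ArubaOS code or anything from the Aruba documentation: a minimal GRE header builder and parser in Python that classifies a frame by the protocol-type values this page gives for mode gre (0x0800, 0x86DD, or a custom 16-bit number for Layer-2) and for the keepalive cisco option (0x801 versus 0), and checks whether the payload has the Layer-3 or Layer-2 shape the mode implies. The 14-byte Ethernet header check and the rule that a keepalive is only recognized when its protocol field matches the locally configured value are simplifying assumptions of the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# GRE protocol-type values named on this page.
PROTO_IPV4 = 0x0800             # tunnel mode gre ip   (Layer-3 tunnel, IPv4 payload)
PROTO_IPV6 = 0x86DD             # tunnel mode gre ipv6 (Layer-3 tunnel, IPv6 payload)
PROTO_ARUBA_KEEPALIVE = 0x0801  # Aruba keepalive frames
PROTO_CISCO_KEEPALIVE = 0x0000  # Cisco keepalive frames ("tunnel keepalive cisco")


@dataclass
class GreHeader:
    checksum_present: bool
    key_present: bool
    seq_present: bool
    version: int
    protocol: int
    key: Optional[int] = None


def build_gre(protocol: int, payload: bytes, key: Optional[int] = None) -> bytes:
    """Minimal RFC 2784/2890 GRE header (only the Key extension supported) + payload."""
    flags = 0x2000 if key is not None else 0          # K bit; C, S and version stay 0
    hdr = struct.pack("!HH", flags, protocol)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


def parse_gre(frame: bytes) -> Tuple[GreHeader, bytes]:
    """Parse a GRE header and return (header, payload); ValueError on truncated input."""
    if len(frame) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", frame[:4])
    c, k, s = bool(flags & 0x8000), bool(flags & 0x2000), bool(flags & 0x1000)
    off, key = 4, None
    if c:
        off += 4                                      # Checksum + Reserved1
    if k:
        if len(frame) < off + 4:
            raise ValueError("GRE key field truncated")
        key = struct.unpack("!I", frame[off:off + 4])[0]
        off += 4
    if s:
        off += 4                                      # Sequence Number
    if len(frame) < off:
        raise ValueError("GRE optional fields truncated")
    return GreHeader(c, k, s, flags & 0x7, proto, key), frame[off:]


def classify(protocol: int) -> str:
    """Map the protocol-type field to the tunnel mode or frame type this page describes."""
    if protocol == PROTO_IPV4:
        return "l3-ipv4"            # mode gre ip: only the Layer-3 packet is encapsulated
    if protocol == PROTO_IPV6:
        return "l3-ipv6"            # mode gre ipv6
    if protocol == PROTO_ARUBA_KEEPALIVE:
        return "keepalive-aruba"
    if protocol == PROTO_CISCO_KEEPALIVE:
        return "keepalive-cisco"
    return "l2-frame"               # mode gre <num>: whole frame, Layer-2 header included


def payload_consistent(hdr: GreHeader, payload: bytes) -> bool:
    """Check that the payload matches what the protocol field claims: first nibble is the
    IP version for the Layer-3 modes; for Layer-2 mode the payload must at least hold a
    14-byte Ethernet header (an assumption of this example, not stated by the CLI doc)."""
    kind = classify(hdr.protocol)
    if kind == "l3-ipv4":
        return len(payload) >= 20 and payload[0] >> 4 == 4
    if kind == "l3-ipv6":
        return len(payload) >= 40 and payload[0] >> 4 == 6
    if kind == "l2-frame":
        return len(payload) >= 14
    return True                     # keepalive frames: nothing to validate here


def keepalive_recognized(protocol: int, cisco_option: bool) -> bool:
    """Simplified interop model (an assumption of this example): a keepalive is only
    recognized when its protocol field equals the locally configured value, 0x801 by
    default and 0 once 'tunnel keepalive cisco' is set."""
    expected = PROTO_CISCO_KEEPALIVE if cisco_option else PROTO_ARUBA_KEEPALIVE
    return protocol == expected
```

Run keepalive_recognized(0, False) to see why a Cisco peer's keepalives are not accepted until the cisco option is set on the managed device.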
tunnel source {controller-ip | ipv6 {controller-ip|loopback|{vlan <vlanid>}|<ipv6-addr>} | loopback | vlan <vlanid> | <ip-addr>}
The local endpoint of the tunnel on the controller. This can be one of the following:
controller-ip: IPv4 address of the managed device.
ipv6: Specify one of the following IPv6 options:
  controller-ip: Specify the IPv6 address of the managed device.
  loopback: Specify the IPv6 loopback interface configured on the managed device.
  vlan <vlan-id>: Specify the VLAN interface ID.
  <ipv6-addr>: Specify the IPv6 address.
loopback: Specify the loopback interface configured on the managed device.
vlan <vlanid>: Specify the VLAN interface ID.
<ip-addr>: Specify an IPv4 address.

tunnel vlan {add <word>|remove <word>|<word>}
Specifies the VLANs to be included in this tunnel.
add <word>: The VLANs to be added to the current list. Separate the VLANs by a comma (,).
remove <word>: The VLANs to be removed from the current list. Separate the VLANs by a comma (,).
<word>: The VLANs that should be part of the current list. Separate the VLANs by a comma (,).
NOTE: You can configure a VLAN only if the tunnel mode is set to Layer-2 (mode gre <16-bit protocol number>). If the tunnel mode is not set to Layer-2 mode, the system displays an error message: Tunnel is an IP [v6] GRE Tunnel. Change the mode before adding this.

Usage Guidelines

You can configure a Layer-2 or Layer-3 GRE tunnel between an Aruba managed device and another GRE-capable device. The default is an IPv4 Layer-3 GRE tunnel (tunnel mode gre ip).

In Layer-3 GRE tunnels, IPv6 encapsulated in IPv4 and IPv4 encapsulated in IPv6 are not supported. The only Layer-3 GRE modes supported are IPv4 encapsulated in IPv4 and IPv6 encapsulated in IPv6.

You can direct traffic into the tunnel using a static route (by specifying the tunnel as the next hop for a static route) or a session-based ACL. For details, refer to Configuring GRE Tunnels.

Configuration Examples

Layer-2 GRE Tunnel

The following CLI commands configure a Layer-2 GRE tunnel:

MN-1 Configuration

(host) [mynode] (config)# interface tunnel 101

description "IPv4 Layer-2 GRE 101"

tunnel mode gre 1

tunnel source vlan 101

tunnel destination 192.168.1.1

tunnel keepalive

trusted

tunnel vlan 101

trusted vlan 101

MN-2 Configuration

(host) [mynode] (config)# interface tunnel 201

description "IPv4 Layer-2 GRE 201"

tunnel mode gre 1

tunnel source vlan 201

tunnel destination 192.168.2.1

tunnel keepalive

trusted

tunnel vlan 201

trusted vlan 201

IPv4 Layer-3 GRE Tunnel

The following CLI command examples configure a Layer-3 GRE tunnel for IPv4 between two managed devices.

MN-1 Configuration

(MN-1) (host) [mynode] (config) #interface tunnel 301

(host) [mynode] (config-submode) #description "IPv4 L3 GRE 301"

(host) [mynode] (config-submode) #tunnel mode gre ip

(host) [mynode] (config-submode) #ip address 192.1.1.1 255.255.255.255

(host) [mynode] (config-submode) #tunnel source vlan 301

(host) [mynode] (config-submode) #tunnel destination 20.20.20.249

(host) [mynode] (config-submode) #tunnel vlan 301

(host) [mynode] (config-submode) #trusted vlan 301

MN-2 Configuration

(MN-2) (host) [mynode] (config) #interface tunnel 401

(host) [mynode] (config-submode) #description "IPv4 L3 GRE 401"

(host) [mynode] (config-submode) #tunnel mode gre ip

(host) [mynode] (config-submode) #ip address 168.1.1.2 255.255.255.255

(host) [mynode] (config-submode) #tunnel source vlan 401

(host) [mynode] (config-submode) #tunnel destination 10.10.10.249

(host) [mynode] (config-submode) #tunnel vlan 401

(host) [mynode] (config-submode) #trusted vlan 401

IPv6 Layer-3 GRE Tunnel

The following CLI command examples configure a Layer-3 GRE tunnel for IPv6 between two managed devices.

MN-1 Configuration

(MN-1) (host) [mynode] (config) #interface tunnel 501

(host) [mynode] (config-submode) #description "IPv6 Layer-3 GRE 501"

(host) [mynode] (config-submode) #tunnel mode gre ipv6

(host) [mynode] (config-submode) #ip address 2001:1:2:1::1

(host) [mynode] (config-submode) #tunnel source vlan 501

(host) [mynode] (config-submode) #tunnel destination 2001:1:2:2020::1

(host) [mynode] (config-submode) #tunnel vlan 501

(host) [mynode] (config-submode) #trusted vlan 501

MN-2 Configuration

(MN-2) (host) [mynode] (config) #interface tunnel 601

(host) [mynode] (config-submode) #description "IPv6 Layer-3 GRE 601"

(host) [mynode] (config-submode) #tunnel mode gre ipv6

(host) [mynode] (config-submode) #ip address 2001:1:2:1::2

(host) [mynode] (config-submode) #tunnel source vlan 601

(host) [mynode] (config-submode) #tunnel destination 2001:1:2:1010::1

(host) [mynode] (config-submode) #tunnel vlan 601

(host) [mynode] (config-submode) #trusted vlan 601

Command History

ArubaOS 8.5.0.0: The keepalive icmp <ipaddr> <next-hop> parameter was introduced.

ArubaOS 8.4.0.0: Added the optional sub-parameters vlan {add <word>}|{remove <word>}|<word> to the trusted parameter.

ArubaOS 8.2.0.0: Updated the new syntax as access group in <acl-name>.

ArubaOS 8.0.0.0: Command introduced.

Command Information

Platforms: All platforms

License: Base operating system.

Command Mode: Config mode on Mobility Master.
