interface tunnel

interface tunnel <number>
   autogenerate peer <peer-mac-address>
   description <string>
   inter-tunnel-flooding
   ip
      access group in <acl-name>
      address {internal | pool tunnel-pool <pool-name> |{<ipaddr> <netmask>}}
      ospf
         area <area-id>
         authentication message-digest
         cost <value>
         dead-interval <value>
         hello-interval <value>
         message-digest-key <id> <pwd>
         priority <value>
         retransmit-interval <value>
         transmit-delay <value>
   ipv6 address X:X:X:X::X
   mtu <mtu>
   no ...
   openflow-enable
   shutdown
   trusted [vlan add <word>|remove <word>|<word>]
   tunnel
      destination <ip-addr>|{ipv6 <ipv6-addr>}
      keepalive icmp <ipaddr> <next-hop>
      keepalive cisco|{<interval> <retries>}
      mode gre {ip|ipv6|<num>}
      source
         controller-ip
         ipv6 {controller-ip|loopback|{vlan <vlanid>}|<ipv6-addr>}
         loopback
         vlan <vlanid>
         <ip-addr>
      vlan add <word>|remove <word>|<word>

Description

This command configures a Layer-2 or Layer-3 GRE tunnel between a managed device and another GRE-capable device. The default is an IPv4 Layer-3 GRE tunnel (tunnel mode gre ip).

In Layer-3 GRE tunnels, IPv6 encapsulated in IPv4 and IPv4 encapsulated in IPv6 are not supported. The only Layer-3 GRE modes supported are IPv4 encapsulated in IPv4 and IPv6 encapsulated in IPv6.

You can direct traffic into the tunnel using a static route (by specifying the tunnel as the next hop for a static route) or a session-based ACL.

Parameter

Description

<number>

Tunnel Identification number.

The tunnel ID used here does not have to match the tunnel ID used in the other managed device.

Range: 1-16777215

autogenerate peer <peer-mac-address>

Auto generates the tunnel endpoint for the specified peer device.

description

String that describes this tunnel.

inter-tunnel-flooding

Enables inter-tunnel flooding.

Default: Enabled

ip access group in <acl-name>

Attaches a route ACL to an L3 GRE tunnel interface.

When you associate a routing ACL with inbound traffic on a managed device terminating an L3 GRE tunnel, that ACL can forward traffic as normal, route traffic to a nexthop router on a nexthop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see ip access-list route.

ip address {internal | pool tunnel-pool <pool-name> |{<ipaddr> <netmask>}}

IP address of the Layer 3 tunnel. This represents the entrance to the tunnel.

NOTE: This address should be a unique, non-routable IP address.

Enter one of the following values:

  • internal: IP address is allocated from the Remote-Node pool.
  • pool tunnel-pool <pool-name>: IP address is allocated from the specified tunnel pool.
  • <ipaddr>: An IPv4 address.

NOTE: The IP address should not be part of any subnet in your network, nor does it have to be routable in your network. It is used as a gateway for routing your private subnets (i.e., non-routable VLANs) within the GRE tunnel.

  • <netmask>: IP subnet mask.

ipv6

IPv6 address of the Layer-3 GRE tunnel.

NOTE: This IP address can be configured only for a Layer-3 GRE tunnel (refer to the "mode gre" parameter below for details).

mtu

MTU size for the interface.

Range: 1024 - 9216

Default: Enabled, IPv4: 1100, IPv6: 1500

no

Negates any configured parameter.

openflow-enable

Enables OpenFlow on the tunnel.

Default: Disabled

shutdown

Causes a hard shutdown of the interface.

trusted [vlan {add <word>}|{remove <word>}|<word>]

When Trusted is enabled:
Any device can send any traffic through the GRE tunnel without having to be authenticated. Trusted VLANs are supported on a single Layer-2 GRE tunnel.

Use vlan add <word> to add VLANs to the current trusted list.

Default: Disabled

NOTE: <word> represents a VLAN range.

Use vlan remove <word> to remove VLANs from the current trusted list.

NOTE: <word> represents a VLAN range.

When Trusted is disabled:
Any device that sources traffic sent through the tunnel must be authenticated before it can send that traffic. If the device is not authenticated, its traffic is subject to the restrictions of the Initial Role specified in the Wired Access AAA Profile. This is the default. Untrusted VLANs are supported on a single Layer-2 GRE tunnel.

For related information, see aaa authentication wired.

tunnel

Configures tunneling. The default is an IPv4 Layer-3 GRE tunnel.

Default: mode gre ip

destination <ip-addr>|{ipv6 <ipv6-addr>}

The destination IP address (IPv4 or IPv6) for the GRE tunnel endpoint.

keepalive icmp

Enables sending periodic ICMP (ping) keepalive frames on the tunnel to determine the status of the tunnel (up or down).

Default: Disabled

<ipaddr>

IP address of the ping destination.

<next-hop>

Router IP address belonging to any of the L2 GRE tunnel VLANs. This parameter is mandatory only for an L2 GRE tunnel.

Default: Disabled

keepalive cisco|{<interval> <retries>}

Enables sending of periodic keepalive frames on the tunnel to determine the tunnel status (up or down).

You can optionally set the interval at which keepalive frames are sent, and the number of times the frames are resent before a tunnel is considered to be down.

Default: Disabled

NOTE: Executing the no tunnel keepalive command disables the keepalive frames, but retains the configured interval and retry values.

The <cisco> option enables keepalive interoperability for Layer-3 tunnels between managed devices and Cisco network devices. Aruba sets the keepalive packet’s GRE protocol field to 0x801; however, Cisco sets the GRE protocol field to 0. When the cisco option is enabled, the Aruba managed device automatically sets the GRE protocol value to 0.

The <interval> option sets the number of seconds at which the keepalive frames are sent. Range is 1 second to 86400 seconds and default is 10 seconds.

The <retries> option sets the number of consecutive times that the keepalives fail before the tunnel is considered to be down. Range is 0 to 1024 and default is 3.

mode gre {ip|ipv6|<num>}

This parameter specifies the tunnel encapsulation method as GRE and allows you to specify whether it is a Layer-2 or Layer-3 GRE tunnel.

ip: Specifies an IPv4 Layer-3 GRE tunnel. The protocol number is set to 0x0800 and is not configurable. Traffic is redirected into the tunnel using a static route or a session ACL policy. The managed device encapsulates the Layer-3 packet only.

ipv6: Specifies an IPv6 Layer-3 GRE tunnel. The protocol number is set to 0x86DD and is not configurable. Traffic is redirected into the tunnel using a static route or a session ACL policy. The managed device encapsulates the Layer-3 packet only.

<num>: A 16-bit protocol number that uniquely identifies a GRE tunnel. The number format is numeric. The managed devices at both endpoints of the tunnel must be configured with the same protocol number. The protocol number does not necessarily have to match the protocol number of the encapsulated frame. The managed device encapsulates the entire frame, including the Layer-2 header.

source

controller-ip

ipv6 {controller-ip|loopback|{vlan <vlanid>}|<ipv6-addr>}

loopback

{vlan <vlanid>}

<ip-addr>

The local endpoint of the tunnel on the controller. This can be one of the following:

controller-ip: IPv4 address of the managed device.

ipv6: Specify one of the following IPv6 options:

  • controller-ip: Specify the IPv6 address of the managed device.
  • loopback: Specify the IPv6 loopback interface configured on the managed device.
  • vlan <vlanid>: Specify the VLAN interface ID.
  • <ipv6-addr>: Specify the IPv6 address.

loopback: Specify the loopback interface configured on the managed device.

vlan <vlanid>: Specify the VLAN interface ID.

<ip-addr>: Specify an IPv4 address.

vlan {add <word>|remove <word>|<word>}

Specify the VLANs to be included in this tunnel.

  • add <word>: The VLANs to be added to the current list. Separate the VLANs with a comma (,).
  • remove <word>: The VLANs to be removed from the current list. Separate the VLANs with a comma (,).
  • <word>: The VLANs that should be part of the current list. Separate the VLANs with a comma (,).

NOTE: You can configure a VLAN only if the tunnel mode is set to Layer-2 (mode gre <16-bit protocol number>). If the tunnel mode is not set to Layer-2 mode, the system displays an error message: Tunnel is an IP [v6] GRE Tunnel. Change the mode before adding this.

Examples

Layer-2 GRE Tunnel

The following CLI command configures a Layer-2 GRE tunnel:

MN-1 Configuration

(host) [mynode] (config)# interface tunnel 101
    description "IPv4 Layer-2 GRE 101"
    tunnel mode gre 1
    tunnel source vlan 101
    tunnel destination 192.168.1.1
    tunnel keepalive
    trusted
    tunnel vlan 101
    trusted vlan 101

MN-2 Configuration

(host) [mynode] (config)# interface tunnel 201
    description "IPv4 Layer-2 GRE 201"
    tunnel mode gre 1
    tunnel source vlan 201
    tunnel destination 192.168.2.1
    tunnel keepalive
    trusted
    tunnel vlan 201
    trusted vlan 201

IPv4 Layer-3 GRE Tunnel

The following CLI command examples configure a Layer-3 GRE tunnel for IPv4 between two managed devices.

MN-1 Configuration

(MN-1) (host) [mynode] (config) #interface tunnel 301
(host) [mynode] (config-submode) #description "IPv4 L3 GRE 301"
(host) [mynode] (config-submode) #tunnel mode gre ip
(host) [mynode] (config-submode) #ip address 192.1.1.1 255.255.255.255
(host) [mynode] (config-submode) #tunnel source vlan 301
(host) [mynode] (config-submode) #tunnel destination 20.20.20.249
(host) [mynode] (config-submode) #tunnel vlan 301
(host) [mynode] (config-submode) #trusted vlan 301

MN-2 Configuration

(MN-2) (host) [mynode] (config) #interface tunnel 401
(host) [mynode] (config-submode) #description "IPv4 L3 GRE 401"
(host) [mynode] (config-submode) #tunnel mode gre ip
(host) [mynode] (config-submode) #ip address 168.1.1.2 255.255.255.255
(host) [mynode] (config-submode) #tunnel source vlan 401
(host) [mynode] (config-submode) #tunnel destination 10.10.10.249
(host) [mynode] (config-submode) #tunnel vlan 401
(host) [mynode] (config-submode) #trusted vlan 401

IPv6 Layer-3 GRE Tunnel

The following CLI command examples configure a Layer-3 GRE tunnel for IPv6 between two managed devices.

MN-1 Configuration

(MN-1) (host) [mynode] (config) #interface tunnel 501
(host) [mynode] (config-submode) #description "IPv6 Layer-3 GRE 501"
(host) [mynode] (config-submode) #tunnel mode gre ipv6
(host) [mynode] (config-submode) #ipv6 address 2001:1:2:1::1
(host) [mynode] (config-submode) #tunnel source vlan 501
(host) [mynode] (config-submode) #tunnel destination ipv6 2001:1:2:2020::1
(host) [mynode] (config-submode) #tunnel vlan 501
(host) [mynode] (config-submode) #trusted vlan 501

MN-2 Configuration

(MN-2) (host) [mynode] (config) #interface tunnel 601
(host) [mynode] (config-submode) #description "IPv6 Layer-3 GRE 601"
(host) [mynode] (config-submode) #tunnel mode gre ipv6
(host) [mynode] (config-submode) #ipv6 address 2001:1:2:1::2
(host) [mynode] (config-submode) #tunnel source vlan 601
(host) [mynode] (config-submode) #tunnel destination ipv6 2001:1:2:1010::1
(host) [mynode] (config-submode) #tunnel vlan 601
(host) [mynode] (config-submode) #trusted vlan 601
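An offline check of a tunnel stanza against the constraints stated in the parameter descriptions above (address family per keyword and per Layer-3 mode, MTU and keepalive ranges, VLANs only on Layer-2 tunnels, and trusted tunnels passing unauthenticated traffic). This is an added example, not part of the ArubaOS documentation; the helper name audit_tunnel, the finding texts, and the sample stanza are constructed for illustration.

```python
import ipaddress

# Constructed stanza (CLI prompts stripped, documentation-range addresses).
SAMPLE = """\
interface tunnel 701
 tunnel mode gre ipv6
 ip address 2001:db8:1::1
 tunnel destination 192.0.2.10
 mtu 900
 tunnel keepalive 5 2000
 tunnel vlan 701
 trusted
"""

def _family(token):
    """Return 4 or 6 if token is an IP address, else None."""
    try:
        return ipaddress.ip_address(token).version
    except ValueError:
        return None

def audit_tunnel(stanza):
    """Hypothetical helper: list findings for one 'interface tunnel' stanza."""
    rows = [line.split() for line in stanza.splitlines() if line.strip()]
    modes = [w[3] for w in rows if w[:3] == ["tunnel", "mode", "gre"] and len(w) > 3]
    mode = modes[-1] if modes else "ip"  # documented default: mode gre ip
    layer3 = mode in ("ip", "ipv6")      # any other value is a Layer-2 protocol number
    want = 6 if mode == "ipv6" else 4    # Layer-3: only v4-in-v4 and v6-in-v6
    out = []
    for w in rows[1:]:
        addr = next((f for f in map(_family, w) if f), None)
        if w[0] in ("ip", "ipv6") and w[1:2] == ["address"] and addr:
            if addr != (6 if w[0] == "ipv6" else 4):
                out.append(f"'{w[0]} address' carries an IPv{addr} address")
            elif layer3 and addr != want:
                out.append(f"IPv{addr} tunnel address on 'mode gre {mode}'")
        elif w[:2] == ["tunnel", "destination"] and layer3 and addr and addr != want:
            out.append(f"IPv{addr} destination on 'mode gre {mode}'")
        elif w[0] == "mtu" and len(w) > 1 and not 1024 <= int(w[1]) <= 9216:
            out.append("mtu outside 1024-9216")
        elif w[:2] == ["tunnel", "keepalive"] and len(w) == 4 and w[2].isdigit():
            if not (1 <= int(w[2]) <= 86400 and 0 <= int(w[3]) <= 1024):
                out.append("keepalive interval/retries outside 1-86400 / 0-1024")
        elif w[:2] == ["tunnel", "vlan"] and layer3:
            out.append("tunnel vlan needs Layer-2 mode (mode gre <num>)")
        elif w[0] == "trusted":
            out.append("trusted: tunnel traffic is accepted without authentication")
    return out
```

Calling audit_tunnel(SAMPLE) returns one finding per offending line, in stanza order; a stanza that stays within the documented limits returns an empty list.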

Command History

Release            Modification
ArubaOS 8.5.0.0    The keepalive icmp <ipaddr> <next-hop> parameter was introduced.
ArubaOS 8.4.0.0    Added the optional sub-parameters vlan {add <word>}|{remove <word>}|<word> to the trusted parameter.
ArubaOS 8.2.0.0    Updated the new syntax as access group in <acl-name>.
ArubaOS 8.0.0.0    Command introduced.

Command Information

Platforms        License                   Command Mode
All platforms    Base operating system.    Config mode on Mobility Conductor.