Best practice – GRE Tunnels, specific routes

I’ve known this one for a long time, but once in a great while, I set one up and forget to do this.  I know what I did wrong the instant I see this error…

%TUN-5-RECURDOWN: Tunnel0 temporarily disabled due to recursive routing

The message varies by platform but it all means the same thing.  Let’s take a look at a quick example so you see what I mean…


Let’s say you have a design like this.  The top router is going to have DHCP enabled on its southern interface and learn an IP address from a cable modem with an active internet connection.  When it learns an IP (provided the default gateway option is set in the DHCP response) the router will insert a static 0’s route called a ‘floating static’.  That is, the admin distance of the route is set to 254.  Let’s also say that the bottom router sits in a data center and serves as some sort of VPN gateway for these remote routers.

Now let’s say that we want to GRE peer the two routers for the purpose of advertising routes from the data center to the top router through EIGRP (or any other routing protocol).  Since the top router is the ‘end’ of the network infrastructure, we can safely just advertise a 0’s route to the top router from the bottom router so all of the traffic will come down and take the more specific prefixes that the bottom router knows about.

Pretty straightforward, right?  The instant you turn this up, it will break.  Why?  Because you are learning a better route to your GRE peer through the GRE tunnel itself.  The bottom router will advertise a 0’s route with a better admin distance to the top router.  The top router will try to install that route in its FIB and then realize that this better route supersedes the route it used to build the GRE tunnel.  Not only that, but it’s through the GRE tunnel.  That can’t happen.  You are trying to maintain a GRE tunnel through the GRE tunnel at this point.

So the best practice?  A static /32 route for your GRE peer on the top router.  That way, we can still learn any route from the bottom router and still know how to get to the GRE tunnel destination.  A Cisco doc about this here…
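
The failure and the fix, modelled as an added example (not from the original post or from Cisco): a small Python routing table with admin distance and longest-prefix match that checks whether the tunnel destination resolves through the tunnel itself. The peer address (a documentation range), the interface names and the EIGRP distance of 90 are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values: documentation address, assumed interface names.
TUNNEL_IF = "Tunnel0"
WAN_IF = "Gi0/1"
TUNNEL_DEST = ipaddress.ip_address("203.0.113.10")

def install(rib, prefix, distance, out_if):
    """Install a route; for the same prefix the lower admin distance wins."""
    net = ipaddress.ip_network(prefix)
    current = rib.get(net)
    if current is None or distance < current[0]:
        rib[net] = (distance, out_if)

def lookup(rib, addr):
    """Longest-prefix match; returns (network, distance, out_if) or None."""
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    return (best, *rib[best])

def tunnel_is_recursive(rib, dest=TUNNEL_DEST, tunnel_if=TUNNEL_IF):
    """True when the tunnel destination is reached via the tunnel itself."""
    hit = lookup(rib, dest)
    return hit is not None and hit[2] == tunnel_if

def build_rib(with_host_route):
    """Top router's table after the tunnel comes up and EIGRP converges."""
    rib = {}
    # Floating static default learned from DHCP, admin distance 254.
    install(rib, "0.0.0.0/0", 254, WAN_IF)
    if with_host_route:
        # The best practice: static /32 for the GRE peer out the WAN side.
        install(rib, f"{TUNNEL_DEST}/32", 1, WAN_IF)
    # Default advertised by the data center router over the tunnel
    # (assumed EIGRP internal route, admin distance 90).
    install(rib, "0.0.0.0/0", 90, TUNNEL_IF)
    return rib

if __name__ == "__main__":
    for fixed in (False, True):
        rib = build_rib(fixed)
        state = "recursive" if tunnel_is_recursive(rib) else "ok"
        print(f"static /32 present={fixed}: tunnel destination is {state}")
```

With the /32 in place the peer still resolves out the physical interface, while every other destination follows the default learned through the tunnel.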
