How to configure GRE Tunnel on Cisco IOS Router

Posted on April 10, 2013 by Rene Molenaar in CCNP R&S, Cisco

Tunneling is a concept where we put ‘packets into packets’ so that they can be transported over certain networks. We also call this encapsulation. A good example is when you have two sites with IPv6 addresses on their LAN but they are only connected to the Internet with IPv4 addresses. Normally it would be impossible for the two IPv6 LANs to reach each other, but by using tunneling the two routers will put IPv6 packets into IPv4 packets so that our IPv6 traffic can be routed on the Internet.

Another example is where we have an HQ and a branch site and you want to run a routing protocol like RIP, OSPF or EIGRP between them. We can tunnel these routing protocols so that the HQ and branch router can exchange routing information.

Basically when you configure a tunnel, it’s like you create a point-to-point connection between the two devices. GRE (Generic Routing Encapsulation) is a simple tunneling technique that can do this for us. Let me show you a topology that we will use to demonstrate GRE:

Above we have 3 routers connected to each other. On the left side we have the “HQ” router which is our headquarters. On the right side there is a “Branch” router that is supposed to be a branch office. Both routers are connected to the Internet; in the middle on top there is an ISP router. We can use this topology to simulate two routers that are connected to the Internet. The HQ and Branch router each have a loopback interface that represents the LAN.

Let me show you the basic configuration of these routers so that you can recreate it if you want:

HQ(config)#interface fastEthernet 0/0
HQ(config-if)#ip address 192.168.12.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#interface loopback0
HQ(config-if)#ip address 172.16.1.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#ip route 192.168.23.3 255.255.255.255 192.168.12.2

ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.12.2 255.255.255.0
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address 192.168.23.2 255.255.255.0

Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address 192.168.23.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.3.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 192.168.12.1 255.255.255.255 192.168.23.2

I created a static route on the HQ and Branch router so that they can reach each other through the ISP router. They will be unable to reach the networks on each other’s loopback interfaces however. Now let’s create a tunnel:

HQ(config)#interface tunnel 1
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.23.3
HQ(config-if)#ip address 192.168.13.1 255.255.255.0

Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.12.1
Branch(config-if)#ip address 192.168.13.3 255.255.255.0

You can pick any number for the tunnel interface that you like. We need to specify a source and destination IP address to build the tunnel and we’ll use the 192.168.13.0/24 subnet on the tunnel interface. Let’s verify that our tunnel is working:

HQ#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.13.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.12.1 (FastEthernet0/0), destination 192.168.23.3
  Tunnel protocol/transport GRE/IP

Branch#show interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 192.168.13.3/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.23.3 (FastEthernet0/0), destination 192.168.12.1
  Tunnel protocol/transport GRE/IP

Above you can see that the tunnel interface is up/up on both routers. The default tunneling mode is GRE. Let’s see if both routers can reach each other:

Branch#ping 192.168.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms

There we go…they can ping each other without any issues! So that wasn’t too bad right? Let’s see if we can enable a routing protocol so that we can advertise the loopback interfaces. I’ll use EIGRP for this:

HQ(config)#router eigrp 13
HQ(config-router)#no auto-summary
HQ(config-router)#network 192.168.13.0
HQ(config-router)#network 172.16.1.0

Branch(config)#router eigrp 13
Branch(config-router)#no auto-summary
Branch(config-router)#network 192.168.13.0
Branch(config-router)#network 172.16.3.0

I’ll activate EIGRP on the tunnel and loopback interfaces. You will see that both routers establish an EIGRP neighbor adjacency through the tunnel interface. Let’s check the routing tables:

HQ#show ip route eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.3.0 [90/297372416] via 192.168.13.3, 00:01:31, Tunnel1

Branch#show ip route eigrp
     172.16.0.0/24 is subnetted, 2 subnets
D       172.16.1.0 [90/297372416] via 192.168.13.1, 00:01:51, Tunnel1

As you can see, the two routers learned about each other’s networks. They will use the tunnel interface to reach each other. Let’s do a quick test:

HQ#ping 172.16.3.3 source loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.3.3, timeout is 2 seconds:
Packet sent with a source address of 172.16.1.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

A quick ping between the loopback interfaces proves that the two “LANs” can reach each other.

Be careful when you run a routing protocol on the tunnel interface as this can cause recursive routing issues. If you don’t know what this is, take a look at my recursive routing GRE tunnel article.

In case you are curious, let me show you what encapsulated packets look like in Wireshark:

Take a close look at the source and destination IP addresses. You can see the packet between 192.168.12.1 and 192.168.23.3 and inside you will find the IP packet between 172.16.1.1 and 172.16.3.3.

Note that GRE does tunneling for us but, unlike a VPN, doesn’t encrypt any traffic. IPsec is one of the protocols that can encrypt the packets within our tunnel.
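The encapsulation and the lack of encryption described above can be checked with a small decoder. This is an added example, not code from the original article: it parses a constructed GRE-in-IPv4 packet using the article's addresses and shows that the inner addresses and payload are readable by any device on the path. The function names and the sample payload are assumptions made for illustration.

```python
import socket
import struct

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) for an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("bad IPv4 length fields")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[ihl:total]

def parse_gre(data):
    """Parse a GRE header (RFC 2784/2890); return (protocol_type, key, payload)."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    key_off = 4 + (4 if flags & 0x8000 else 0)         # C bit: checksum + reserved
    end = key_off + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)  # K, S
    if len(data) < end:
        raise ValueError("truncated GRE optional fields")
    key = struct.unpack("!I", data[key_off:key_off + 4])[0] if flags & 0x2000 else None
    return ptype, key, data[end:]

def inspect_gre_packet(pkt):
    """Decode outer IPv4 -> GRE -> inner IPv4, as an on-path observer could."""
    o_src, o_dst, proto, body = parse_ipv4(pkt)
    if proto != 47:                                     # IP protocol 47 = GRE
        raise ValueError("outer packet does not carry GRE")
    ptype, key, inner = parse_gre(body)
    if ptype != 0x0800:                                 # EtherType for IPv4
        raise ValueError("inner protocol is not IPv4")
    i_src, i_dst, i_proto, data = parse_ipv4(inner)
    return {"outer": (o_src, o_dst), "gre_key": key,
            "inner": (i_src, i_dst), "inner_proto": i_proto, "inner_data": data}

# Constructed sample: ICMP echo request (checksum not computed) from the HQ loopback
# to the Branch loopback, wrapped in a plain GRE header and the outer IPv4 header.
ICMP_ECHO = bytes([8, 0, 0, 0, 0, 1, 0, 1]) + b"cleartext-payload"
SAMPLE = build_ipv4("192.168.12.1", "192.168.23.3", 47,
                    b"\x00\x00\x08\x00" + build_ipv4("172.16.1.1", "172.16.3.3", 1, ICMP_ECHO))

if __name__ == "__main__":
    print(inspect_gre_packet(SAMPLE))
```

The decoder recovers both address pairs and the payload without any key material, which is why the tunnel needs IPsec when the transit network is untrusted.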