Cisco® CCNP Route Exam Notes : Configure And Verifying GRE

4. VPN Technologies

4.1 Configure and verify GRE

Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called as the passenger protocol, and the protocol that is used for carrying the passenger protocol is called as the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. IPv6 traffic can be carried over IPv4 GRE tunnels using the standard GRE tunneling technique. The tunnels are not tied to a specific passenger or transport protocol, but in this case, carry IPv6 as the passenger protocol with the GRE as the carrier protocol and IPv4 or IPv6 as the transport protocol. The primary use of GRE tunnels is for stable connections that require regular secure communication between two edge routers or between an edge router and an end system. The edge routers and the end systems must be dual-stack implementations.

When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec

A drawback of IPSec is it does not support multicast traffic. But most popular routing protocols nowadays rely on multicast (like OSPF, EIGRP, RIP except BGP) to send their routing updates. A popular solution to this is using GRE tunnels. GRE tunnels do support transporting IP multicast and broadcast packets to the other end of the GRE tunnel. Non-IP traffic (such as IPX, AppleTalk) can be wrapped inside GRE encapsulation and then this packet is subjected to IPSec encapsulation so all traffic can be routed

Advantages of GRE tunnels include the following:

  • GRE tunnels encase multiple protocols over a single-protocol backbone.
  • GRE tunnels provide workarounds for networks with limited hops.
  • GRE tunnels connect discontinuous sub-networks.
  • GRE tunnels allow VPNs across wide area networks (WANs).

While GRE provides a stateless, private connection, it is not considered a secure protocol because it does not use encryption like the IP Security (IPSec) Encapsulating Security Payload (ESP), defined by RFC 2406

Configuring GRE Tunnel: Configuring a GRE tunnel involves creating a tunnel interface, which is a logical interface. Then you must configure the tunnel endpoints for the tunnel interface. Refer below fig

Configuring GRE Tunnel

As seen, the GRE tunnel configuration at the minimum involves configuring the IP addresses at the Branch, HQ, and the ISP. Then, configuring the tunnel interfaces at the HQ and the Branch.

Configuration on HQ router:

HQ(config)#interface fastEthernet 0/0 
HQ(config-if)#ip address
HQ(config)#interface loopback0
HQ(config-if)#ip address
HQ(config)#ip route
HQ(config)#interface tunnel
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination
HQ(config-if)#ip address

Configuration on Branch office router:

Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address
Branch(config)#interface loopback 0
Branch(config-if)#ip address
Branch(config)#ip route
Branch(config)#interface tunnel 9
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination
Branch(config-if)#ip address

Configuration on ISP router:

ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address

ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address

Four steps to configure GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.

2. Create the GRE tunnel interfaces.

3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.

4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

An example of configuring GRE Tunnel is shown below:

interface Tunnel0

ip address

tunnel source FastEthernet1/0

tunnel destination

tunnel mode gre ip

Note: The last command is enabled by default so we can ignore it in the configuration)

Previous   Contents   Next

CCNP Route Cram Notes Contents
certexams ad

simulationexams ad