When you want to join two networks together, one option you may investigate is a tunnel. GRE, or Generic Routing Encapsulation, is one of the technologies that we use to build these tunnels.
A great example of this is when you have two co-operative offices, which are separated by the internet. They may decide to build a GRE tunnel across the internet to provide connectivity.
GRE is not the only method of tunnelling, but it does have some advantages over some other technologies. For one, it is defined in RFC2784, so any vendor can support it. Also, it supports multicast packets, which means it can be used with dynamic routing protocols (unlike IPSec tunnels, for example).
GRE is also lightweight, in that it does not have any built-in encryption, making it very easy to configure. If you need encryption, it’s not difficult to add a layer of IPSec to the tunnel. This combines the advantages of GRE with the advantages of IPSec.
What are GRE Tunnels Used For?
Another use is within the private network. You may have a case where there are many hops to travel over, but your IGP has a hop limit. RIP is an example of an IGP with this limitation. In this case, just build a tunnel across the network, and the IGP won’t see as many hops.
You may also have a case where you need to connect different ‘islands’ within your network. Perhaps you have business units or tenants that exist in different areas. GRE is a simple way to connect them. This also works during a migration to IPv6, where parts of your network have been migrated, and other parts have not.
A case that you may not have thought of is connecting to a DDoS mitigation service. If you use a provider like Akamai to mitigate DDoS attacks, you will connect to them with a GRE tunnel. Inbound traffic flows to them first, DDoS traffic is removed, and legitimate traffic is forwarded to your network over the tunnel.
A final advantage that we touched on before is carrying traffic types that may not be supported by the network. Think of a WAN network that does not support multicast. How do you configure dynamic routing? Simply configure GRE tunnels, which can carry multicast traffic, including dynamic routing.
We’ll start with an example. We have a network of 4 routers. Two of these routers are on the edge of the network, and two are in the core. Routing is configured so one edge router can reach through to the other.
We’ve decided that the edge routers need to communicate directly with each other, so the traffic they pass does not see the core routers.
To achieve this, we’re going to use a GRE tunnel. Each edge router is configured with a Virtual Tunnel Interface (VTI). This is quite different to some other VPNs you may have seen (like the ASA), which use policies to tunnel traffic instead of using interfaces.
The VTI is configured with a destination address. This is the IP of the router at the other end of the tunnel. We’ll look at how this is configured soon.
The core routers are known as the underlay network. This is responsible for taking GRE packets and transporting them from one side of the network to the other.
The tunnel itself is the overlay network. Packets passing through the overlay network are unaware of the routers in the underlay.
Traffic that needs to pass from one edge router to the other is passed over the tunnel. To make this possible, each packet is encapsulated with two headers.
First, a GRE header is added. This includes information about the encapsulated data, such as the protocol used. For example, it may say that the payload is using IPv4.
Next, an outer IP header is added. This is used to deliver the encapsulated packets across the underlay network.
Thanks to the encapsulation process, the original payload and inner IP header are not changed by any hop in the underlay. This is why the underlay is invisible to any traffic in the overlay (in the tunnel). Normal routing transports traffic through the underlay.
Let’s look at it from another perspective. In our case, two workstations need to communicate. The edge routers build the GRE tunnel across the core network.
The edge router on the left uses 10.10.10.10 as its ‘real’ IP address, while the edge router on the right uses 10.20.20.20.
They both use IPs in the 192.168.1.0 network for the tunnel.
The packets follow these steps:
- The workstation on the left sends some data over the network. The packets arrive at the edge router
- The router looks at the routing table and determines that the tunnel interface has the best route to the destination, with 192.168.1.2 as the next hop
- The tunnel interface adds the GRE header, then the outer IP header. The outer IP header uses 10.10.10.10 as the source and 10.20.20.20 as the destination
- The encapsulated packet is forwarded out a real interface across the network
- The packet travels through the underlay. This behaves just like a normal packet travelling across the core
- The encapsulated packet arrives at the destination router, on the real interface
- The router sees that this is destined for the tunnel interface. The outer IP header and the GRE header are now removed
- The router forwards the decapsulated traffic to the destination workstation
When the workstation on the right replies, the process will be the same.
From the workstation’s perspective, it will not see the core routers. If you run a traceroute, you would see:
- The left edge router
- The tunnel IP of the right edge router
- The workstation on the right
The first step is to create the VTI with the interface tunnel 0 command. You can select any number you want for the tunnel interface. They are numbered simply because you may have more than one tunnel configured.
Next, we need to set the IP address of the tunnel interface. This is done just like a regular interface.
Remember how we add more headers to the packet? This will change the maximum packet size that can pass over the tunnel. The GRE header is 4 bytes, and the outer IP header is 20 bytes, so we need to take the MTU of our real interface (commonly 1500), and subtract 24 bytes. This leaves us with an MTU of 1476.
Then, we want to adjust our MSS. This is used to help devices in the entire path to adjust their segment size to avoid fragmentation. This means that we subtract an additional 40 bytes, making the MSS 1436.
Also, take note that we’re not doing encryption in this example. If we do encryption (which we will discuss in another article), we will need to account for the IPSec headers as well.
Finally, we need to set the source IP or interface that is used when building the tunnel. This is the ‘real’ interface on the router.
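As an added example (not from the original article), here is a small Python model of the encapsulation steps and the MTU/MSS arithmetic above: it wraps an inner IPv4 packet in the outer IPv4 header (protocol 47) and the 4-byte GRE header, strips them again the way the far-end router does, and derives 1476 and 1436 from a 1500-byte interface MTU. The workstation addresses 192.168.10.5 and 192.168.20.5 are assumed; the inner packet is constructed for the demonstration.

```python
import struct

GRE_HEADER_LEN = 4       # base GRE header (RFC 2784): flags/version + protocol type
IPV4_HEADER_LEN = 20     # IPv4 header without options (used for outer and inner)
TCP_HEADER_LEN = 20      # TCP header without options, used for the MSS derivation
IPPROTO_GRE = 47         # protocol number the outer IP header carries for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type announcing an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an even-length IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                      0, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP (proto 47) + 4-byte GRE header + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S flags, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, GRE_HEADER_LEN + len(inner))
    return outer + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip outer IP + GRE, refusing anything that is not plain GRE-over-IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer header is not GRE (protocol 47)")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + GRE_HEADER_LEN])
    if flags != 0 or proto != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header (flags set or non-IPv4 payload)")
    return packet[ihl + GRE_HEADER_LEN:]

def tunnel_mtu(real_mtu: int = 1500) -> int:
    """Tunnel MTU: real interface MTU minus the 24 bytes of outer IP + GRE."""
    return real_mtu - (IPV4_HEADER_LEN + GRE_HEADER_LEN)

def tunnel_mss(real_mtu: int = 1500) -> int:
    """TCP MSS: tunnel MTU minus another 40 bytes for the inner IP and TCP headers."""
    return tunnel_mtu(real_mtu) - (IPV4_HEADER_LEN + TCP_HEADER_LEN)

# Constructed sample: inner IPv4/TCP packet (zeroed TCP header + 12 dummy bytes) between assumed hosts
INNER = ipv4_header("192.168.10.5", "192.168.20.5", 6, TCP_HEADER_LEN + 12) + b"\x00" * 32
ENCAPSULATED = gre_encapsulate(INNER, "10.10.10.10", "10.20.20.20")
```

The 24 bytes of overhead that tunnel_mtu() subtracts are exactly the growth from INNER to ENCAPSULATED; any IPSec headers added later would have to be subtracted on top of that.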
The destination router’s IP also needs to be set up.
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 10.10.10.10
 tunnel destination 10.20.20.20
The corresponding config is done on the other router as well.
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 ip mtu 1476
 ip tcp adjust-mss 1436
 tunnel source 10.20.20.20
 tunnel destination 10.10.10.10
Check that the tunnel interface is up.
Edge-1#show ip interface br
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  administratively down down
GigabitEthernet0/1     unassigned      YES unset  administratively down down
GigabitEthernet0/2     10.10.10.10     YES manual up                    up
Tunnel0                192.168.1.1     YES manual up                    up
Confirm that the tunnel is in the local routing table.
Edge-1#show ip route
Gateway of last resort is 10.10.10.11 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.10.11
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, GigabitEthernet0/2
L        10.10.10.10/32 is directly connected, GigabitEthernet0/2
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Tunnel0
L        192.168.1.1/32 is directly connected, Tunnel0
And finally, confirm that we can ping across the tunnel.
Edge-1#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/7 ms
Now that the basic config is done, we can continue with any additional config that we may need. This may include:
- VRF configuration
- QoS configuration
- Dynamic routing
Remember that the tunnel interface behaves like any other interface. That means that you can apply any config to it that you would to a real interface.
Let’s have a quick look at dynamic routing to see it in action. Just configure simple OSPF commands on both the edge routers.
router ospf 10
 network 192.168.1.0 0.0.0.255 area 0
As you can see, OSPF comes up without any need to configure the core. The core is effectively transparent to OSPF in this example.
Edge-1#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
192.168.1.2       0   FULL/  -        00:00:36    192.168.1.2     Tunnel0