How to configure GRE Tunnel on Cisco IOS Router

(Rene Molenaar) #47

Hi Cristian,

Do you mean to access the consoles? I used Xshell for a while but nowadays I use SecureCRT for everything.

Rene

0 Likes

(Nanu N) #48

Hi Rene,

In the above example, when we ping the Branch loopback 172.16.3.3 from HQ without specifying any source in the ping command, I can see in Wireshark that the source IP of the ICMP ping packet is the IP address of the tunnel interface, i.e. 192.168.13.1, and the same is true of the EIGRP Hello packet.

So can we say that any packet going out of f0/0 of R1 will have source IP 192.168.13.1 (i.e. the IP address of the tunnel for which f0/0 is configured as source), as we have configured f0/0 as the tunnel source?

And also I think we cannot configure one interface as a source for more than one tunnel…right?

Regards,
Nanu

0 Likes

(Andrew P) #49

Hi Nanu,

So can we say that any packet going out of f0/0 of R1 will have source IP 192.168.13.1 (i.e. IP address of tunnel for which f0/0 is configured as source)?

The answer to this is No. A simple counter-example would be any packet going from HQ to the ISP. Presumably, the ISP has no idea that the Tunnel IP space exists, so the packet must be sourced from 192.168.12.1. The key for HQ figuring out whether to use the 192.168.12.1 or 192.168.13.1 address would be what its routing table says is the next hop of the destination. If the next hop is in the Tunnel address space, it will use that.

I think we cannot configure one interface as a source for more than one tunnel…right?

You are correct. While you can have a single interface be the source of a tunnel with multiple destinations (DMVPN does this), technically, this is just a single tunnel. In order to have multiple tunnels, you will need to create loopbacks and source the tunnels from there.

0 Likes

(Nanu N) #50

Hi Andrew,

Your explanation has cleared my doubts…thanks a lot…

Regards,
Nanu

0 Likes

(Trevor H) #51

Rene

Will you do / explain how to do this lab with the IGP being iBGP, with the loopbacks being redistributed into BGP?

Thank you.

Trevor

0 Likes

(Rene Molenaar) #52

Hi Trevor,

The goal of this example is to demonstrate how GRE tunneling works; you could use any other routing protocol. Here’s a quick example, though, of how you can use BGP instead.

First we create an access-list that matches the loopback interface and we create a route-map:

R1(config)#ip access-list standard L0
R1(config-std-nacl)#permit 172.16.1.0 0.0.0.255

R1(config)#route-map L0_ONLY permit 10
R1(config-route-map)#match ip address L0

Now you can configure BGP, configure the remote neighbor and redistribute only the loopback interface:

R1(config)#router bgp 13
R1(config-router)#neighbor 192.168.13.3 remote-as 13
R1(config-router)#redistribute connected route-map L0_ONLY

Hope this helps!

Rene

0 Likes

(Vitaly K) #54

Hello Rene,

I was not able to advertise Lo via the tunnel EIGRP process with the given /24 config of yours. I fixed it using a /32 prefix. It seems loopbacks can't build an adjacency until a 32-bit prefix is configured on the loopback interface. Also, I successfully used MLPPP as a source on one side of the setup and tested tunnel stability when I flapped one of the PPP links.

0 Likes

(Rene Molenaar) #55

Hi Vitaly,

The loopbacks won’t affect your neighbor adjacency whatsoever. The neighbor adjacency is established on the tunnel interface so any other interfaces don’t have any effect on it. It won’t matter if you use a /24 or /32 on the loopback interfaces.

Do you still have your config with the /24s on the loopback that is not working?

Rene

0 Likes

(Ishan P) #56

Hi,

How would a router, in this example HQ or Branch, know to send packets to the GRE application to encapsulate those inner packets within the GRE header? Another way to interpret the question is: how does the control plane of GRE work, and is there a way so that only some of the hosts behind the HQ/Branch use the GRE tunnel while others do not use the tunnel and send their packets using traditional routing (w/o tunneling)?

Thanks.

0 Likes

(Rene Molenaar) #57

Hello Ishan,

When the router receives a packet, it checks the destination and does a lookup in the routing table. It finds that the outgoing interface is the tunnel interface, checks the encapsulation type of the tunnel and does its job.

For example, the HQ router receives a packet that is destined to 172.16.3.3. In the routing table, the outgoing interface is the Tunnel1 interface, which means the router has to add a GRE header.

The outer IP header has a destination IP address of 192.168.23.3 so the HQ router does another lookup in the routing table, figures out that 12.2 is the next hop and forwards the IP packet to the ISP router.

The default routing table is global so if you create an entry, it applies to all packets. However, you can use policy-based routing to tell the router that certain packets should be forwarded on another interface. Here’s an example:

0 Likes
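The forwarding decision described in replies #49 and #57, modelled as an added Python example (not code from the lesson or from any poster): a longest-prefix lookup selects the egress interface, the default source address is that interface's address, and a route pointing at the tunnel triggers GRE encapsulation followed by a second lookup on the outer header. The /24 masks on the connected networks and the 172.16.3.0/24 EIGRP route are assumptions; the addresses and interface names are the ones used in the thread.

```python
import ipaddress

# HQ's view, using the thread's addresses. Assumptions for this model: /24 masks
# on the connected networks and an EIGRP-learned 172.16.3.0/24 via the tunnel.
INTERFACES = {"FastEthernet0/0": "192.168.12.1", "Tunnel1": "192.168.13.1"}
TUNNELS = {"Tunnel1": {"source": "192.168.12.1", "destination": "192.168.23.3"}}
ROUTES = [  # (prefix, outgoing interface, next hop)
    ("192.168.12.0/24", "FastEthernet0/0", None),            # connected
    ("192.168.13.0/24", "Tunnel1", None),                    # connected
    ("192.168.23.3/32", "FastEthernet0/0", "192.168.12.2"),  # static host route
    ("172.16.3.0/24", "Tunnel1", "192.168.13.3"),            # EIGRP over the tunnel
]

def lookup(dst):
    """Longest-prefix match; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), iface, nh) for p, iface, nh in ROUTES
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, iface, nh = max(matches, key=lambda m: m[0].prefixlen)
    return iface, nh

def forward(dst, src=None):
    """Model a packet originated by HQ; returns a dict describing what leaves."""
    route = lookup(dst)
    if route is None:
        return {"dropped": "no route to " + dst}
    iface, nh = route
    src = src or INTERFACES[iface]   # default source = outgoing interface address
    pkt = {"inner": (src, dst), "egress": iface, "next_hop": nh or dst}
    if iface in TUNNELS:             # route points at the tunnel: add GRE + outer IP
        t = TUNNELS[iface]
        outer = lookup(t["destination"])   # second lookup, on the outer header
        if outer is None or outer[0] == iface:
            # The tunnel endpoint must be reachable without using the tunnel itself.
            return {"dropped": "tunnel destination not reachable outside the tunnel"}
        pkt.update(outer=(t["source"], t["destination"]), encap="GRE",
                   egress=outer[0], next_hop=outer[1] or t["destination"])
    return pkt

if __name__ == "__main__":
    for target in ("172.16.3.3", "192.168.12.2", "203.0.113.10"):
        print(target, forward(target))
```

Only the first destination is encapsulated; the ISP-facing packet keeps 192.168.12.1 as its source, and the constructed address 203.0.113.10 is dropped because this table has only the host route and no default route.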

(Brian C) #58

I am still working through this but the following information is incorrect for the static route. The configuration that is currently in the lesson for the static route portion does not work.

Need to change to network instead of the specific IP. This is the case on my Cisco equipment anyway.

Need to change to the following:

HQ(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
HQ(config)#end

Branch(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
Branch(config)#end

0 Likes

(Lazaros Agapides) #59

Hello Brian

Hmmm, that’s interesting. I tried to lab it up as well and it worked for me with just the specific IP addresses in the ip route commands rather than the whole subnet. I was able to get the tunnel up and running as well as the EIGRP neighbourship. Want to take a look at it again and see if there’s another glitch somewhere?

I hope this has been helpful!

Laz

0 Likes

(Pinki D) #60

Hello Rene, why do we need tunneling when we already have static and dynamic routing protocols? What’s the need for tunneling? Maybe you’ve mentioned it, but I am still not clear about the advantage and use of a tunnel.

0 Likes

(Lazaros Agapides) #61

Hello Pinki

The advantage provided by GRE tunnelling (or any kind of network tunnelling) is that it allows us to interconnect two remote sites over a third network as if those remote sites are directly connected to each other. So let’s say you have two branch offices, one in one city and one in another. You have a subnet of 192.168.1.0/24 at the first office and 192.168.2.0/24 at the second office. Those two offices will never be able to communicate directly with each other over the Internet, because the Internet uses its own IP address ranges and it does not allow the use of private IP addresses to be routed using static and dynamic routing.

However, you can create a GRE tunnel between the edge routers at each branch office. The packets addressed in the 192.168.1.0/24 and 192.168.2.0/24 address ranges will then be tunnelled or encapsulated into IP packets that can be routed over the Internet. Once they arrive at the other edge router, they will be decapsulated and sent onto the local network. In this way, hosts at each branch office will think that the two edge routers are directly connected to each other, allowing you to enable communication between the two offices as if they were really directly connected to each other.

So in summary, a tunnel will allow you to route your private packets over a public or third party network such as the Internet, in such a way so that your networks function as if they are directly connected to each other.

I hope this has been helpful!

Laz

1 Like

(Rehab Z) #62

Hi,

I have a question about the static route.
Is there a difference between:
1. ip route 192.168.23.3 255.255.255.255 192.168.12.2
2. ip route 0.0.0.0 0.0.0.0 192.168.12.2

I think if we use the first one we can only connect to 192.168.23.3, so we use the ISP to connect the HQ and Branch only.
But if we use the default static route we can also connect to the Internet.

Please correct me if I’m wrong.

0 Likes

(Lazaros Agapides) #63

Hello Rehab

Yes, you are correct. Both static routes will indeed allow you to reach the 192.168.23.3 subnet, while the default route will also allow you to reach the Internet. In the particular example, connectivity to the Internet was not a requirement, so it wasn’t configured that way, but it will indeed work.

I hope this has been helpful!

Laz

0 Likes

(Rehab Z) #64

Hello Laz,

Thank you for your prompt reply. I really appreciate it, and the information was really useful.

Thanks

1 Like

(Thomas R) #65

Hi

Is it possible to do this all in IPv6? I notice there are a lot of IPv6 over IPv4 tunnels, but I am wondering if this is possible to do in IPv6 only (for testing purposes).

Thanks

0 Likes

(Lazaros Agapides) #66

Hello Thomas

Yes, it is possible to create GRE tunnels using IPv6 for both the internal and external protocol. You can find out more information about this at the following Cisco documentation:


Now in the examples found in there, some implement IPv6 over an IPv4 GRE tunnel. However, IPv6 can be used for both inside and outside of the GRE tunnel.

I hope this has been helpful!

Laz

0 Likes