How to configure GRE Tunnel on Cisco IOS Router

Hi,

How would a router, in this example HQ or Branch, know to send packets to the GRE application to encapsulate those inner packets within the GRE header? Another way to interpret the question is how the control plane of GRE works, and whether there is a way so that only some of the hosts behind the HQ/Branch use GRE while others do not use the tunnel and send their packets using traditional routing (w/o tunneling).

Thanks.

Hello Ishan,

When the router receives a packet, it checks the destination and does a lookup in the routing table. It finds that the outgoing interface is the tunnel interface, checks the encapsulation type of the tunnel and does its job.

For example, the HQ router receives a packet that is destined to 172.16.3.3. In the routing table, the outgoing interface is the Tunnel1 interface, which means the router has to add a GRE header.

The outer IP header has a destination IP address of 192.168.23.3 so the HQ router does another lookup in the routing table, figures out that 12.2 is the next hop and forwards the IP packet to the ISP router.

The default routing table is global so if you create an entry, it applies to all packets. However, you can use policy-based routing to tell the router that certain packets should be forwarded on another interface. Here’s an example:

I am still working through this but the following information is incorrect for the static route. The configuration that is currently in the lesson for the static route portion does not work.

Need to change to network instead of the specific IP. This is the case on my Cisco equipment anyway.

Need to change to the following:

HQ(config)#ip route 192.168.23.0 255.255.255.0 192.168.12.2
HQ(config)#end

Branch(config)#ip route 192.168.12.0 255.255.255.0 192.168.23.2
Branch(config)#end

Hello Brian

Hmmm, that’s interesting. I tried to lab it up as well and it worked for me with just the specific IP addresses in the ip route commands rather than the whole subnet. I was able to get the tunnel up and running as well as the EIGRP neighbourship. Want to take a look at it again and see if there’s another glitch somewhere?

I hope this has been helpful!

Laz

Hello Rene, why do we need tunneling when we already have static and dynamic routing protocols? What’s the need for tunneling? Maybe you’ve mentioned it, but I am still not clear about the advantage and use of a tunnel.

Hello Pinki

The advantage provided by GRE tunnelling (or any kind of network tunnelling) is that it allows us to interconnect two remote sites over a third network as if those remote sites are directly connected to each other. So let’s say you have two branch offices, one in one city and one in another. You have a subnet of 192.168.1.0/24 at the first office and 192.168.2.0/24 at the second office. Those two offices will never be able to communicate directly with each other over the Internet, because the Internet uses its own IP address ranges and it does not allow the use of private IP addresses to be routed using static and dynamic routing.

However, you can create a GRE tunnel between the edge routers at each branch office. The packets addressed in the 192.168.1.0/24 and 192.168.2.0/24 address ranges will then be tunnelled or encapsulated into IP packets that can be routed over the Internet. Once they arrive at the other edge router, they will be decapsulated and sent onto the local network. In this way, hosts at each branch office will think that the two edge routers are directly connected to each other, allowing you to enable communication between the two offices as if they were really directly connected to each other.

So in summary, a tunnel will allow you to route your private packets over a public or third party network such as the Internet, in such a way so that your networks function as if they are directly connected to each other.

I hope this has been helpful!

Laz

1 Like

Hi,

I have a question about the static route
Is there a difference between:
1. ip route 192.168.23.3 255.255.255.255 192.168.12.2
2. ip route 0.0.0.0 0.0.0.0 192.168.12.2

I think if we use the first one we can only connect to 192.168.23.3, so we use the ISP to connect the HQ and Branch only
But if we use the default static route we can also connect to the Internet.

Please correct me if I’m wrong.

Hello Rehab

Yes you are correct. Both static routes will indeed allow you to reach the 192.168.23.3 subnet, while the default route will also allow you to reach the Internet as well. In the particular example, connectivity to the Internet was not a requirement, so it wasn’t configured that way, but it will indeed work.

I hope this has been helpful!

Laz

Hello Laz,

Thank you for your prompt reply I really appreciate it, and the information was really useful.

Thanks

1 Like

Hi

Is it possible to do this all in IPv6? I notice there is a lot of IPv6 Over IPv4 tunnels, but I am wondering if this is possible to do in IPv6 only (for testing purposes).

Thanks

Hello Thomas

Yes it is possible to create GRE tunnels using IPv6 for both the internal and external protocol. You can find out more information about this at the following Cisco documentation:


Now in the examples found in there, some implement IPv6 over an IPv4 GRE tunnel. However, IPv6 can be used for both inside and outside of the GRE tunnel.

I hope this has been helpful!

Laz

Hello lagapides,
Can I use EIGRP instead of a static route?
Rene used EIGRP to introduce the network that is running on HQ, and the same applies to the Branch office, but why has he not introduced 192.168.12.0 or 192.168.23.0 in EIGRP?

Hello Harshit

This is a very good question, and indeed an important one. Rene could have included those networks in EIGRP, however, the problem that would occur is that EIGRP would learn of a “better” route between the Branch to HQ routers via the GRE tunnel. But that means that routes to 192.168.12.0 or 192.168.23.0 would be removed from the routing table in favour of the route via the GRE tunnel. But those routes are needed in order to correctly route the GRE tunnel, so the tunnel would fail. This results in the routes being reinstated only to have the tunnel come back up again and the routing changes again, and it fails… and so on. This is called the GRE tunnel recursive routing error, and you can find out more about it (and how to solve it) in this lesson:

I hope this has been helpful!

Laz
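The two lookups Rene describes earlier in the thread, and the recursive routing failure Laz describes in the reply above, as an added example that is not part of the original posts or the lesson: a small Python model of HQ's routing table. The interface name GigabitEthernet0/0 and both tables are constructed for illustration; the addresses and Tunnel1 come from the thread.

```python
import ipaddress

# HQ's view, modelled on the thread: Branch LAN 172.16.3.0/24 is reached through
# Tunnel1, whose tunnel destination is 192.168.23.3; the ISP next hop is 192.168.12.2.
# The interface name GigabitEthernet0/0 is hypothetical.
TUNNEL_DST = {"Tunnel1": "192.168.23.3"}
HQ_RIB = [
    ("192.168.12.0/24", "GigabitEthernet0/0", None),            # connected
    ("192.168.23.3/32", "GigabitEthernet0/0", "192.168.12.2"),  # static route to the tunnel destination
    ("172.16.3.0/24", "Tunnel1", None),                         # learned over the tunnel
]
# Constructed failure case: the only route covering the tunnel destination
# now points into the tunnel itself.
BROKEN_RIB = [
    ("192.168.12.0/24", "GigabitEthernet0/0", None),
    ("192.168.23.0/24", "Tunnel1", None),
    ("172.16.3.0/24", "Tunnel1", None),
]

def lookup(rib, dst):
    """Longest-prefix match; returns (prefix, out_interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in rib if addr in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)

def forward(rib, dst, tunnels=TUNNEL_DST):
    """Repeat the lookup until a physical interface is reached.

    Returns the list of (address looked up, outgoing interface) steps.
    Raises RuntimeError when a tunnel destination resolves via the same tunnel.
    """
    steps, seen = [], set()
    while True:
        route = lookup(rib, dst)
        if route is None:
            raise LookupError(f"no route to {dst}")
        iface = route[1]
        steps.append((dst, iface))
        if iface not in tunnels:
            return steps            # physical interface: the packet leaves the router
        if iface in seen:
            raise RuntimeError(f"recursive routing via {iface}")
        seen.add(iface)
        dst = tunnels[iface]        # GRE header added; look up the outer destination

if __name__ == "__main__":
    print(forward(HQ_RIB, "172.16.3.3"))
```
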

In the real world, do you configure GRE+IPsec? How can I configure GRE to turn on automatically as a backup if the point-to-point link fails?

Hello Juan

GRE and IPSec are used in the real world as VPN solutions especially if you want to run a routing protocol (IPsec alone does not support multicast). Now if you want to use a GRE tunnel as a backup to a main link, you don’t need to have it enabled or automatically turn it on as you need it.
You just need to configure it and make it a backup choice using routing or IP SLA. Normally, a GRE tunnel will come up as soon as it is configured and it will stay up as long as there is a valid tunnel source address or interface that is also up, and as long as the destination IP address is routable.

For this reason, GRE uses keepalives to check on the state of the other end of the link. You can find out more about keepalives and GRE and IPSec at the following link.

I hope I have understood your initial question, but if you need more information, please clarify what it is you want to achieve so we can help you further.

I hope this has been helpful!

Laz

Hi Lazaro,

I am running EIGRP over an Ethernet Private Line (it’s only 2 routers). If I understand correctly, I have to configure GRE and IPSec, but how are the routers going to make the decision to use GRE when the EPL fails?

Regards

Hello Juan

I apologize, I’m probably missing something here. Do you have alternate links connecting to your router? Can you please share your topology with us to clarify?

Thanks!

Laz

Hello.
What is the best answer for the question below:
“Which feature can mitigate fragmentation issues within network segments that are between GRE endpoints?”

I can’t choose between PMTUD and TCP MSS. As for me, the best is TCP MSS. Can anybody clarify?

Thanks

If you use “ip tcp adjust-mss” on an interface, it’s going to intercept only TCP segments with the SYN flag, thus this fixes only TCP traffic.

However, if you use PMTUD it can fix TCP and also UDP, but you need to be sure that ICMP messages are not filtered; at least unreachables and time-exceeded should be allowed for PMTUD.

But maybe you want to enable MTU discovery for the GRE path itself? This is done using “tunnel path-mtu-discovery”.

1 Like
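What the reply above means by MSS adjustment touching only SYN segments, as an added Python sketch that is not part of the original posts and is not Cisco's implementation: the MSS option is walked and lowered only when SYN is set, and the TCP checksum is patched incrementally. The sample header, its checksum 0x1234 and the clamp value 1436 used with it (a 1500-byte path minus 24 bytes of GRE-over-IPv4 overhead and 40 bytes of IP and TCP headers) are constructed.

```python
import struct

MSS_1460 = bytes([2, 4, 0x05, 0xB4])   # constructed option: kind 2, length 4, MSS 1460

def sample_tcp(flags, options):
    """Constructed TCP header (ports 49152 -> 443, arbitrary checksum 0x1234) plus options."""
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 49152, 443, 1000, 0, offset << 4, flags, 64240, 0x1234, 0) + options

def _csum_update(csum, old, new):
    """RFC 1624 incremental checksum update: HC' = ~(~HC + ~m + m')."""
    s = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
    s = (s & 0xFFFF) + (s >> 16)
    return ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF

def clamp_mss(tcp: bytes, max_mss: int) -> bytes:
    """Lower the MSS option of a TCP header to max_mss and patch the checksum.
    The MSS option is only sent on SYN segments, so anything else is returned as-is."""
    header_len = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else 0
    if not 20 <= header_len <= len(tcp) or not tcp[13] & 0x02:
        return tcp
    out, i = bytearray(tcp), 20
    while i + 1 < header_len:
        kind, length = out[i], out[i + 1]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if length < 2 or i + length > header_len:
            break                           # malformed option: stop parsing
        pos = i + 2                         # offset of the 16-bit MSS value
        if kind == 2 and length == 4 and struct.unpack_from("!H", out, pos)[0] > max_mss:
            before, csum = bytes(out), struct.unpack_from("!H", out, 16)[0]
            struct.pack_into("!H", out, pos, max_mss)
            for w in (pos & ~1, (pos & ~1) + 2):    # aligned words the value may span
                old = int.from_bytes(before[w:w + 2], "big")
                new = int.from_bytes(out[w:w + 2], "big")
                if old != new:
                    csum = _csum_update(csum, old, new)
            struct.pack_into("!H", out, 16, csum)
        i += length
    return bytes(out)
```
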

Hi Lazaros,

Here is my topology. The active routing protocol is EIGRP. I wanted to know how to configure GRE+IPSec to be active using the public address when EIGRP fails.