Generic Routing Encapsulation (GRE) is a protocol developed by Cisco. It provides a virtual point-to-point private connection by encapsulating packets and forwarding them over an IP-based network. GRE is used in many situations, such as transporting IPv6 traffic over an IPv4-only network. We can also use GRE to tunnel routing protocols like RIP, OSPF, or EIGRP between HQ and branch sites.
How Do GRE Tunnels Work?
When a router encapsulates a data packet, it adds new header information (encapsulation) that carries the remote endpoint’s IP address as the destination. A GRE packet consists of the GRE IP header, the GRE header and flags, the original IP header, and the payload data. The new IP header allows the GRE packet to be routed between the two tunnel endpoints without inspecting the original packet’s payload. Once the packet reaches the remote tunnel endpoint, the GRE header is removed (de-encapsulation), and the original data packet is routed to the remote network.
Original Packet
| IP Header | Payload Data |

GRE Packet
| GRE IP Header | GRE Flags | Original IP Header | Payload Data |
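The encapsulation and de-encapsulation steps described above, as an added Python example that is not part of the original page: it wraps a constructed inner packet the way Site A would and strips the headers the way Site B would. The tunnel endpoints are the page's 172.16.1.1 and 172.16.2.1; the LAN host 192.168.1.10 and all function names are assumptions made for illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 for this demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Prepend the GRE header and the new outer IP header to the original packet."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)  # no optional fields, version 0
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner))
    return outer + gre + inner

def parse_ipv4(packet):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9], packet[ihl:])

def gre_decapsulate(packet):
    """Strip the outer IP and GRE headers; return (outer_src, outer_dst, inner)."""
    src, dst, proto, gre = parse_ipv4(packet)
    if proto != GRE_PROTO or len(gre) < 4:
        raise ValueError("not a GRE packet (IP protocol 47)")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x4007 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version, routing field or payload type")
    # Optional fields add 4 bytes each: checksum (C), key (K), sequence number (S).
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    if len(gre) < offset:
        raise ValueError("truncated GRE header")
    return src, dst, gre[offset:]

# Constructed sample: an ICMP echo from an assumed Site A LAN host to 192.168.2.1.
INNER = ipv4_header("192.168.1.10", "192.168.2.1", 1, 8) + b"\x08\x00" + bytes(6)

if __name__ == "__main__":
    wire = gre_encapsulate(INNER, "172.16.1.1", "172.16.2.1")
    print("on the wire:", gre_decapsulate(wire)[:2], len(wire), "bytes")
    print("inner packet:", parse_ipv4(gre_decapsulate(wire)[2])[:3])
```

The inner packet comes back byte for byte, which shows that GRE only wraps traffic: anything on the path between the endpoints can read the original header and payload unless another layer encrypts them.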
GRE Configuration
Here’s the step-by-step process for configuring the GRE tunnel:
- Create a GRE tunnel interface.
- Configure an IP address for the tunnel interface.
- Set the local tunnel source. It can be a physical or loopback interface.
- Set the remote destination IP.
Optional configs: Tunnel bandwidth, keepalive, and IP MTU
For our example configuration, we will use the topology below. We have two sites, Site A and Site B, and both have their respective ISPs as default gateways to reach the Internet.
Without GRE tunnelling configured, let’s see if we can ping from Site A LAN to Site B LAN:
Site-A#sh ip route
Gateway of last resort is 172.16.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.1.2

Site-A#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 172.16.1.2 2 msec 3 msec 4 msec
  2 172.16.1.2 !H !H *

Site-A#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
The traceroute to Site B’s LAN interface is sent to the ISP1 gateway, which blackholes it.
Now, let’s configure Site A and Site B routers. We have OSPF enabled on the LAN (192.168.1.0/24 and 192.168.2.0/24) and GRE tunnel (10.10.10.0/24) networks. With this, Sites A and B become direct OSPF neighbors over the GRE tunnel and learn each other’s routes. The default static routes are pointing to their respective ISPs.
Site A
Site-A#conf t
Site-A(config)#int Tunnel1
Site-A(config-if)#ip address 10.10.10.1 255.255.255.0
Site-A(config-if)#tunnel source 172.16.1.1
Site-A(config-if)#tunnel destination 172.16.2.1
Site-A(config-if)#exit
Site-A(config)#router ospf 1
Site-A(config-router)#router-id 1.1.1.1
Site-A(config-router)#network 10.10.10.0 0.0.0.255 area 0
Site-A(config-router)#network 192.168.1.0 0.0.0.255 area 1
Site-A(config-router)#exit
Site-A(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2
Site B
Site-B#conf t
Site-B(config)#int Tunnel1
Site-B(config-if)#ip address 10.10.10.2 255.255.255.0
Site-B(config-if)#tunnel source 172.16.2.1
Site-B(config-if)#tunnel destination 172.16.1.1
Site-B(config-if)#exit
Site-B(config)#router ospf 1
Site-B(config-router)#router-id 2.2.2.2
Site-B(config-router)#network 10.10.10.0 0.0.0.255 area 0
Site-B(config-router)#network 192.168.2.0 0.0.0.255 area 1
Site-B(config-router)#exit
Site-B(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
Verification
Now, let’s check the state of the tunnel using the ‘show interfaces tunnel’ command.
Site-A#sh int tunnel 1 | include Tunnel.*is|Tunnel s|Tunnel p
Tunnel1 is up, line protocol is up
  Tunnel source 172.16.1.1, destination 172.16.2.1
  Tunnel protocol/transport GRE/IP

Site-B#sh int tunnel 1 | include Tunnel.*is|Tunnel s|Tunnel p
Tunnel1 is up, line protocol is up
  Tunnel source 172.16.2.1, destination 172.16.1.1
  Tunnel protocol/transport GRE/IP
Let’s also check the routing table to see whether Site A has formed an OSPF adjacency with Site B over the GRE tunnel.
Site-A# sh ip route ospf
Gateway of last resort is 172.16.1.2 to network 0.0.0.0
O IA 192.168.2.0/24 [110/1001] via 10.10.10.2, 00:02:22, Tunnel1
Lastly, we do a traceroute and ping to confirm reachability.
Site-A#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.10.2 5 msec 6 msec *

Site-A#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms