Help required - Understanding GRE tunnels

Unanswered Question
May 14th, 2009

Can someone please share thoughts on the following topics for a CCNA guy.

1. What is GRE tunnel and why we really need that

2. What is the difference between point to point , point to multipoint GRE tunnel.

3. What is GRE keep alive and why we need it.

4. What is the fundamental/reason behind using GRE over IPSEC

5. Some sample configs of configuring point to point/point to multipoint GRE tunnels.

6.What IP addressing scheme and source/destination interfaces should be choosen while configuring GRE tunnels

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
lamav Thu, 05/14/2009 - 11:41


1.) A GRE tunnel is used to encapsulate private or non-routable data packets that are generated on a private network, which will then be forwarded over a public domain to another private network. For example, a branch office of a company that does not have a dedicated circuit back to the company headquarters, but instead only has a connection to the public Internet. The GRE tunnel is used to encapsulate the private traffic and "hide" the private addresses from the ISP routing domain.

Under the GRE tunnel interface that you will configure on your VPN router, you will define the tunnel source address and tunnel destination address - the so-called tunnel endpoints. If the packet is being routed over a public internet, the tunnel endpoints must consist of global public addresses that are routable over the public domain.

2.) In a hub-and-spoke VPN topology, a point-to-point GRE tunnel is one that provides a direct connection with its tunnel peer only. In a point-to-multipoint configuration (mGRE), the spoke router can communicate directly to the hub or to another spoke. NHRP is used to facilitate mGRE.

3.) A GRE keepalive is a mechanism used by peer routers to ensure that the distant-end tunnel interface is still reachable. Remember that tunnel interfaces are virtual and are therefore always "up,up", except in the case of recursive routing, which is a special circumstance.

So, instead of waiting for the routing protocol to detect the loss of connectivity with the distant end and converge, the keepalive mechanism uses a pro-active paradigm to detect tunnel interface failures in a timely manner.

4.) IPSec is a VPN suite of technologies that supports encryption, authentication, nonrepudiation and data integrity, but it does not support multicast traffic. GRE does. So, if you are running a dynamic routing protcol between your two VPN endpoints that utilizes multicast updates, like OSPF or EIGRP, then you will need to run "GRE over IPSec".

5.) Cisco's website has tons of configuration samples. Just do a search.

6.) As explained earlier, the tunnel endpoints should be global addresses if you are routing over the public Internet. The interfaces used are typically physical interfaces that connect directly to the provider circuit or to an Internet router. Sometimes the loopback interface is used.



Jon Marshall Thu, 05/14/2009 - 11:46


"the keepalivem echanism uses a pro-active paradigm to detect tunnel interface failures in a timely manner."

It's hard to believe this is from the same person that reads Hustler :-)

Really good, detailed explanation - rated.


lamav Thu, 05/14/2009 - 11:50

LOL! C'mon, we have to have some diversity in our lives. It cant all be about bits and

Just an FYI...I did some minor editing to my original post while you were posting.

:-) Thanks for the rating.


This Discussion