Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1173
Views
5
Helpful
3
Replies

Help required - Understanding GRE tunnels

talktokaushal
Level 1
Level 1

‎05-14-2009 09:09 AM - edited ‎03-04-2019 04:46 AM

Can someone please share thoughts on the following topics for a CCNA guy.

1. What is GRE tunnel and why we really need that

2. What is the difference between point to point , point to multipoint GRE tunnel.

3. What is GRE keep alive and why we need it.

4. What is the fundamental/reason behind using GRE over IPSEC

5. Some sample configs of configuring point to point/point to multipoint GRE tunnels.

6.What IP addressing scheme and source/destination interfaces should be choosen while configuring GRE tunnels

Labels:
0 Helpful
3 Replies 3

lamav
Level 8
Level 8

‎05-14-2009 11:41 AM

Hello:

1.) A GRE tunnel is used to encapsulate private or non-routable data packets that are generated on a private network, which will then be forwarded over a public domain to another private network. For example, a branch office of a company that does not have a dedicated circuit back to the company headquarters, but instead only has a connection to the public Internet. The GRE tunnel is used to encapsulate the private traffic and "hide" the private addresses from the ISP routing domain.

Under the GRE tunnel interface that you will configure on your VPN router, you will define the tunnel source address and tunnel destination address - the so-called tunnel endpoints. If the packet is being routed over a public internet, the tunnel endpoints must consist of global public addresses that are routable over the public domain.

2.) In a hub-and-spoke VPN topology, a point-to-point GRE tunnel is one that provides a direct connection with its tunnel peer only. In a point-to-multipoint configuration (mGRE), the spoke router can communicate directly to the hub or to another spoke. NHRP is used to facilitate mGRE.

3.) A GRE keepalive is a mechanism used by peer routers to ensure that the distant-end tunnel interface is still reachable. Remember that tunnel interfaces are virtual and are therefore always "up,up", except in the case of recursive routing, which is a special circumstance.

So, instead of waiting for the routing protocol to detect the loss of connectivity with the distant end and converge, the keepalive mechanism uses a pro-active paradigm to detect tunnel interface failures in a timely manner.

4.) IPSec is a VPN suite of technologies that supports encryption, authentication, nonrepudiation and data integrity, but it does not support multicast traffic. GRE does. So, if you are running a dynamic routing protcol between your two VPN endpoints that utilizes multicast updates, like OSPF or EIGRP, then you will need to run "GRE over IPSec".

5.) Cisco's website has tons of configuration samples. Just do a search.

6.) As explained earlier, the tunnel endpoints should be global addresses if you are routing over the public Internet. The interfaces used are typically physical interfaces that connect directly to the provider circuit or to an Internet router. Sometimes the loopback interface is used.

HTH

Victor

Jon Marshall
Hall of Fame
Hall of Fame
In response to lamav

‎05-14-2009 11:46 AM

Victor

"the keepalivem echanism uses a pro-active paradigm to detect tunnel interface failures in a timely manner."

It's hard to believe this is from the same person that reads Hustler :-)

Really good, detailed explanation - rated.

Jon

0 Helpful

lamav
Level 8
Level 8
In response to Jon Marshall

‎05-14-2009 11:50 AM

LOL! C'mon, we have to have some diversity in our lives. It cant all be about bits and bytes...lol

Just an FYI...I did some minor editing to my original post while you were posting.

:-) Thanks for the rating.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card