Config example: GRE tunnel-interfaces

GRE tunnel-interfaces

Tunnel interfaces are really cool. In a later post I will describe how to use them to build an IPsec tunnel, but for now we will just ignore the fact that we are not encrypting anything. Keep that in mind while reading: plain GRE gives no confidentiality, no integrity protection and no authentication of the far end. Anyone on the transit path can read the inner packets, and anyone who can send packets with the tunnel peer's source address can inject traffic into the tunnel.

GRE (Generic Routing Encapsulation) was invented by Cisco and later standardized in RFC 2784. It uses IP protocol 47 and encapsulates the entire original packet behind a GRE header, which in turn is carried in a new outer IP header. The extra headers cost 24 bytes (20 bytes IP plus 4 bytes GRE), which is why IOS sets the IP MTU of a GRE tunnel to 1476 bytes by default.

Let's set up a GRE tunnel in our example topology. A tunnel interface is a virtual interface created in the router. It has an IP address and can be treated just like any physical interface. Normally a tunnel interface needs to be configured with a tunnel source (usually a physical interface on the local router) and a tunnel destination (the remote IP address the tunnel is built to). Like this:

Let's do it. First, make sure that we have connectivity with the remote peer. Never forget that.


r1#ping 10.10.30.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#

Now we configure our tunnel interfaces:


r1(config)#int tu0
r1(config-if)#
*Mar 19 13:31:05.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
r1(config-if)#
r1(config-if)#ip address 10.99.99.1 255.255.255.0
r1(config-if)#tunnel source fa0.11
r1(config-if)#tunnel destination 10.10.30.3
*Mar 19 13:32:24.014: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
r1(config-if)#
r1(config-if)#tunnel mode gre ip

r3(config)#int tu0
r3(config-if)#ip address 1
*Mar 19 13:34:54.058: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
r3(config-if)#
r3(config-if)#ip address 10.99.99.3 255.255.255.0
r3(config-if)#tunnel source fa0.30
r3(config-if)#tunnel destination 10.10.11.1
*Mar 19 13:36:00.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
r3(config-if)#
r3(config-if)#tunnel mode gre ip
r3(config-if)#

Now we can see that our tunnel interfaces are configured and up/up:

r1#sh ip int brie | excl unassigned
Interface         IP-Address   OK? Method Status Protocol
FastEthernet0.10  10.10.10.2   YES NVRAM  up     up
FastEthernet0.11  10.10.11.1   YES NVRAM  up     up
Loopback0         10.1.1.1     YES NVRAM  up     up
Tunnel0           10.99.99.1   YES manual up     up
r1#

Does it work?


r1#ping 10.99.99.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.99.99.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r1#

Great. Now we have a virtual interface on each router interconnecting them. Want to have a look at the transit traffic? Let's go to the Wireshark capture between the routers:

As you can see in the screen dump above, Wireshark is smart enough to see that the packets carry ICMP pings. Have a look at the middle part of the window: the original IP packet is inserted into a GRE packet, which in turn is inserted into a new IP header. The inner (original) IP header is addressed to the IP address we pinged, but the outer header is between the GRE tunnel endpoints, the physical interfaces. Remember, in my transit network I might have routers that have no clue about any 10.99.99 addresses. Note also that Wireshark decodes the ping only because nothing is encrypted: every byte of the inner packet is readable by anyone who can capture on the transit link.

But our goal was to make our client 192.168.1.50 behind r1 reach the 10.3.3.3 address behind r3, right? How about routing? First r1.


r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D EX 10.2.2.2/32 [170/1285120] via 10.10.10.1, 23:48:00, FastEthernet0.10
C 10.99.99.0/24 is directly connected, Tunnel0
C 10.10.10.0/24 is directly connected, FastEthernet0.10
C 10.10.11.0/24 is directly connected, FastEthernet0.11
C 10.1.1.1/32 is directly connected, Loopback0
S 10.10.30.3/32 [1/0] via 10.10.11.2
D EX 192.168.1.0/24 [170/1285120] via 10.10.10.1, 23:48:00, FastEthernet0.10
D*EX 0.0.0.0/0 [170/1285120] via 10.10.10.1, 23:48:02, FastEthernet0.10
r1#

and r3.


r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.3.3.3/32 is directly connected, Loopback0
C 10.99.99.0/24 is directly connected, Tunnel0
S 10.10.11.1/32 [1/0] via 10.10.30.1
C 10.10.30.0/24 is directly connected, FastEthernet0.30
r3#

Oops. r1 doesn't know about 10.3.3.3 and r3 doesn't know about 192.168.1.50. First we do it the ugly, lazy way: add static routes for the remote networks. The next hop should be the remote router's tunnel interface address:


r1(config)#ip route 10.3.3.3 255.255.255.255 10.99.99.3
r3(config)#ip route 192.168.1.50 255.255.255.255 10.99.99.1

Now we have a working tunnel. My Windows client 192.168.1.50 can ping 10.3.3.3:


C:\Users\Jimmy\Desktop>ping 10.3.3.3

Pinging 10.3.3.3 with 32 bytes of data:
Reply from 10.3.3.3: bytes=32 time=1ms TTL=254
Reply from 10.3.3.3: bytes=32 time=1ms TTL=254
Reply from 10.3.3.3: bytes=32 time=1ms TTL=254
Reply from 10.3.3.3: bytes=32 time=2ms TTL=254

Ping statistics for 10.3.3.3:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Users\Jimmy\Desktop>

One of the major features of tunnel interfaces is that they support routing protocols: GRE carries multicast, so EIGRP hellos go through the tunnel just as they would on a LAN. In r1 we already have EIGRP running. Let's try to run EIGRP through the tunnel... (Remember that nothing authenticates this tunnel yet, so whatever routes we learn over it, we learn from anyone who can inject GRE with the right addresses. That is one more reason for the IPsec post.)

First, remove our static routes.


r1(config)#no ip route 10.3.3.3 255.255.255.255 10.99.99.3
r3(config)#no ip route 192.168.1.50 255.255.255.255 10.99.99.1

Then add the tunnel interface to the EIGRP process on r1:

r1#sh run | sect router
router eigrp 11
network 10.1.1.1 0.0.0.0
network 10.10.10.2 0.0.0.0
no auto-summary
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#router eigrp 11
r1(config-router)#network 10.99.99.1 0.0.0.0
r1(config-router)#

On r3 we have no routing protocol running. Time to add that...

r3(config)#router eigrp 11
r3(config-router)#network 10.3.3.3 0.0.0.0
r3(config-router)#network 10.99.99.3 0.0.0.0
*Mar 19 14:06:26.522: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 11: Neighbor 10.99.99.1 (Tunnel0) is up: new adjacency
r3(config-router)#no auto-summary
r3(config-router)#

So, what happened?

r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.99.99.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX 10.2.2.2/32 [170/26885120] via 10.99.99.1, 00:01:08, Tunnel0
C 10.3.3.3/32 is directly connected, Loopback0
C 10.99.99.0/24 is directly connected, Tunnel0
S 10.10.11.1/32 [1/0] via 10.10.30.1
D 10.10.10.0/24 [90/26882560] via 10.99.99.1, 00:01:08, Tunnel0
D 10.1.1.1/32 [90/27008000] via 10.99.99.1, 00:01:08, Tunnel0
C 10.10.30.0/24 is directly connected, FastEthernet0.30
D EX 192.168.1.0/24 [170/26885120] via 10.99.99.1, 00:01:09, Tunnel0
D*EX 0.0.0.0/0 [170/26885120] via 10.99.99.1, 00:01:09, Tunnel0
r3#

Cool. r3 got itself a default route to the world through the tunnel. Look closely at one detail in that table: the tunnel destination 10.10.11.1 is still reached by the static /32 via 10.10.30.1, which is more specific than the default route. Without that static route the lookup for the tunnel destination would itself resolve to Tunnel0, the tunnel would recurse on itself and IOS would take it down with %TUN-5-RECURDOWN. Whenever you let a routing protocol advertise a default (or the transit network) through a tunnel, make sure the tunnel destination has a more specific route out a physical interface.
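As an added example (not code from the original post), here is a longest-prefix lookup over r3's routing table as transcribed from the output above. It resolves the tunnel destination the way the router does, following next hops until it reaches a connected route, and reports whether the lookup ends up in the tunnel itself. The route list is copied from r3's table; the recursion depth limit and the function names are assumptions of this example.

```python
# Added example: check a tunnel destination for recursive routing against a
# routing table transcribed from r3's "sh ip route" after EIGRP came up.
import ipaddress

# (prefix, next hop or None if connected, exit interface), copied from the r3 table above.
R3_ROUTES = [
    ("10.3.3.3/32",    None,         "Loopback0"),
    ("10.99.99.0/24",  None,         "Tunnel0"),
    ("10.10.11.1/32",  "10.10.30.1", "FastEthernet0.30"),  # static route to the tunnel destination
    ("10.10.10.0/24",  "10.99.99.1", "Tunnel0"),
    ("10.1.1.1/32",    "10.99.99.1", "Tunnel0"),
    ("10.10.30.0/24",  None,         "FastEthernet0.30"),
    ("192.168.1.0/24", "10.99.99.1", "Tunnel0"),
    ("0.0.0.0/0",      "10.99.99.1", "Tunnel0"),           # default learned from r1 over the tunnel
]


def lookup(routes, dst):
    """Longest-prefix match: return (prefix, next_hop, interface) or None."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for prefix, nh, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (prefix, nh, iface), net.prefixlen
    return best


def tunnel_exit_interface(routes, tunnel_dst, tunnel_iface="Tunnel0", max_depth=8):
    """Resolve the tunnel destination through successive next-hop lookups.
    Returns the interface the encapsulated packets would leave on, the tunnel
    interface name itself if the lookup recurses into the tunnel, or None if
    there is no route (max_depth is an assumed guard against routing loops)."""
    target = tunnel_dst
    for _ in range(max_depth):
        route = lookup(routes, target)
        if route is None:
            return None
        prefix, nh, iface = route
        if iface == tunnel_iface:
            return tunnel_iface   # tunnel traffic would be sent back into the tunnel
        if nh is None:
            return iface          # connected route: resolved to a real interface
        target = nh               # recursive lookup on the next hop
    return None


def is_recursive(routes, tunnel_dst, tunnel_iface="Tunnel0") -> bool:
    """True when the tunnel destination is reachable only through the tunnel itself."""
    return tunnel_exit_interface(routes, tunnel_dst, tunnel_iface) == tunnel_iface


if __name__ == "__main__":
    print("with static /32:   ", tunnel_exit_interface(R3_ROUTES, "10.10.11.1"))
    without_static = [r for r in R3_ROUTES if r[0] != "10.10.11.1/32"]
    print("without static /32:", tunnel_exit_interface(without_static, "10.10.11.1"))
```

With the table as shown, the tunnel destination resolves out FastEthernet0.30. Drop the static /32 and the only match is the EIGRP default via Tunnel0, which is the condition that makes IOS flap the tunnel.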


r1#sh ip route
*Mar 19 14:06:30.122: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.10.10.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX 10.2.2.2/32 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
D 10.3.3.3/32 [90/27008000] via 10.99.99.3, 00:02:06, Tunnel0
C 10.99.99.0/24 is directly connected, Tunnel0
C 10.10.10.0/24 is directly connected, FastEthernet0.10
C 10.10.11.0/24 is directly connected, FastEthernet0.11
C 10.1.1.1/32 is directly connected, Loopback0
S 10.10.30.3/32 [1/0] via 10.10.11.2
D EX 192.168.1.0/24 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
D*EX 0.0.0.0/0 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
r1#

... and r1 knows how to find 10.3.3.3.

As I said before: Voila!

Here are the configs for r1 and r3.

Next session will add encryption to this configuration.

Posted in Cisco Security
