GRE tunnel-interfaces
Tunnel-interfaces are real cool. In a later post I will describe how to use them to establish an IPsec tunnel, but for now we will just ignore the fact that we don't encrypt the packets.
GRE (Generic Routing Encapsulation) was invented by Cisco. It uses IP protocol 47 and encapsulates the entire packet within a new GRE header.
Let's set up a GRE tunnel in our example topology. A tunnel-interface is a virtual interface created in the router. It has an IP address and can be treated just like any physical interface. Normally a tunnel-interface needs to be configured with a tunnel source (usually a physical interface in the local router) and a tunnel destination (usually the remote IP to which the tunnel is established).
Let's do it. First, make sure that we have connectivity with the remote peer. Never forget that.
r1#ping 10.10.30.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.30.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
r1#
Now we configure our tunnel-interfaces:
r1(config)#int tu0
r1(config-if)#
*Mar 19 13:31:05.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
r1(config-if)#
r1(config-if)#ip address 10.99.99.1 255.255.255.0
r1(config-if)#tunnel source fa0.11
r1(config-if)#tunnel destination 10.10.30.3
*Mar 19 13:32:24.014: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
r1(config-if)#
r1(config-if)#tunnel mode gre ip
r3(config)#int tu0
r3(config-if)#ip address 1
*Mar 19 13:34:54.058: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
r3(config-if)#
r3(config-if)#ip address 10.99.99.3 255.255.255.0
r3(config-if)#tunnel source fa0.30
r3(config-if)#tunnel destination 10.10.11.1
*Mar 19 13:36:00.578: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
r3(config-if)#
r3(config-if)#tunnel mode gre ip
r3(config-if)#
Now we can see that we have our tunnel-interfaces configured and up/up:
r1#sh ip int brie | excl unassigned
Interface IP-Address OK? Method Status Protocol
FastEthernet0.10 10.10.10.2 YES NVRAM up up
FastEthernet0.11 10.10.11.1 YES NVRAM up up
Loopback0 10.1.1.1 YES NVRAM up up
Tunnel0 10.99.99.1 YES manual up up
r1#
Does it work?
r1#ping 10.99.99.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.99.99.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
r1#
Great. Now we have a virtual interface on each router, interconnecting them. Wanna have a look at the transit traffic? Let's go to the Wireshark capture between the routers:
As you see in the screen-dump above, Wireshark is smart enough to see that the packets carry ICMP pings. Have a look at the middle part of the window and you can see that the original IP packet is inserted into a GRE packet, which in turn is wrapped in a new IP header. The inner (original) IP header is destined for the IP address we pinged, but the outer header runs between the GRE tunnel endpoints, the physical interfaces. Remember, in my transit network I might have routers that have no clue about any 10.99.99 addresses.
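The layering described above can be reproduced without a capture. The following is an added example, not part of the original post: it builds a constructed IPv4/GRE/IPv4/ICMP packet using this lab's addresses and dissects it the way a transit observer could, which also shows that the inner packet is readable in cleartext. The function names are hypothetical and the header checksums are left at zero.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type when the payload is IPv4

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    src = str(ipaddress.IPv4Address(buf[12:16]))
    dst = str(ipaddress.IPv4Address(buf[16:20]))
    return src, dst, buf[9], buf[ihl:total]

def parse_gre(buf):
    """Return (protocol_type, payload), skipping optional GRE fields."""
    flags, ptype = struct.unpack("!HH", buf[:4])
    offset = 4
    for bit in (0x8000, 0x2000, 0x1000):   # checksum, key, sequence number
        if flags & bit:
            offset += 4
    return ptype, buf[offset:]

def build_sample():
    """Constructed packet: r1 pings 10.99.99.3 through Tunnel0."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"ping-payload"
    inner = ipv4_header("10.99.99.1", "10.99.99.3", 1, len(icmp)) + icmp
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return ipv4_header("10.10.11.1", "10.10.30.3", GRE_PROTO, len(gre)) + gre

def dissect(packet):
    """Peel outer IP, GRE and inner IP, as any device on the path can."""
    o_src, o_dst, o_proto, o_payload = parse_ipv4(packet)
    if o_proto != GRE_PROTO:
        raise ValueError("outer IP protocol is not GRE (47)")
    ptype, gre_payload = parse_gre(o_payload)
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("GRE payload is not IPv4")
    i_src, i_dst, i_proto, i_payload = parse_ipv4(gre_payload)
    return {"outer": (o_src, o_dst, o_proto), "gre_type": ptype,
            "inner": (i_src, i_dst, i_proto), "inner_payload": i_payload}

if __name__ == "__main__":
    print(dissect(build_sample()))
```

The transit routers only ever route on the outer pair (10.10.11.1 to 10.10.30.3), while the inner addresses and the ICMP payload travel unprotected inside the GRE payload.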
But our goal was to make our client 192.168.1.50 behind r1 reach the 10.3.3.3-address behind r3, right? How about routing? First r1.
r1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
D EX 10.2.2.2/32 [170/1285120] via 10.10.10.1, 23:48:00, FastEthernet0.10
C 10.99.99.0/24 is directly connected, Tunnel0
C 10.10.10.0/24 is directly connected, FastEthernet0.10
C 10.10.11.0/24 is directly connected, FastEthernet0.11
C 10.1.1.1/32 is directly connected, Loopback0
S 10.10.30.3/32 [1/0] via 10.10.11.2
D EX 192.168.1.0/24 [170/1285120] via 10.10.10.1, 23:48:00, FastEthernet0.10
D*EX 0.0.0.0/0 [170/1285120] via 10.10.10.1, 23:48:02, FastEthernet0.10
r1#
and r3.
r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 10.3.3.3/32 is directly connected, Loopback0
C 10.99.99.0/24 is directly connected, Tunnel0
S 10.10.11.1/32 [1/0] via 10.10.30.1
C 10.10.30.0/24 is directly connected, FastEthernet0.30
r3#
Ooops. r1 doesn't know of 10.3.3.3 and r3 doesn't know of 192.168.1.50. First we do it the ugly, lazy way: add static routes to the remote networks. The next hop should be the remote router's tunnel-interface:
r1(config)#ip route 10.3.3.3 255.255.255.255 10.99.99.3
r3(config)#ip route 192.168.1.50 255.255.255.255 10.99.99.1
Now we have a working tunnel. My Windows client 192.168.1.50 can ping 10.3.3.3:
^C
C:\Users\Jimmy\Desktop>ping 10.3.3.3
Skickar ping-signal till 10.3.3.3 med 32 byte data:
Svar från 10.3.3.3: byte=32 tid=1ms TTL=254
Svar från 10.3.3.3: byte=32 tid=1ms TTL=254
Svar från 10.3.3.3: byte=32 tid=1ms TTL=254
Svar från 10.3.3.3: byte=32 tid=2ms TTL=254
Ping-statistik för 10.3.3.3:
Paket: Skickade = 4, Mottagna = 4, Förlorade = 0 (0 %),
Ungefärlig överföringstid i millisekunder:
Lägsta = 1 ms, Högsta = 2 ms, Medel = 1 ms
C:\Users\Jimmy\Desktop>
One of the major features of tunnel-interfaces is that they support routing protocols. In r1 we already have EIGRP running. Let's try to run EIGRP through the tunnel…
First, remove our static routes.
r1(config)#no ip route 10.3.3.3 255.255.255.255 10.99.99.3
r3(config)#no ip route 192.168.1.50 255.255.255.255 10.99.99.1
Then add the tunnel-interface to the EIGRP process of r1:
r1#sh run | sect router
router eigrp 11
network 10.1.1.1 0.0.0.0
network 10.10.10.2 0.0.0.0
no auto-summary
r1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
r1(config)#router eigrp 11
r1(config-router)#network 10.99.99.1 0.0.0.0
r1(config-router)#
In r3 we have no routing protocol running. Time to add that…
r3(config)#router eigrp 11
r3(config-router)#network 10.3.3.3 0.0.0.0
r3(config-router)#network 10.99.99.3 0.0.0.0
*Mar 19 14:06:26.522: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 11: Neighbor 10.99.99.1 (Tunnel0) is up: new adjacency
r3(config-router)#no auto-summary
r3(config-router)#
So, what happened?
r3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.99.99.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX 10.2.2.2/32 [170/26885120] via 10.99.99.1, 00:01:08, Tunnel0
C 10.3.3.3/32 is directly connected, Loopback0
C 10.99.99.0/24 is directly connected, Tunnel0
S 10.10.11.1/32 [1/0] via 10.10.30.1
D 10.10.10.0/24 [90/26882560] via 10.99.99.1, 00:01:08, Tunnel0
D 10.1.1.1/32 [90/27008000] via 10.99.99.1, 00:01:08, Tunnel0
C 10.10.30.0/24 is directly connected, FastEthernet0.30
D EX 192.168.1.0/24 [170/26885120] via 10.99.99.1, 00:01:09, Tunnel0
D*EX 0.0.0.0/0 [170/26885120] via 10.99.99.1, 00:01:09, Tunnel0
r3#
Cool. r3 got itself a default-route to the world thru the tunnel.
r1#sh ip route
*Mar 19 14:06:30.122: %SYS-5-CONFIG_I: Configured from console by console
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.10.10.1 to network 0.0.0.0
10.0.0.0/8 is variably subnetted, 7 subnets, 2 masks
D EX 10.2.2.2/32 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
D 10.3.3.3/32 [90/27008000] via 10.99.99.3, 00:02:06, Tunnel0
C 10.99.99.0/24 is directly connected, Tunnel0
C 10.10.10.0/24 is directly connected, FastEthernet0.10
C 10.10.11.0/24 is directly connected, FastEthernet0.11
C 10.1.1.1/32 is directly connected, Loopback0
S 10.10.30.3/32 [1/0] via 10.10.11.2
D EX 192.168.1.0/24 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
D*EX 0.0.0.0/0 [170/1285120] via 10.10.10.1, 1d00h, FastEthernet0.10
r1#
… and r1 knows how to find 10.3.3.3
As I said before: Voila!
Here are the configs for r1 and r3.
Next session will add encryption to this configuration.