Home > GRE Tunnel Tutorial

GRE Tunnel Tutorial

April 26th, 2018 Go to comments

GRE stands for Generic Routing Encapsulation, which is a very simple form of tunneling. With GRE we can easily create a virtual link between routers and allow them to be directly connected, even if they physically aren’t. Let’s have a look at the topology below:

GRE_Tunnel.jpg

Suppose R1 and R2 are routers at two far ends of our company. They are connected to two computers who want to communicate. Although R1 and R2 are not physically connected to each other but with GRE Tunnel, they appear to be! This is great when you have multiple end points and don’t care the path between them. The routing tables of two routers show that they are directly connected via GRE Tunnel.

How GRE Tunnel works

When the sending router decides to send a packet into the GRE Tunnel, it will “wrap” the whole packet into another IP packet with two headers: one is the GRE header which uses to manage the tunnel itself. The other is called “Delivery header” which includes the new source and destination IP addresses of two virtual interfaces of the tunnel (called tunnel interfaces). This process is called encapsulation.

GRE_Tunnel_Encapsulation_Process.jpg

In the example above when R1 receives an IP packet, it wraps the whole packet with a GRE header and a delivery header. The delivery header includes new source IP address of 63.1.27.2 (the IP address of R1’s physical interface which is used to create tunnel) and new destination IP address of 85.5.24.10 (the IP address of R2’s physical interface which is used to create tunnel).

It is important to note that the GRE tunnel does not encrypt the packet, only encapsulate it. If we want to encrypt the packet inside GRE Tunnel we must use IPSec but it is out of CCNA scope so we will not mention here.

When the GRE packet arrives at the other end of the tunnel (R2 in this case), the receiving router R2 needs to remove the GRE header and delivery header to get the original packet.

Unlike VPN which does not support multicast, GRE tunnel does support multicast so many popular routing protocols (like OSPF, EIGRP) can operate along with.

Note: The IP addresses of the two ends of GRE Tunnel (63.1.27.2 & 85.5.24.10 in this case) can be in the same subnet or different subnet (like over the Internet with public IP addresses), provided that two routers know how to reach each other’s tunnel IP address. For example in this case R1 must know how to reach 85.5.24.10 and R2 must reach 63.1.27.2.

Now you learned the basis of GRE Tunnel. It is important to show you the related GRE configuration of the example above. Suppose OSPF is used in our company.

R1 (GRE config only)
interface s0/0/0
ip address 63.1.27.2 255.255.255.0
interface tunnel0
ip address 10.0.0.1 255.255.255.0
tunnel mode gre ip //this command can be ignored
tunnel source s0/0/0
tunnel destination 85.5.24.10
router ospf 1
network 192.168.1.0 0.0.0.255 area 0
R2 (GRE config only)
interface s0/0/0
ip address 85.5.24.10 255.255.255.0
interface tunnel1
ip address 10.0.0.2 255.255.255.0
tunnel source 85.5.24.10
tunnel destination 63.1.27.2
router ospf 1
network 192.168.1.0 0.0.0.255 area 0

In the above R1 configuration, the command interface tunnel0 create the virtual tunnel 0 interface, which is called a tunnel interface. We can use any number. The tunnel numbers do not need to match on two routers so on R2 we can use “interface tunnel1” without any problem.

The next line assigns the IP address for the tunnel interface: 10.0.0.1/24. The IP addresses of two tunnel interfaces must be in the same subnet (10.0.0.1/24 on R1 & 10.0.0.2/24 on R2 in this case).

The command tunnel mode gre ip is in fact not necessary as this is the default setting. We just want to show you this command and let you know that we are configuring a traditional point-to-point GRE. There are other GRE modes like “tunnel mode gre multipoint” used in DMVPN or “tunnel mode gre ipv6” to encapsulate IPv4 packets in an IPv6 infrastructure.

Next we have to specify the tunnel source and tunnel destination with “tunnel source …” and “tunnel destination” commands. For “tunnel source” command, we can either specify the interface or the IP address of the interface. When we define the tunnel source and tunnel destination in the tunnel interface, the router will add these IP addresses to the GRE packet generated by the tunnel interface. At the receiving end, the router looks for the tunnel destination and decapsulates the packet, then forwards it to the specific tunnel interface.

GRE_tunnel_source_destination.jpg

Note: We can use loopback interface as the tunnel source or destination. Traffic will flow through the best physical path toward the tunnel destination.

One last note, GRE tunnels are stateless which means the tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. Therefore the local tunnel endpoint does not bring the line protocol of the GRE tunnel interface down if the remote tunnel endpoint is unreachable. For example, if R2 tunnel interface is brought down for some reason, R1 tunnel interface will remain in up state.

If you are interested in full config for GRE please read our GRE tunnel Lab to have detailed knowledge of how to configure GRE tunnel.

Comments (28) Comments
  1. MarkL
    April 27th, 2018

    Hi, is there a typo maybe with the PC1 or /and PC2 IP addresses ?
    The tutorial says:
    “The IP addresses of two tunnel interfaces must be in the same subnet (192.168.1.1/24 on R1 & 192.168.1.2/24 on R2 in this case)”
    and the Host IPs of PC1 and PC2 are:
    192.168.1.1
    and
    192.168.2.1

    Thanks,
    Mark

  2. Rokibul Hasan
    May 2nd, 2018

    Need detailed…with lab

  3. nika
    May 3rd, 2018

    good question

  4. Gregory
    May 8th, 2018

    Hi. Does it matter if interface IPs configured are public or private and the respective Tunnel interface IPs are also public or private ?

    If interface IPs are private then Tunnel IPs must be public and vice versa ? Do both cases work ?

    It is a bit confusing since in GNS3 lab you have private IPs on the interfaces and public on the Tunnel ones while here is the opposite.

  5. Vlonee
    May 10th, 2018

    @Gregory I think the aim of configuring the physical interface with a private address is to enable you see from a virtual perspective how a private address could communicate with another private address via the cloud. Once you ping now you’ll get replies. Secondly the tunnel interface is configured with a public routable address because it is the one that encapsulates the private address in itself making it seem like it is public to enable communication with the other private address.

  6. Anonymous
    May 14th, 2018

    @Gregory -To add to Vlonee’s comment, in a Lab environment, it doesn’t matter what IP addresses you configure on where. But in real world scenario, one of the purposes (or the main purpose) of a GRE Tunnel is to carry a company’s internal private network through the cloud (public internet) to the company’s other branch location or locations. So realistically, the GRE Tunnels are configured with private IP address, while the internet or ISP facing interfaces are configured with public IP addresses.

  7. Tom
    May 19th, 2018

    Hi, what’s the use case for GRE? why not to have the R1 and R2 communicating over standard routing protocol – whichever implemented? Tks. Tom

  8. Andy
    May 21st, 2018

    Hi All,

    I have a ,dump that used on 2 weeks ago about 13-14 May 2018.
    If you want to use it, you can contact me on email {email not allowed}

  9. Amigo
    May 21st, 2018

    Hi Andy we can not see ur email here…

    please send to me on ihussein496(@)gmail.(com)

    thank you in advance

  10. Becks
    June 7th, 2018

    Hey Any,
    Can you send me any latest dumps that you have as well. {email not allowed}

    Thanks
    23Becks

  11. Becks
    June 7th, 2018

    Hi Andy,
    I guess i didn’t do that right. mt79126 ( @ ) yahoo. (com)

    Thanks again

  12. Ngo Ngoc Luu
    June 11th, 2018

    Hi Andy,
    Can you send latest dumps that you have ?
    (ngongocluuuct@gmail. com)….
    Thanks

  13. tannerX
    June 11th, 2018

    hi, I have the same question …didnt quite understand!

    Hi, is there a typo maybe with the PC1 or /and PC2 IP addresses ?
    The tutorial says:
    “The IP addresses of two tunnel interfaces must be in the same subnet (192.168.1.1/24 on R1 & 192.168.1.2/24 on R2 in this case)”
    and the Host IPs of PC1 and PC2 are:
    192.168.1.1
    and
    192.168.2.1
    Thanks,
    Mark

  14. Nav Man
    June 12th, 2018

    Hi tannerx

    After some deductive thinking please see facts below, then the conclusion, it must be a typo. Two keywords that clinched it are “same subnet”.

    Extracted text from tutorial above
    “The next line assigns the IP address for the tunnel interface: 192.168.1.1/24. The IP addresses of two tunnel interfaces must be in the same subnet (192.168.1.1/24 on R1 & 192.168.1.2/24 on R2 in this case).”

    I hope it sheds some light on the matter, I am no expert, like most fretting about the exam which is fast looming closer for me. Can anything be done to extend last date for the exam which Cisco imposes on you once the last module exam has been completed?. For example, In case if you suddenly had a massive panic attack and been incapacitated for say a month.

  15. Nav Man
    June 12th, 2018

    Hi tannerx

    Just wanted conclusively prove about the typo error, I did a the associated GRE Lab (“If you are interested in full config for GRE please read our GRE tunnel Lab to have detailed knowledge of how to configure GRE tunnel.”)
    I successfully completed the labs as per the instructions, the ping thru tunnel worked. Then I changed on R2 the GRE tunnel interface ip address from 12.12.12.2 to 12.12.13.2. The ping test failed. After I put back the changes it start working.

  16. blackisok
    June 15th, 2018

    Hi,

    I live in Angola and I will the certification on monday.
    Please sameone send me any latest dumps that you have as well.

    {email not allowed}

    Thanks, and good luck

  17. AA
    June 19th, 2018

    @Nav Man & Tannerx
    I don’t think it’s a typo. The reference of “The IP addresses of two tunnel interfaces must be in the same subnet” is exactly what it means. The 2 sub interfaces (tunnel interfaces) must be in the same subnet and does not have to be in the same subnet as the PCs. The above example states that OSPF is in use which will advertise the 192.168.1.0 network

  18. Moe ahmed
    June 20th, 2018

    IP address for the tunnel interface: 10.0.0.1/24. The IP addresses of two tunnel interfaces must be in the same subnet (10.0.0.1/24 on R1 & 10.0.0.2/24 on R2 in this case) and it is correct!

  19. ahmed
    June 28th, 2018

    hi,
    my test is next week,
    please send me dumps on
    {email not allowed}

  20. ahmed11
    June 28th, 2018

    hi,
    my test is next week,
    please send me dumps on
    {email not allowed}

  21. ahmedq11
    June 28th, 2018

    hi,
    my test is next week,
    please send me dumps on
    {email not allowed}

  22. Anonymous
    June 30th, 2018

    Hi can someone please send me the latest brain dumps on mramsaran ( @ ) gmail. (com)

  23. eyyup
    July 1st, 2018

    I need dumps eyyupbarut (@) gmail.com

  24. Newton
    July 1st, 2018

    ALL LATEST VALID DUMPS AT BELOW LINK:
    CCNA
    CCNP
    CCIE
    PASS without any risk.

    https://docs.google.com/document/d/1GyGH0VZq6XcdRI7nHBLHiu_0gIb1Vjd3cxbyS64VEWc/edit

  25. desparate
    July 5th, 2018

    kindly share latest dumps, writing in a week paul.thuso @ gmail .com

  26. Anonymous
    July 9th, 2018

    Jesus Christ almighty, FOR LOVE OF GOD Please dump CCENT to melinli6969 (@) gmail.(com). YOU WILL BE MY SAVIOR

  27. Anonymous
    July 9th, 2018

    melvinli6969, typo

  28. Amin
    July 16th, 2018

    It was helpful.
    Thanks

Add a Comment