Create a GRE tunnel between endpoints!

Many time it is necessary to link a remote office to your main site and today we have many technologies to accomplish this task. We have IPSEC tunnels, IP-IN-IP tunnels, and GRE or Generic Routing Encapsulation Tunnels.

Each type of connectivity offers advantages and disadvantages. Some of these tunnels can even be overlaid on top of one another. For instance IPSEC can be used in a transport mode, which allows you to use the encryption with other tunnels or protocols. For this article we are going to discuss GRE tunnels. GRE is unique as tunneling technologies go in that is started out as a proprietary protocol developed by Cisco and later adopted as a standard. GRE was invented as a way of encapsulating non routable protocols in IP which is a routable protocol. In this way protocols such as multicast (this include OSPF, EIGRP), and other protocols like IPX could be tunneled across routable links.

 

GRE offers several advantages today when used as a tunnel to connect private LANs. The main advantages are the ability to carry multicast traffic, i.e. routing protocols across the internet. For instance, lets say you had a main office in London, which has Frame Relay links to 15 offices in Europe, and you have your headquarters in Washington D.C. with a MPLS network of 25 offices across North and South America. Now suppose due to the costs of bandwidth and particularly the cost of private connection such as frame across the pond, you decided to go with a 45mbps T3 line. Between London and D.C.  Now you could connect these offices with an IPSEC VPN however if you did this you would be limited to building static  routes for each network on each side of the ocean, this is not a very scalable solution and does not allow you the advantages of a dynamic routing protocol. This solution may even limit you should you decide to add a second T3 later say to an office in Madrid. With dynamic routing protocols, the traffic would automatically swing to the Madrid office if something were to happen to the link between D.C. and London. The solution  to this problem is to use GRE tunnels, since GRE tunnels pass all types of traffic you can easily run a dynamic routing protocol, like OSPF or EIGRP. These protocols will allow seamless easy route adjustments when a route goes down.

 

Configuring GRE tunnels is easy with a few simple steps you will be on your way. Before we can talk about configuring GRE tunnels we need to discuss exactly what the requirements for GRE are! GRE is a protocol, like IP you need to make sure this protocol is allowed through your firewall if you want to terminate a GRE tunnel. GRE to be more exact is protocol 47. Please be mindful that this is not port 47 but protocol 47. Allowing port 47 through your firewall will not allow GRE to work.

 

Steps to configure a GRE tunnel

 

  1. create access-list on outside interface to permit GRE
  2. create tunnel interface

 

interface Tunnel0
 ip address 172.20.1.1 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination 192.168.1.2
 tunnel path-mtu-discovery
!
!
!
!
interface FastEthernet0/1
 description LAN INTERFACE
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
!
!
!
interface FastEthernet0/0
 description Internet Interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group allow-gre in
 ip nat inside
 duplex auto
 speed auto
!
!
!
!
ip access-list extended allow-gre
 permit gre any any

Tags: , , , ,

Leave a Reply

You must be logged in to post a comment.

Categories
Support Our site