Understanding GRE Tunnels: An Essential Guide
Generic Routing Encapsulation - with LAB Example
Introduction
In the world of modern networking, the ability to connect disparate networks securely and efficiently is crucial for businesses and organizations. One technology that has proven to be invaluable in achieving this is the Generic Routing Encapsulation (GRE) tunnel. GRE provides a flexible and scalable method for encapsulating packets and transporting them over an intermediate network. In this article, we will delve into the details of GRE tunnels, exploring how they work, their benefits, and various use cases in today's networking landscape.
What is a GRE Tunnel?
A GRE tunnel is a virtual point-to-point connection that encapsulates packets from one network protocol within another. Essentially, GRE creates a private, secure, and isolated path between two endpoints over a public or untrusted network, like the Internet. It achieves this by encapsulating the original packets inside GRE headers, allowing them to traverse the intermediate network while keeping their original routing information intact.
How GRE Tunnels Work
A GRE tunnel consists of two endpoints: the source and the destination. When a packet is sent from the source endpoint, it is encapsulated with a GRE header, which identifies the original packet type, and an outer IP header, which carries the tunnel destination IP address. The packet is then routed through the intermediate network, like any other IP packet, until it reaches the destination endpoint. At the destination, the outer IP header and GRE header are stripped off, and the original packet is forwarded to its final destination based on its original routing information.
Benefits of GRE Tunnels
Encapsulation Flexibility: GRE is protocol-agnostic, meaning it can encapsulate packets from various network protocols. This versatility allows for the seamless integration of different networks and devices.
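Enhanced Security: By creating a private tunnel, GRE adds an extra layer of security, shielding the original packet's content from potential eavesdroppers and unauthorized access. GRE itself does not encrypt or authenticate packets, so this protection depends on pairing the tunnel with an encryption protocol such as IPsec.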
Isolation and Routing Independence: GRE tunnels allow networks to communicate with each other as if they were directly connected, even if they use different routing protocols. This independence makes it easier to connect networks with diverse configurations.
Overcoming NAT Limitations: GRE tunnels can bypass Network Address Translation (NAT) devices, enabling communication between private IP networks across the internet.
Use Cases of GRE Tunnels
Site-to-Site Connectivity: GRE tunnels are widely used for connecting remote offices and branch locations to the main corporate network, enabling secure communication over the Internet.
VPN Solutions: GRE can be combined with encryption protocols to create Virtual Private Networks (VPNs), ensuring privacy and confidentiality in data transmission.
IPv6 Transition: During the transition from IPv4 to IPv6, GRE tunnels can help establish connectivity between IPv4-only and IPv6-only networks, facilitating a smooth migration.
Multicast over Unicast Networks: GRE tunnels can be utilized to transmit multicast traffic over networks that only support unicast traffic, expanding the reach of multicast applications.
Lab Example
In the topology above, R1 and R3 act as edge routers that form a site-to-site GRE tunnel.
The tunnel IP address segment is 192.168.10.0/24, and R1 and R3 form an EIGRP adjacency over this tunnel segment. Note that in this demonstration I use RIPv2 for underlay reachability (172.16.0.0).
The EIGRP adjacency advertises the LAN-side networks 10.1.1.0/24 and 10.3.3.0/24 with the tunnel IP addresses as next hops.
R1 Configuration
!
interface Tunnel0
ip address 192.168.10.1 255.255.255.0
tunnel source Ethernet0/0
tunnel destination 172.16.31.2
!
interface Ethernet0/0
ip address 172.16.11.2 255.255.255.252
!
interface Ethernet0/3
ip address 10.1.1.254 255.255.255.0
!
router eigrp 100
network 10.1.1.0 0.0.0.255
network 192.168.10.0
!
router rip
version 2
network 172.16.0.0
no auto-summary
!
R2 Configuration
!
interface Ethernet0/0
ip address 172.16.11.1 255.255.255.252
!
interface Ethernet0/1
ip address 172.16.31.1 255.255.255.252
!
router rip
version 2
network 172.16.0.0
no auto-summary
!
R3 Configuration
!
interface Tunnel0
ip address 192.168.10.3 255.255.255.0
tunnel source Ethernet0/1
tunnel destination 172.16.11.2
!
interface Ethernet0/1
ip address 172.16.31.2 255.255.255.252
!
interface Ethernet0/3
ip address 10.3.3.254 255.255.255.0
!
router eigrp 100
network 10.3.3.0 0.0.0.255
network 192.168.10.0
!
router rip
version 2
network 172.16.0.0
no auto-summary
!
Verification
VPC1 traceroute to VPC2
VPC1> trace 10.3.3.3
trace to 10.3.3.3, 8 hops max,
1 10.1.1.254 0.428 ms 0.415 ms 0.300 ms
2 192.168.10.3 1.132 ms 0.876 ms 1.028 ms
3 *10.3.3.3 2.424 ms
The traffic goes through the Tunnel IP address (192.168.10.3) as the next-hop.
The output below shows detailed information for the tunnel interface:
Tunnel interface status
Tunnel IP address, Tunnel Source
Tunnel MTU, Bandwidth, Delay, Keepalive
Tunnel Encapsulation type
R1#show interfaces Tunnel 0
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 192.168.10.1/24
MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 172.16.11.2 (Ethernet0/0), destination 172.16.31.2
Tunnel Subblocks:
src-track:
Tunnel0 source tracking subblock associated with Ethernet0/0
Set of tunnels with source Ethernet0/0, 1 member (includes iterators), on interface <OK>
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255, Fast tunneling enabled
Tunnel transport MTU 1476 bytes
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
...
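The encapsulation described under "How GRE Tunnels Work", applied to this lab's addresses, as an added example that is not part of the original article: the script builds a GRE packet with the same settings the output above reports (no key, sequence or checksum) and parses it back, showing that the inner packet is readable in the clear and where the 1476-byte transport MTU comes from. The inner source 10.1.1.1, the payload bytes and the 1500-byte underlay MTU are assumptions.

```python
import socket
import struct

GRE = 47  # IP protocol number assigned to GRE

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left 0 in this constructed sample.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 255,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def build_sample(data=b"cleartext LAN payload"):
    # Constructed packet. 10.1.1.1 is an assumed VPC1 address; 253 is an
    # experimental IP protocol number standing in for real application traffic.
    inner = ipv4_header("10.1.1.1", "10.3.3.3", 253, len(data)) + data
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no C/K/S bits, payload is IPv4
    outer = ipv4_header("172.16.11.2", "172.16.31.2", GRE, len(gre) + len(inner))
    return outer + gre + inner

def parse_ipv4(buf):
    if len(buf) < 20 or buf[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        raise ValueError("bad IPv4 header length")
    return {"src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
            "proto": buf[9], "ihl": ihl, "payload": buf[ihl:]}

def parse_gre(packet, underlay_mtu=1500):  # 1500-byte underlay MTU is an assumption
    outer = parse_ipv4(packet)
    if outer["proto"] != GRE:
        raise ValueError("outer packet is not GRE")
    gre = outer["payload"]
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", gre[:4])
    csum, key, seq = bool(flags & 0x8000), bool(flags & 0x2000), bool(flags & 0x1000)
    hdr_len = 4 + 4 * (csum + key + seq)  # each optional field adds 4 bytes
    if len(gre) < hdr_len:
        raise ValueError("truncated GRE optional fields")
    inner = parse_ipv4(gre[hdr_len:]) if ptype == 0x0800 else None
    return {"outer": (outer["src"], outer["dst"]), "checksum": csum, "key": key,
            "sequence": seq, "protocol_type": ptype, "gre_header_len": hdr_len,
            "transport_mtu": underlay_mtu - outer["ihl"] - hdr_len,
            "inner": (inner["src"], inner["dst"]) if inner else None,
            "inner_payload": inner["payload"] if inner else None}

if __name__ == "__main__":
    for field, value in parse_gre(build_sample()).items():
        print(f"{field}: {value}")
```

Anyone on the path between R1 and R3 (R2 in this lab) can run the same parse on captured traffic, which is why the tunnel needs an encryption protocol on top when the underlay is untrusted.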
For reference, the output below shows the EIGRP neighbor status and routing table on R1.
R1#show ip eigrp neighbors
EIGRP-IPv4 Neighbors for AS(100)
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 192.168.10.3 Tu0 14 01:38:33 19 1470 0 3
R1#show ip route
...
Gateway of last resort is not set
...
D 10.3.3.0/24 [90/26905600] via 192.168.10.3, 01:39:44, Tunnel0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
...
R 172.16.31.0/30 [120/1] via 172.16.11.1, 00:00:20, Ethernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, Tunnel0
L 192.168.10.1/32 is directly connected, Tunnel0
Conclusion
As networks continue to grow in complexity, the need for robust, secure, and scalable connectivity solutions becomes paramount. GRE tunnels provide a powerful tool for achieving these objectives, enabling organizations to create secure, private connections across diverse networks. With their flexibility, security features, and versatility, GRE tunnels remain an indispensable part of modern networking, facilitating seamless communication between geographically dispersed entities. As technology advances, GRE tunnels will continue to play a pivotal role in enabling the interconnectivity that drives today's digital world.