GRE Tunnel Theory and Configuration

Captions
Let's say that we had a couple of routers located at different sites, separated by the Internet or maybe a service provider's cloud, and we needed those two routers to appear to be layer two adjacent. Perhaps they needed to form a neighborship between themselves. One way we can make that happen is to create a Generic Routing Encapsulation, or GRE, tunnel between these two routers. With a GRE configuration we can send a packet out of a router, and we can send it out of a tunnel interface as opposed to a physical interface. We're logically sending it down this big long tunnel, which might wind its way through many routers that are out on the Internet, but from the perspective of the routers, this logical tunnel through which the packet is traveling appears to be a single hop. Then the packet emerges from the tunnel, the tunnel header is removed, and the packet is sent on its way.

GRE, however, does have an issue. Even though it is very generic, in other words it can encapsulate just about any layer 3 protocol you can imagine, including unicast IP, multicast IP, broadcast IP, IPX, AppleTalk, and the list goes on and on, even though it's very flexible as to what it can encapsulate, by itself it does not do security. However, what we can do is use GRE in tandem with IPsec.

Consider this topology. Routers R1 and R2 need to communicate securely between one another and, like we said, a GRE tunnel can logically interconnect routers R1 and R2. GRE, however, is not going to add security to that traffic. It's not going to do encryption, it's not going to do authentication. However, IPsec can do those things. You might wonder, why don't we just do IPsec to start with? Why even bother with GRE? Interestingly, IPsec has its own limitation, and that is it can secure unicast IP traffic, but not multicast IP traffic and not broadcast IP traffic, and traffic between our sites might very well be broadcast or multicast traffic. For example, routing protocols: many of them rely on multicasts.

But what if we did this? What if we encapsulated unicast IP, broadcast, multicast, whatever we wanted, inside of a GRE packet? And if we take a look at a GRE packet, what is that packet? Regardless of what it contains, the GRE packet itself is a unicast IP packet, exactly what we can send down an IPsec tunnel. What we can do, therefore, is take whatever traffic we want to send between these two routers, put that traffic into a GRE tunnel, and then put the GRE traffic into an IPsec tunnel. This is a really common approach in the VPN world, where we can encapsulate just about anything we want and secure it.

What we want to do now in this video is to see how we can set up a basic GRE tunnel. Let's go out to a live interface and take a look. Using this topology on screen, let's set up a GRE tunnel between routers R1 and R4. We see that physically, in order to get from R1 to R4, we have to pass through routers R2 and R3. However, we're going to set up a GRE tunnel, so it's going to appear that it's a single hop from R1 over to R4.

Let's begin on router R1. We're going to create, out of thin air, a virtual tunnel interface. We can do that by saying interface tunnel, and we give a locally significant identifier. I'm just going to say interface tunnel 1, and we can assign an IP address to this tunnel just like we were to assign an IP address to any of our router interfaces. Let's say ip address, and I'll say it's 192.168.0.1, and since I only need two IP addresses for this tunnel, I'm going to use a 30-bit subnet mask. We'll say 255.255.255.0. R1, what's the source of this tunnel and what's the destination of this tunnel? I'm going to say that my tunnel source, and context-sensitive help shows us that I could specify an IP address or an interface. What I typically do is say the tunnel source is the loopback interface on this router. I'm going to say it's interface loopback 0, and for the destination I'm going to specify the IP address of router R4's loopback interface. We'll say tunnel destination 4.4.4.4, and we're done with our configuration on router R1.

Let's go to router R4, and on router R4 we'll give a complementary configuration. Let's say interface tunnel 1, and let's give an IP address for this tunnel. I'll say it's 192.168.0.2 with a 30-bit subnet mask. That IP address is in the same subnet as the IP address we gave to the other side of the tunnel. Who is my tunnel source? We're going to say it's loopback 0, and the destination is going to be the IP address of the loopback interface on router R1, which is 1.1.1.1, and we're done with our configuration on router R4.

Oh, and I have some confirmation that it's working. Look at that: we just formed an EIGRP neighborship over that tunnel, because I had told both of these routers that all of the interfaces should participate in EIGRP, and we just formed a neighborship over this tunnel. However, let's do some further verification. Let's do a show ip interface brief, and we can see this newly created tunnel interface. We can see its IP address, and it is in the up/up state. Fantastic. Can I ping the other side of the tunnel? Can I do a ping to 192.168.0.1? Yes, I can. And we can get more information about this tunnel by doing a show interface tunnel 1. We can see the tunnel source, we can see the tunnel destination, and we can see that the encapsulation is tunnel. This is telling me that this is a GRE tunnel.

But the real test is to do a traceroute. Let's make sure that the far end of this tunnel appears to be only one router hop away. Let's do a traceroute to the other side of this tunnel. Let's do a traceroute to 192.168.0.1. How many hops away? It's only one. Look at that: our next hop was the other end of the tunnel, and that was our destination. Even though our packets really went from R4 to R3 to R2 to R1, logically it appears that we're just one hop away. And that's a look at how we can create a Generic Routing Encapsulation, or GRE, tunnel.
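
Added example (not part of the video or its captions): a byte-level sketch of the point made above, that a GRE packet is a unicast IP packet whatever it carries, and that GRE alone leaves the inner traffic readable. It uses the tunnel and loopback addresses from the walkthrough; the function names and the inner payload bytes are assumptions constructed for illustration.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number assigned to GRE
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) followed by payload."""
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       255, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload

def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Basic GRE header: 2 bytes flags/version (all zero) + 2 bytes protocol type."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def describe(packet: bytes) -> dict:
    """Parse outer IPv4 + GRE and report what any device on the path can see."""
    ihl = (packet[0] & 0x0F) * 4
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if packet[9] != GRE_PROTO or flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a basic GRE packet carrying IPv4")
    inner = packet[ihl + 4:]
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner_dst = ipaddress.IPv4Address(inner[16:20])
    return {
        "outer_dst": str(outer_dst),
        "outer_is_multicast": outer_dst.is_multicast,
        "inner_dst": str(inner_dst),
        "inner_is_multicast": inner_dst.is_multicast,
        # GRE does not encrypt: the inner payload is recoverable as-is
        "inner_payload": inner[(inner[0] & 0x0F) * 4:],
    }

# Constructed sample: multicast packet from R1's tunnel address to 224.0.0.10,
# IP protocol 88 (EIGRP); the payload bytes are a placeholder, not a real hello.
INNER = ipv4("192.168.0.1", "224.0.0.10", 88, b"constructed-hello")
OUTER = gre_encap(INNER, "1.1.1.1", "4.4.4.4")
```

The outer header is plain unicast from 1.1.1.1 to 4.4.4.4, which is what makes the packet eligible for an IPsec tunnel, while `describe(OUTER)["inner_payload"]` shows why GRE without IPsec provides no confidentiality.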
Info
Channel: Kevin Wallace Training, LLC
Views: 103,224
Rating: 4.934866 out of 5
Keywords: Cisco Career Certification, Kevin Wallace, 1examamonth, 300-101, 200-120, 101-101, ROUTE, Cisco CCNP, Cisco, CCNA, CCNP, CCIE, CCDP, VPNs, IPsec, #kwtrain
Id: ZAFl4etjXs4
Length: 6min 7sec (367 seconds)
Published: Thu Oct 02 2014