How GRE Tunnels Work | VPN Tunnels Part 1

Captions
You've probably used VPNs before. Maybe you have VPN software installed on a computer at home and you use it to connect to your office. What we're doing with this is building a tunnel through a network. This is like a bypass tunnel under a city: we get through the city, but we're not bothered by any of the traffic lights.

GRE, or Generic Routing Encapsulation, is a type of VPN. Unlike the VPN that connects your computer to the office, a GRE tunnel connects one part of the network to another part of the network. Before getting too deep into the mechanics of GRE, let's consider where they're used.

The obvious reason to use GRE is to build a tunnel across the Internet. This is useful if you have branch offices and want to connect to your main site. A GRE tunnel is going to cost far less than putting in dedicated WAN lines. But that's just one way to use GRE. There are some other possibilities that you may not have thought of.

You may have a few network islands that need to be brought together. There are a few reasons this could happen. If you're running RIP as your routing protocol, hop count is your metric. Building a tunnel between the islands creates a virtual link, lowering the hop count. You could also leave RIP in the middle of your network and run OSPF between your islands. Or maybe you're migrating to IPv6. The core of your network may still be IPv4 and you have IPv6 islands. GRE can carry the IPv6 traffic over the IPv4 core.

We can take this a step further and extend it to the WAN. While it's getting rare, it is still possible to find some WAN types out there that don't support multicast. Well, good news: GRE tunnels do. Now you don't have to go and change your WAN type if you want to add multicast traffic. This in turn adds support for dynamic routing. You usually need multicast for hello packets, and not all VPNs allow this, so GRE has an advantage.

And lastly we have an unusual case: you may use GRE with a DDoS provider. You sign up with a provider and build a GRE tunnel with them. All your incoming Internet traffic goes to them first. They remove anything malicious and send the rest to you over the GRE tunnel.

Now it's time to see how GRE tunnels actually work. We have a scenario here with two edge routers and two WAN routers. We manage the edges, but we have no control over the WAN; they're managed by a service provider. But we want to run OSPF between our edge routers, and for that we need them to be directly connected. The workaround is to create a tunnel between them. Our routers each have an interface connected to the WAN network. They can route packets through the WAN to each other.

GRE tunnels use a virtual tunnel interface, or VTI. Tunnel interfaces are much like regular interfaces. This includes setting the IP address and mask. We also need to set the source and destination of the tunnel. These are the IPs that we're going to use in our WAN network. That's the minimum we need to get the tunnel running. The tunnel interface is much like any other interface, so now it looks like the routers are directly connected. We could now easily configure OSPF and the neighbors would come up. So now when traffic arrives at the router, it is passed across the tunnel.

The core network is transparent to this traffic. What do I mean by this? Well, if you ran a traceroute, each of these edge routers would appear, but the routers in the middle will not. The network that we're tunneling across is called the underlay network. The tunnel is built on top of the underlay and therefore is called the overlay network. This is because the traffic is encapsulated when it is passed through the tunnel. This means that extra headers are added to each tunnelled packet.

Firstly, a GRE header is added. This includes information to describe the traffic that's being carried through the tunnel. The most important piece of information in the GRE header is the protocol used for the original packet. For example, this could be IPv4 or IPv6. It may also include some optional information like an authentication key and a checksum. An extra IP header is now added. Notice that there are now two IP headers. The inner header is the original header that was there before the encapsulation started. The outer header is used to transport the packet across the underlay. This uses the routers' real IP addresses for the source and destination.

The encapsulated traffic is forwarded across the underlying network just like any other packet. The original packet is not changed as it's passed around. When the packet arrives at the destination router, the headers are removed, leaving the original untouched packet. This can now be delivered to its ultimate destination just like it normally would be.

These extra headers change the size of the packet. A standard Ethernet link will have an MTU of 1500. The extra headers are 24 bytes long, so a large packet will go over the 1500 bytes and will be fragmented or dropped. The solution therefore is to lower the MTU to 1436, so the packet's payload plus the extra headers will not go over 1,500 bytes. We should adjust the MSS too. In the case of IPv4, this should be 40 bytes lower than the MTU.

To lock this into our brains, let's run through a quick packet walk. The computer here on the left wants to send a packet to the computer on the right. It starts by sending the packet to its default gateway. The router looks at its routing table and sees that the next hop is at the other end of the tunnel. The router now adds the GRE header. This says that IPv4 is the original protocol type. There's no authentication keys or anything fancy in our example. Next the outer IP header is added. The IP of the router's physical interface is the source, and the IP of the destination router's physical interface is the destination IP. The encapsulated packet is then sent across the underlay. Each router makes forwarding decisions like it would for any other packet. Eventually the packet arrives at the other end of the tunnel. The router sees that the destination IP matches itself and determines that this is a GRE packet. It can now decapsulate the packet by removing the IP and GRE headers. The original packet is left, which can now be forwarded to the workstation.

So we have a tunnel that we can reroute traffic over, but there's a catch: GRE tunnels are not encrypted by default. That's a serious concern if you're building a tunnel over the Internet. We can add encryption using IPsec, which is exactly what we're going to do in the next video. So if you've liked this video, please let me know by leaving a comment and subscribing, and I'll see you soon.
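As an added example (not code from the video or from Network Direction), here is the encapsulation and packet walk described above done by hand in Python with the standard `struct` module: the sending edge router prepends a GRE header and an outer IPv4 header to an untouched inner packet; the receiving edge router checks that the outer destination is one of its own addresses and that the outer protocol is GRE (IP protocol 47), then strips the headers, skipping the optional checksum, key and sequence fields when their flag bits are set. It also computes the 24-byte overhead against a 1500-byte link. All addresses, the key value and the payload are constructed sample values, and the function names are this example's own.

```python
import struct
from typing import Iterable, Optional, Tuple

# Added example, not the video's code: hand-built GRE-over-IPv4 tunnelling.
GRE_IP_PROTOCOL = 47           # outer IPv4 "protocol" field value for GRE
ETHERTYPE_IPV4 = 0x0800        # GRE protocol type for an IPv4 inner packet
ETHERTYPE_IPV6 = 0x86DD        # GRE protocol type for an IPv6 inner packet
GRE_FLAG_CHECKSUM = 0x8000     # C bit: optional checksum + reserved word follows
GRE_FLAG_KEY = 0x2000          # K bit: optional 32-bit key follows
GRE_FLAG_SEQ = 0x1000          # S bit: optional sequence number follows
IPV4_HEADER_LEN = 20
GRE_BASE_HEADER_LEN = 4
TUNNEL_OVERHEAD = IPV4_HEADER_LEN + GRE_BASE_HEADER_LEN  # the 24 bytes from the video


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071); returns 0 over a header whose checksum is filled in."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, protocol: int, payload_len: int, ident: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                      ident, 0, 64, protocol, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int, key: Optional[int] = None) -> bytes:
    """4-byte GRE header (flags/version, protocol type) plus the optional key if given."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, protocol_type)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str,
                    protocol_type: int = ETHERTYPE_IPV4, key: Optional[int] = None) -> bytes:
    """Sending edge router: outer IPv4 header + GRE header + the untouched inner packet."""
    gre = gre_header(protocol_type, key)
    outer = ipv4_header(outer_src, outer_dst, GRE_IP_PROTOCOL, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes, my_addresses: Iterable[str]) -> Tuple[int, Optional[int], bytes]:
    """Receiving edge router: verify the outer header is for us and is GRE, then strip it.
    Returns (inner protocol type, GRE key or None, inner packet)."""
    if len(packet) < IPV4_HEADER_LEN or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    dst = ".".join(str(b) for b in packet[16:20])
    if dst not in set(my_addresses):
        raise ValueError("outer destination %s is not this router; forward, don't decapsulate" % dst)
    if packet[9] != GRE_IP_PROTOCOL:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + GRE_BASE_HEADER_LEN])
    offset = ihl + GRE_BASE_HEADER_LEN
    if flags & GRE_FLAG_CHECKSUM:
        offset += 4        # checksum (2 bytes) + reserved (2 bytes)
    key = None
    if flags & GRE_FLAG_KEY:
        key, = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_SEQ:
        offset += 4
    return protocol_type, key, packet[offset:]


def encapsulated_length(inner_len: int) -> int:
    """Size on the underlay of an inner packet of inner_len bytes."""
    return inner_len + TUNNEL_OVERHEAD


def fits_underlay(inner_len: int, link_mtu: int = 1500) -> bool:
    """True if the encapsulated packet crosses a link_mtu link without fragmentation."""
    return encapsulated_length(inner_len) <= link_mtu


def tcp_mss_for(ip_mtu: int) -> int:
    """For IPv4 the TCP MSS is 40 bytes (IP + TCP headers) lower than the interface MTU."""
    return ip_mtu - 40


if __name__ == "__main__":
    # Constructed sample values: LAN hosts on each side and the edge routers' WAN addresses.
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 17, 5) + b"hello"
    tunnelled = gre_encapsulate(inner, "203.0.113.1", "198.51.100.1")
    print("on the underlay: %d bytes, inner packet: %d bytes" % (len(tunnelled), len(inner)))
    ptype, key, original = gre_decapsulate(tunnelled, {"198.51.100.1"})
    print("inner protocol type 0x%04x, original untouched: %s" % (ptype, original == inner))
    print("1500-byte inner packet fits a 1500 MTU link:", fits_underlay(1500))
    print("1436-byte inner packet fits:", fits_underlay(1436), "MSS:", tcp_mss_for(1436))
```

The decapsulation order mirrors the packet walk: a packet whose outer destination is not the router's own address is an error here because a real router would forward it across the underlay instead of stripping it, and the protocol check is what tells the router that what arrived is a GRE packet rather than ordinary traffic for itself.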
Info
Channel: Network Direction
Views: 53,555
Rating: 4.9488053 out of 5
Keywords: gre vpn, gre tunnel, generic routing encapsulation, what is gre tunnel, generic routing encapsulation (internet protocol), vpn network, gre, tunnels, underlay, encapsulation, cisco, ccna, ccnp, vpn, site to site, routing, internet, wan, ospf, rip, hop count, ipv6, ddos, vti, overlay, mtu, mss, encryption, site to site vpn, cisco gre tunnel configuration, tunneling protocol, ccna security, routing protocols, virtual private network
Id: ytAqv7qHGyU
Length: 7min 20sec (440 seconds)
Published: Thu Aug 23 2018