Generic Routing Encapsulation (GRE) Tunnel

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco. It provides a virtual point-to-point private connection by encapsulating packets and forwarding them over an IP-based network. GRE is used in many scenarios, such as transporting IPv6 traffic over an IPv4-only network. We can also use GRE to tunnel routing protocols like RIP, OSPF, or EIGRP between HQ and branch sites.

 

How Do GRE Tunnels Work?

When a router encapsulates a data packet, it wraps the packet in new header information (encapsulation) that carries the remote endpoint’s IP address as the destination. The GRE packet consists of the GRE IP header, the GRE header and flags, the original IP header, and the payload data. The new IP header allows the GRE packet to be routed between the two tunnel endpoints without any router along the way inspecting the original packet’s payload. Once the packet reaches the remote tunnel endpoint, the GRE header is removed (de-encapsulation), and the original data packet is routed to the remote network.

 

Original Packet

IP Header | Payload Data

 

GRE Packet

GRE IP Header | GRE Flags | Original IP Header | Payload Data
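
The encapsulation and de-encapsulation described above, as an added example that is not part of the original article: it builds the original packet and the GRE packet byte by byte using this page's Site A and Site B addresses. The marker payload, protocol number 253 and all function names are assumptions made for the illustration; the result also shows that basic GRE adds 24 bytes of headers and leaves the payload readable in transit.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def checksum(header: bytes) -> int:
    """Internet checksum (RFC 1071) over an even-length header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Prepend a basic 4-byte GRE header (no optional fields) and the outer IP header."""
    gre = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes) -> bytes:
    """Check the outer IP and GRE headers, then return the original packet."""
    if len(packet) < 24 or packet[9] != GRE_PROTO:
        raise ValueError("not a GRE-in-IPv4 packet (outer protocol must be 47)")
    ihl = (packet[0] & 0x0F) * 4
    gre = packet[ihl:ihl + 4]
    if len(gre) < 4 or struct.unpack("!HH", gre) != (0, ETHERTYPE_IPV4):
        raise ValueError("only basic GRE carrying IPv4 is handled in this example")
    return packet[ihl + 4:]

def addresses(packet: bytes) -> tuple:
    """Source and destination address of the outermost IPv4 header."""
    return tuple(str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))

# Constructed sample: Site A LAN to Site B LAN, protocol 253 (reserved for testing).
payload = b"hello from Site A"
inner = ipv4_header("192.168.1.1", "192.168.2.1", 253, len(payload)) + payload
outer = gre_encapsulate(inner, "172.16.1.1", "172.16.2.1")

if __name__ == "__main__":
    print("outer:", addresses(outer), "inner:", addresses(gre_decapsulate(outer)))
    print("overhead bytes:", len(outer) - len(inner))
    print("payload readable in transit:", payload in outer)
```
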

 

GRE Configuration

Here’s the step-by-step process for configuring the GRE tunnel:

  1. Create a GRE tunnel interface.
  2. Configure an IP address for the tunnel interface.
  3. Set the local tunnel source. It can be a physical or loopback interface.
  4. Set the remote destination IP.

Optional configs: Tunnel bandwidth, keepalive, and IP MTU

 

For our example configuration, we will use the topology below. We have two sites, Site A and Site B, and both have their respective ISPs as default gateways to reach the Internet.

[Figure: GRE Tunnel topology]

 

Without GRE tunnelling configured, let’s see if we can ping from Site A LAN to Site B LAN:

Site-A#sh ip route
Gateway of last resort is 172.16.1.2 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 172.16.1.2

 

Site-A#traceroute 192.168.2.1
Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
1 172.16.1.2 2 msec 3 msec 4 msec
2 172.16.1.2 !H !H *

 

Site-A#ping 192.168.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

 

A traceroute to Site B’s LAN interface is sent to the ISP1 gateway, which blackholes it.

 

Now, let’s configure Site A and Site B routers. We have OSPF enabled on the LAN (192.168.1.0/24 and 192.168.2.0/24) and GRE tunnel (10.10.10.0/24) networks. With this, Sites A and B become direct OSPF neighbors over the GRE tunnel and learn each other’s routes. The default static routes are pointing to their respective ISPs.

Site A

Site-A#conf t
Site-A(config)#int Tunnel1
Site-A(config-if)#ip address 10.10.10.1 255.255.255.0
Site-A(config-if)#tunnel source 172.16.1.1
Site-A(config-if)#tunnel destination  172.16.2.1
Site-A(config-if)#exit
Site-A(config)#router ospf 1
Site-A(config-router)#router-id 1.1.1.1
Site-A(config-router)#network 10.10.10.0 0.0.0.255 area 0
Site-A(config-router)#network 192.168.1.0 0.0.0.255 area 1
Site-A(config-router)#exit
Site-A(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.2

 

Site B

Site-B#conf t
Site-B(config)#int Tunnel1
Site-B(config-if)#ip address 10.10.10.2 255.255.255.0
Site-B(config-if)#tunnel source 172.16.2.1
Site-B(config-if)#tunnel destination  172.16.1.1
Site-B(config-if)#exit
Site-B(config)#router ospf 1
Site-B(config-router)#router-id 2.2.2.2
Site-B(config-router)#network 10.10.10.0 0.0.0.255 area 0
Site-B(config-router)#network 192.168.2.0 0.0.0.255 area 1
Site-B(config-router)#exit
Site-B(config)#ip route 0.0.0.0 0.0.0.0 172.16.2.2
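
One way to check the two ends against each other before relying on the tunnel, as an added example that is not part of the original article: it parses the tunnel settings entered above and reports endpoints that do not mirror each other or tunnel addresses that do not share a subnet. The saved-configuration layout and the function names are assumptions; a tunnel source given as an interface name is reported rather than guessed at.

```python
import ipaddress
import re

# Constructed input: the tunnel settings entered on Site A and Site B above,
# laid out as they would appear in a saved configuration.
SITE_A = """interface Tunnel1
 ip address 10.10.10.1 255.255.255.0
 tunnel source 172.16.1.1
 tunnel destination 172.16.2.1
"""
SITE_B = """interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 tunnel source 172.16.2.1
 tunnel destination 172.16.1.1
"""

def parse_tunnel(config: str) -> dict:
    """Extract tunnel address, source and destination from one interface stanza."""
    found = {}
    for key, pattern in (("address", r"ip address\s+(\S+)\s+(\S+)"),
                         ("source", r"tunnel source\s+(\S+)"),
                         ("destination", r"tunnel destination\s+(\S+)")):
        match = re.search(r"^\s*" + pattern + r"\s*$", config, re.MULTILINE)
        if match is None:
            raise ValueError(f"missing '{key}' line in tunnel configuration")
        found[key] = "/".join(match.groups())
    found["address"] = ipaddress.ip_interface(found["address"])
    return found

def check_pair(a: dict, b: dict) -> list:
    """Return a list of mismatches between the two tunnel endpoints."""
    problems = []
    for near, far, name in ((a, b, "A"), (b, a, "B")):
        try:
            ipaddress.ip_address(near["source"])
        except ValueError:
            problems.append(f"site {name}: source is an interface name; resolve its IP first")
            continue
        if near["source"] != far["destination"]:
            problems.append(f"site {name}: source {near['source']} is not the peer's destination")
    if a["address"].network != b["address"].network:
        problems.append("tunnel interfaces are in different subnets")
    elif a["address"].ip == b["address"].ip:
        problems.append("both ends use the same tunnel IP address")
    return problems

if __name__ == "__main__":
    print(check_pair(parse_tunnel(SITE_A), parse_tunnel(SITE_B)) or "tunnel endpoints are consistent")
```
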

 

Verification

Now, let’s check the state of the tunnel using the ‘show interfaces tunnel’ command.

Site-A#sh int tunnel 1 | include Tunnel.*is|Tunnel s|Tunnel p

Tunnel1 is up, line protocol is up 
  Tunnel source 172.16.1.1, destination 172.16.2.1
  Tunnel protocol/transport GRE/IP

 

Site-B#sh int tunnel 1 | include Tunnel.*is|Tunnel s|Tunnel p 

Tunnel1 is up, line protocol is up 
  Tunnel source 172.16.2.1, destination 172.16.1.1
  Tunnel protocol/transport GRE/IP

 

Let’s also check the routing table to see whether Site A has formed an OSPF adjacency with Site B over the GRE tunnel.

Site-A#  sh ip route ospf

Gateway of last resort is 172.16.1.2 to network 0.0.0.0
O IA  192.168.2.0/24 [110/1001] via 10.10.10.2, 00:02:22, Tunnel1

 

Lastly, we do a traceroute and ping to confirm reachability.

Site-A#traceroute  192.168.2.1

Type escape sequence to abort.
Tracing the route to 192.168.2.1
VRF info: (vrf in name/id, vrf out name/id)
  1 10.10.10.2 5 msec 6 msec * 

 

Site-A#ping 192.168.2.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/6 ms
