Home > Articles > Certification > Cisco Certification > CCNP

  • Print
  • + Share This
This chapter is from the book

Foundation Summary

The generic characteristics of a GRE tunnel are as follows:

  • A GRE tunnel is similar to an IPsec tunnel because the original packet is wrapped inside an outer shell.
  • GRE is stateless and offers no flow control mechanisms.
  • GRE adds at least 24 bytes of overhead, including the new 20-byte IP header.
  • GRE is multiprotocol and can tunnel any OSI Layer 3 protocol.
  • GRE permits routing protocols to travel through the tunnel.
  • GRE was needed to carry IP multicast traffic until 12.4(4)T.
  • GRE has relatively weak security features.

Table 14-3 describes the GRE header options.

Table 14-3. GRE Options

GRE Header Bit

Option

Description

0

Checksum Present

Adds a 4-byte checksum field to the GRE header after the protocol field if this bit is set to 1.

2

Key Present

Adds a 4-byte encryption key to the GRE header after the checksum field if this bit is set to 1.

3

Sequence Number Present

Adds a 4-byte sequence number to the GRE header after the key field if this bit is set to 1.

13–15

GRE Version

0 indicates basic GRE, while 1 is used for PPTP.

The basic configuration components of a GRE tunnel include

  • A tunnel source (an interface or IP address local to this router)
  • A tunnel destination (an IP address of a remote router)
  • A tunnel mode (GRE/IP is the default)
  • Tunnel traffic (data that travels through the tunnel, and is encapsulated by the GRE header)

GRE over IPsec uses the GRE tunnel to carry dynamic IP routing protocols, and uses IPsec to enforce confidentiality and integrity.

GRE over IPsec using tunnel mode has a total of three IP headers in the packet. GRE over IPsec using transport mode has only two IP headers in the packet.

Most GRE over IPsec implementations use a hub-and-spoke design to limit the number of IPsec tunnels required to secure the entire network.

The Secure GRE Wizard is accessed as follows:

  1. Step 1 Click the Configure button at the top of the window.
  2. Step 2 Click the VPN button in the Tasks bar on the left.
  3. Step 3 Click the Site-to-Site VPN option at the top of the menu.
  4. Step 4 Click the Create Site to Site VPN tab in the window.
  5. Step 5 Click the Create a secure GRE tunnel (GRE over IPSec) radio button.
  6. Step 6 Click the Launch the selected task button at the bottom of the window.

The basic steps of the Secure GRE Wizard include

  1. Step 1 Create the GRE tunnel.
  2. Step 2 Create a backup GRE tunnel (optional).
  3. Step 3 Select the IPsec VPN authentication method.
  4. Step 4 Select the IPsec VPN IKE proposals.
  5. Step 5 Select the IPsec VPN transform sets.
  6. Step 6 Select the routing method for the GRE over IPsec tunnel.
  7. Step 7 Validate the GRE over IPsec configuration.

The GRE Tunnel Information window is where the GRE tunnel is configured in SDM. Configuration includes

  • Tunnel source (local interface or IP address)
  • Tunnel destination (remote IP address)
  • Interior tunnel IP address and subnet mask
  • Optional MTU path discovery to know if fragmentation must be performed on this router due to the larger packet size created by GRE over IPsec

The Backup GRE Tunnel Information window is where the backup GRE tunnel is configured in SDM. The backup GRE tunnel uses the same source as the primary GRE tunnel. Configuration includes

  • Enable the backup tunnel
  • Tunnel destination (remote IP address)
  • Interior tunnel IP address and subnet mask

The IPsec VPN configuration has three phases, all of which are identical to those found in the site-to-site IPsec VPN configuration process:

  1. VPN authentication
  2. IKE proposals
  3. IPsec transform sets

There are four routing options supported within the GRE tunnel:

  • EIGRP
  • OSPF
  • RIP
  • Static routing

Static routing can configure only one subnet and is not appropriate for sites with multiple subnets or for sites using two GRE tunnels.

RIP cannot be configured if a backup GRE tunnel is configured.

Both OSPF and EIGRP use inverse masks when adding subnets to the routing protocol.

Be sure to include the internal IP subnet of the GRE tunnel in the routing protocol configuration so that the configured protocol will use the GRE tunnel interface.

The Configuration Summary window allows you to view the configuration just created with the wizard. You can return to the wizard by clicking the <Back button to make changes, or you can finish the wizard by clicking the Finish button.

  • + Share This
  • 🔖 Save To Your Account