# CCNA 200-301 - Video 34: GRE Tunnels

## Deep Study Notes

---

## Learning Objectives

By the end of this video, you should understand:

- What GRE tunnels are and why they're used
- GRE tunnel encapsulation process
- GRE tunnel configuration
- GRE over IPsec (for security)
- GRE tunnel verification and troubleshooting
- Common use cases (routing protocols over WAN, VPNs)

---

## Core Concepts

### 1. What is GRE?

**Definition:** Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates a wide variety of network layer protocols inside IP tunnels, allowing packets from one network to be transported over another network.

**Analogy:** Think of GRE like a shipping container. You can put anything inside it (car, furniture, electronics) and ship it across the country. The container (GRE tunnel) protects and transports the contents regardless of what they are. The truck (IP network) doesn't care what's inside the container.

```
WHAT IS A GRE TUNNEL?

Physical Network:

  Site A <------------------------------------------> Site B
              (Internet / WAN / Service Provider)

  Sites communicate via public network

GRE Tunnel (Logical):

  Site A <==========================================> Site B
               (GRE Tunnel - Logical Connection)

  GRE encapsulates packets inside IP packets
  Enables routing protocols, multicast, non-IP protocols
```

---

### 2. Why Use GRE Tunnels?

| Use Case | Description |
|----------|-------------|
| **Routing Protocols over WAN** | OSPF, EIGRP can run over GRE tunnels (multicast supported) |
| **IPv6 over IPv4** | Transport IPv6 traffic over IPv4-only networks |
| **Non-IP Protocols** | Transport IPX, AppleTalk, etc. over IP networks |
| **VPN Connectivity** | Create secure VPN tunnels (GRE over IPsec) |
| **Multicast over Unicast** | Carry multicast traffic over unicast-only networks |
| **Network Segmentation** | Create logical overlays over physical networks |

```
GRE USE CASES

USE CASE 1: Routing Protocols over GRE

  OSPF Area 0             GRE Tunnel             OSPF Area 0
  +----------+            +--------+            +----------+
  | Router A |============|  GRE   |============| Router B |
  +----------+            | Tunnel |            +----------+
                          +--------+
  OSPF neighbors form over GRE (multicast)

USE CASE 2: IPv6 over IPv4

  IPv6 Network            GRE Tunnel            IPv6 Network
  +-----------+        (IPv4 Transport)        +-----------+
  | Router A  |================================| Router B  |
  | 2001:db8: |                                | 2001:db8: |
  |    ::1    |                                |    ::2    |
  +-----------+                                +-----------+

  IPv6 packets encapsulated in IPv4 GRE tunnels

USE CASE 3: VPN with GRE over IPsec

  Private Network        GRE over IPsec        Private Network
  +----------+            (Encrypted)            +----------+
  | Router A |===================================| Router B |
  +----------+                                   +----------+

  GRE provides flexibility, IPsec provides encryption
```

---

### 3. GRE Tunnel Encapsulation

**GRE Header Structure:**

```
GRE ENCAPSULATION

Original Packet (Before Encapsulation):
+----------------------+-----------+---------+
| IP Header (20 bytes) | Transport | Payload |
| (Original)           | (TCP/UDP) |         |
+----------------------+-----------+---------+

After GRE Encapsulation:
+-----------------+--------------+-----------------+---------+
| Outer IP Header | GRE Header   | Inner IP Header | Payload |
| (20 bytes)      | (4-16 bytes) | (20 bytes)      |         |
+-----------------+--------------+-----------------+---------+

GRE Header Format:
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|C|R|K|S|s|Recur|  Flags  | Ver |         Protocol Type         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                      Checksum (optional)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                        Key (optional)                         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                  Sequence Number (optional)                   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key GRE Header Fields:
  • Protocol Type: Encapsulated protocol (0x0800 = IP)
  • Checksum: Optional error checking
  • Key: Optional authentication
  • Sequence Number: Optional ordering
```

---

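The header layout above and the overhead arithmetic in section 4 can be checked in code. The Python below is an added example, not part of the original notes: it parses the outer IPv4 and GRE headers of a captured packet, reads the inner packet (which is carried unencrypted), and derives the tunnel IP MTU and TCP MSS from the header length. The sample packet, the inner host addresses, the key value 42 and all function names are constructed for illustration; only GRE version 0 without the RFC 1701 routing field is handled.

```python
import socket
import struct

GRE_IP_PROTO = 47       # IP protocol number for GRE
IPV4_HDR = 20           # IPv4 header without options
TCP_HDR = 20            # TCP header without options
FLAG_C, FLAG_R, FLAG_K, FLAG_S = 0x8000, 0x4000, 0x2000, 0x1000


def parse_gre(data):
    """Return GRE fields, header length and the encapsulated bytes."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled here")
    if flags & FLAG_R:
        raise ValueError("RFC 1701 routing field is not handled here")
    hdr = {"protocol_type": proto, "checksum": None, "key": None, "sequence": None}
    offset = 4
    # Optional 32-bit words follow in this fixed order when their flag is set.
    for name, flag in (("checksum", FLAG_C), ("key", FLAG_K), ("sequence", FLAG_S)):
        if flags & flag:
            if len(data) < offset + 4:
                raise ValueError("truncated GRE optional field: " + name)
            word = struct.unpack("!I", data[offset:offset + 4])[0]
            # The checksum shares its word with a 16-bit offset/reserved field.
            hdr[name] = word >> 16 if name == "checksum" else word
            offset += 4
    hdr["header_len"] = offset
    hdr["inner"] = data[offset:]
    return hdr


def decapsulate(packet):
    """Strip the outer IPv4 + GRE headers and read the inner IPv4 packet."""
    if len(packet) < IPV4_HDR or packet[0] >> 4 != 4 or packet[9] != GRE_IP_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    ihl = (packet[0] & 0x0F) * 4
    gre = parse_gre(packet[ihl:])
    inner = gre["inner"]
    if gre["protocol_type"] != 0x0800 or len(inner) < IPV4_HDR:
        raise ValueError("inner packet is not IPv4")
    inner_ihl = (inner[0] & 0x0F) * 4
    return {
        "gre_header_len": gre["header_len"],
        "key": gre["key"],
        "inner_src": socket.inet_ntoa(inner[12:16]),
        "inner_dst": socket.inet_ntoa(inner[16:20]),
        "inner_payload": inner[inner_ihl:],
    }


def tunnel_ip_mtu(physical_mtu, gre_header_len=4):
    """Largest inner IP packet that fits without fragmenting the outer packet."""
    return physical_mtu - IPV4_HDR - gre_header_len


def tcp_mss(ip_mtu):
    """TCP MSS that fits inside a given IP MTU (no IP or TCP options)."""
    return ip_mtu - IPV4_HDR - TCP_HDR


def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal IPv4 header (checksum left at zero) for sample data."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR + payload_len, 0, 0,
                       255, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


# Constructed sample: Router A -> Router B, GRE with the K bit set (key 42).
_inner = ipv4_header("192.168.1.10", "192.168.2.20", 6, 9) + b"cleartext"
_gre = struct.pack("!HHI", FLAG_K, 0x0800, 42) + _inner
SAMPLE = ipv4_header("203.0.113.1", "203.0.113.2", GRE_IP_PROTO, len(_gre)) + _gre

if __name__ == "__main__":
    print(decapsulate(SAMPLE))
    print(tunnel_ip_mtu(1500), tunnel_ip_mtu(1500, 16), tcp_mss(1400))
```
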
### 4. GRE Tunnel MTU Considerations

**MTU Calculation:**

```
GRE MTU CALCULATION

Physical Interface MTU: 1500 bytes

GRE Overhead:
  • Outer IP Header: 20 bytes
  • GRE Header: 4 bytes (min)
  • Total Overhead: 24 bytes

Effective MTU:
  1500 - 24 = 1476 bytes (for inner IP packet)

  With additional headers (IPsec, etc.):
  • GRE over IPsec: ~1400 bytes or less

Solution: Configure tunnel MTU
  interface Tunnel0
   ip mtu 1400
   ip tcp adjust-mss 1360
```

---

### 5. GRE Tunnel Configuration

**Basic GRE Tunnel Configuration:**

```cisco
! Router A
hostname RouterA
!
! Configure physical interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
! Configure tunnel interface
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! Optional: Configure tunnel mode (GRE/IP is default)
! tunnel mode gre ip
!
! Static route through tunnel
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end
```

---

### 6. GRE with Routing Protocols

**OSPF over GRE Tunnel:**

```cisco
! Router A
hostname RouterA
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ip ospf 1 area 0
!
router ospf 1
 network 10.0.0.0 0.0.0.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
!
end
```

**EIGRP over GRE Tunnel:**

```cisco
! Router A
hostname RouterA
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 no auto-summary
!
end
```

---

### 7. GRE Keepalives

**Purpose:** Monitor tunnel reachability and detect failures.

```cisco
! Configure GRE keepalives
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 keepalive 10 3
 ! 10 seconds interval, 3 retries
!
! Verification
Router# show interfaces tunnel0
! Look for "Keepalive set (10 sec)"
```

---

### 8. GRE over IPsec (GRE with Security)

**Purpose:** Add encryption to GRE tunnels using IPsec.

```
GRE OVER IPSEC

GRE over IPsec Architecture:

  Private Network        GRE over IPsec        Private
  +----------+            (Encrypted)            +----------+
  | Router A |===================================| Router B |
  +----------+                                   +----------+

  Outer IP  | ESP Header  | GRE Header | Inner IP  | Payload
  (Public)  | (Encrypted) |            | (Private) |

Benefits:
  • GRE provides flexibility (multicast, routing protocols)
  • IPsec provides encryption and authentication
  • Combined solution for site-to-site VPNs
```

**GRE over IPsec Configuration (Tunnel Mode):**

```cisco
! Router A - ISAKMP Policy
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key Cisco123 address 203.0.113.2
!
! IPsec Transform Set
crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto Map
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TRANSFORM
 match address 110
!
! ACL for interesting traffic (GRE protocol)
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
!
! Apply crypto map to physical interface
interface GigabitEthernet0/0
 crypto map GRE-MAP
!
! GRE Tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
end
```

---

### 9. GRE Tunnel Verification Commands

| Command | Purpose |
|---------|---------|
| `show interfaces tunnel [num]` | Display tunnel interface status |
| `show ip interface brief` | Quick tunnel status |
| `show ip route` | Verify routes over tunnel |
| `show ip ospf neighbor` | Verify OSPF neighbors over tunnel |
| `show ip eigrp neighbors` | Verify EIGRP neighbors over tunnel |
| `ping [tunnel-ip]` | Test tunnel connectivity |
| `traceroute [tunnel-ip]` | Trace path through tunnel |

**Example Outputs:**

```cisco
RouterA# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/24
  MTU 17916 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 203.0.113.1, destination 203.0.113.2
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Tunnel transport MTU 1476 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:00:04, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     100 packets input, 8400 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     100 packets output, 8400 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

RouterA# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    203.0.113.0/24 is directly connected, GigabitEthernet0/0
C    10.0.0.0/24 is directly connected, Tunnel0
C    192.168.1.0/24 is directly connected, GigabitEthernet0/1
O    192.168.2.0/24 [110/1001] via 10.0.0.2, 00:01:23, Tunnel0
```

---

### 10. GRE Tunnel Troubleshooting

| Problem | Symptom | Solution |
|---------|---------|----------|
| **Tunnel Not Up** | `show int tunnel` down/down | Verify tunnel source/destination reachable |
| **Physical Interface Down** | Physical interface down | Check cables, IP configuration |
| **No Routes** | Tunnel up, no routes | Check routing protocol, static routes |
| **MTU Issues** | Large packets fail | Reduce MTU on tunnel, adjust MSS |
| **Routing Protocol Failing** | Neighbors not forming | Ensure multicast is supported (GRE does) |
| **Keepalive Failing** | Tunnel flapping | Verify connectivity, adjust keepalive timers |

**Troubleshooting Commands:**

```cisco
! Check tunnel status
Router# show interfaces tunnel 0

! Verify tunnel source/destination reachability
Router# ping 203.0.113.2

! Check routing table for tunnel destination
Router# show ip route 203.0.113.2

! Check tunnel endpoints
Router# show ip interface brief | include Tunnel

! Debug tunnel events
Router# debug tunnel

! Verify OSPF over tunnel
Router# show ip ospf neighbor

! Verify EIGRP over tunnel
Router# show ip eigrp neighbors
```

---

### 11. GRE Tunnel Design Considerations

```
GRE TUNNEL DESIGN CONSIDERATIONS

1. MTU CONFIGURATION
   • Reduce tunnel MTU to 1400-1476
   • Configure TCP MSS adjustment
   • Ensure end-to-end PMTUD works

2. ROUTING PROTOCOL DESIGN
   • GRE supports multicast (OSPF, EIGRP work)
   • Can create hub-and-spoke topologies
   • Consider routing protocol timers for tunnel convergence

3. RECURSIVE ROUTING
   • Avoid using tunnel interface as next-hop for tunnel destination
   • Example: Don't route 203.0.113.0/24 through Tunnel0
   • Use physical interface or static routes for tunnel source

4. SECURITY
   • GRE alone provides no encryption
   • Use GRE over IPsec for secure tunnels
   • Consider DMVPN for large-scale VPN deployments
```

---

## Complete Configuration Examples

### Lab 1: Basic GRE Tunnel with Static Routes

**Topology:**

```
192.168.1.0/24                          192.168.2.0/24
+----------+                            +----------+
| Router A |                            | Router B |
+----+-----+                            +----+-----+
     |                                       |
Gi0/0: 203.0.113.1                  Gi0/0: 203.0.113.2
     |                                       |
     +-------------- Internet ---------------+
```

**Router A Configuration:**

```cisco
hostname RouterA
!
! Physical interface
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
! LAN interface
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
! GRE Tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! Static route to remote LAN
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
!
ip route 192.168.1.0 255.255.255.0 Tunnel0
!
end
```

---

### Lab 2: OSPF over GRE Tunnel

**Router A Configuration:**

```cisco
hostname RouterA
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ip ospf 1 area 0
!
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
end
```

**Router B Configuration:**

```cisco
hostname RouterB
!
interface GigabitEthernet0/0
 ip address 203.0.113.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 ip ospf 1 area 0
!
router ospf 1
 network 192.168.2.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
end
```

---

### Lab 3: GRE over IPsec

**Router A Configuration:**

```cisco
hostname RouterA
!
! ISAKMP Policy
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key VPNKEY address 203.0.113.2
!
! IPsec Transform Set
crypto ipsec transform-set GRE-TRANSFORM esp-aes esp-sha-hmac
 mode tunnel
!
! Crypto Map
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TRANSFORM
 match address 110
!
! ACL for GRE traffic
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
!
! Physical interface with crypto map
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map GRE-MAP
 no shutdown
!
! LAN interface
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
! GRE Tunnel
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
!
! OSPF over tunnel
router ospf 1
 network 192.168.1.0 0.0.0.255 area 0
 network 10.0.0.0 0.0.0.255 area 0
!
end
```

---

## Exam Tips (For CCNA 200-301)

| Topic | What Cisco Tests |
|-------|------------------|
| **GRE Purpose** | Encapsulate arbitrary protocols, support multicast |
| **GRE Header** | Protocol type, optional checksum/key/seq |
| **Tunnel Mode** | `tunnel mode gre ip` (default) |
| **MTU** | 1476 bytes effective (1500 - 24) |
| **Keepalives** | Monitor tunnel reachability |
| **GRE over IPsec** | Encryption + flexibility |

### Common Exam Scenarios:

**Scenario 1:** "Which tunneling protocol supports multicast and can carry routing protocols?"
- **Answer:** GRE (Generic Routing Encapsulation)

**Scenario 2:** "A GRE tunnel is up/up but cannot ping the remote tunnel IP. What could be the issue?"
- **Answer:** Physical reachability to tunnel destination, routing issue, or ACL blocking

**Scenario 3:** "Why is MTU adjustment important for GRE tunnels?"
- **Answer:** GRE adds 24 bytes of overhead, requiring lower MTU to prevent fragmentation

### Mnemonics:

**GRE Use Cases:** **"M.R.V." - Multicast, Routing, VPN**
- **M**ulticast over unicast networks
- **R**outing protocols over WAN
- **V**PN (with IPsec)

**GRE Overhead:** **"20 + 4 = 24"**
- 20 bytes IP header + 4 bytes GRE header = 24 bytes overhead

---

## Summary (1-Minute Revision)

```
GRE (Generic Routing Encapsulation):

PURPOSE:
├── Encapsulate arbitrary protocols
├── Support multicast (routing protocols)
├── Create logical overlays
└── VPN connectivity (with IPsec)

ENCAPSULATION:
├── Outer IP Header (20 bytes)
├── GRE Header (4-16 bytes)
├── Inner IP Header + Payload
└── Protocol Type 47 (IP protocol)

HEADER FIELDS:
├── Protocol Type: Encapsulated protocol
├── Checksum: Optional error checking
├── Key: Optional authentication
└── Sequence Number: Optional ordering

CONFIGURATION:
├── interface Tunnel0
├── ip address [ip] [mask]
├── tunnel source [interface|ip]
├── tunnel destination [ip]
├── keepalive [seconds] [retries]
└── tunnel mode gre ip (default)

MTU:
├── Physical MTU: 1500
├── GRE Overhead: 24 bytes
├── Effective MTU: 1476
└── Recommended: ip mtu 1400, ip tcp adjust-mss 1360

GRE OVER IPSEC:
├── GRE: Flexibility, multicast
├── IPsec: Encryption, authentication
└── Crypto map on physical interface

VERIFICATION:
├── show interfaces tunnel
├── show ip route
├── show ip ospf neighbor
├── ping [tunnel-ip]
└── debug tunnel
```

---

## Practice Questions

**1. What is the IP protocol number for GRE?**
- A) 47
- B) 50
- C) 51
- D) 89

<details>
<summary>Answer</summary>
<b>A) 47</b> - GRE uses IP protocol number 47.
</details>

**2. How much overhead does a basic GRE tunnel add to each packet?**
- A) 4 bytes
- B) 20 bytes
- C) 24 bytes
- D) 28 bytes

<details>
<summary>Answer</summary>
<b>C) 24 bytes</b> - 20 bytes for outer IP header + 4 bytes for basic GRE header.
</details>

**3. Which command creates a GRE tunnel interface?**
- A) `interface gre 0`
- B) `interface tunnel 0`
- C) `interface gre-tunnel 0`
- D) `interface ip-tunnel 0`

<details>
<summary>Answer</summary>
<b>B) `interface tunnel 0`</b> - Tunnel interfaces are created with the tunnel interface command.
</details>

**4. What is the default tunnel mode on Cisco routers?**
- A) GRE/IP
- B) IPIP
- C) IPsec
- D) L2TP

<details>
<summary>Answer</summary>
<b>A) GRE/IP</b> - The default tunnel mode is GRE over IP.
</details>

**5. Which of the following can be transported over GRE tunnels? (Select two)**
- A) IPv4
- B) IPv6
- C) Ethernet frames
- D) All of the above

<details>
<summary>Answer</summary>
<b>D) All of the above</b> - GRE can encapsulate almost any protocol.
</details>

**6. Why would you use GRE over IPsec?**
- A) GRE alone provides no encryption
- B) IPsec doesn't support multicast
- C) GRE supports routing protocols
- D) All of the above

<details>
<summary>Answer</summary>
<b>D) All of the above</b> - GRE over IPsec combines flexibility with security.
</details>

**7. Which command configures GRE keepalives?**
- A) `keepalive 10 3`
- B) `gre keepalive 10 3`
- C) `tunnel keepalive 10 3`
- D) `ip keepalive 10 3`

<details>
<summary>Answer</summary>
<b>A) `keepalive 10 3`</b> - Configured on tunnel interface with interval and retries.
</details>

**8. What is the recommended MTU for GRE tunnels?**
- A) 1500
- B) 1492
- C) 1476
- D) 1400

<details>
<summary>Answer</summary>
<b>D) 1400</b> - Often recommended to account for additional overhead and fragmentation.
</details>

**9. Which command displays tunnel interface status?**
- A) `show tunnel`
- B) `show interfaces tunnel`
- C) `show gre tunnels`
- D) `show ip tunnel`

<details>
<summary>Answer</summary>
<b>B) `show interfaces tunnel`</b> - Displays tunnel interface status and statistics.
</details>

**10. Which protocol can run natively over GRE without modification?**
- A) OSPF
- B) EIGRP
- C) RIP
- D) All of the above

<details>
<summary>Answer</summary>
<b>D) All of the above</b> - GRE supports multicast, so all routing protocols work.
</details>

**11. What is the purpose of GRE keepalives?**
- A) Encrypt tunnel traffic
- B) Monitor tunnel reachability
- C) Compress tunnel traffic
- D) Fragment packets

<details>
<summary>Answer</summary>
<b>B) Monitor tunnel reachability</b> - Keepalives detect when the tunnel fails.
</details>

**12. Which Cisco technology combines GRE with IPsec for scalable VPNs?**
- A) DMVPN
- B) MPLS VPN
- C) L2TP
- D) PPPoE

<details>
<summary>Answer</summary>
<b>A) DMVPN</b> - Dynamic Multipoint VPN uses GRE over IPsec for scalable VPNs.
</details>

---

## Next Steps

After completing Video 34, you should be ready for:

- **Video 35:** VPN Technologies (IPsec, DMVPN, FlexVPN)
- **Video 36:** Device Hardening and Security

**Lab Practice:**

1. Configure basic GRE tunnel between two routers
2. Verify with `show interfaces tunnel` and ping
3. Configure OSPF over GRE tunnel
4. Test routing protocol convergence
5. Configure GRE keepalives
6. Configure GRE over IPsec (if IPsec lab available)
7. Troubleshoot MTU issues with `ping -l -f`
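
The design note that GRE alone provides no encryption can be turned into a configuration check. The Python below is an added example, not part of the original notes: it reads an IOS configuration and reports, per GRE tunnel, whether IPsec covers it, either through a crypto map on the tunnel source interface whose ACL selects GRE between the endpoints (as in Lab 3) or through `tunnel protection ipsec`, an IOS command these notes do not use. Function names are illustrative, the sample configs are trimmed from Labs 1 and 3, and the check assumes `tunnel source` names an interface and the ACL uses `host` entries.

```python
import re


def parse_blocks(config):
    """Map each top-level IOS command to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks


def first_arg(body, prefix):
    """Return the text after `prefix` on the first matching line, else None."""
    for line in body:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return None


def audit_gre_tunnels(config):
    """Return {tunnel: bool}: True when IPsec covers that GRE tunnel."""
    ifaces, gre_acls, crypto_maps = {}, {}, {}
    for head, body in parse_blocks(config).items():
        if m := re.match(r"interface (\S+)$", head):
            ifaces[m.group(1)] = body
        elif m := re.match(r"access-list (\d+) permit gre host (\S+) host (\S+)$", head):
            gre_acls.setdefault(m.group(1), set()).add((m.group(2), m.group(3)))
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", head):
            entry = (first_arg(body, "set peer "), first_arg(body, "match address "))
            crypto_maps.setdefault(m.group(1), []).append(entry)
    result = {}
    for name, body in ifaces.items():
        mode = first_arg(body, "tunnel mode ") or "gre ip"  # GRE/IP is the default
        if not name.lower().startswith("tunnel") or not mode.startswith("gre"):
            continue
        dst = first_arg(body, "tunnel destination ")
        # An IPsec profile bound directly to the tunnel also counts as covered.
        if first_arg(body, "tunnel protection ipsec ") is not None:
            result[name] = True
            continue
        src_body = ifaces.get(first_arg(body, "tunnel source "), [])
        src_ip = (first_arg(src_body, "ip address ") or "").split(" ")[0]
        map_name = first_arg(src_body, "crypto map ")
        # Covered only if that crypto map names this peer and its ACL selects GRE.
        result[name] = any(
            peer == dst and (src_ip, dst) in gre_acls.get(acl, set())
            for peer, acl in crypto_maps.get(map_name, [])
        )
    return result


# Sample configs trimmed from the page's Lab 1 and Lab 3 (Router A).
LAB1 = """\
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
"""
# Lab 3 adds the crypto map, the GRE ACL and the crypto map binding to Lab 1.
LAB3 = LAB1 + """\
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TRANSFORM
 match address 110
access-list 110 permit gre host 203.0.113.1 host 203.0.113.2
interface GigabitEthernet0/0
 crypto map GRE-MAP
"""

if __name__ == "__main__":
    print("Lab 1:", audit_gre_tunnels(LAB1), "Lab 3:", audit_gre_tunnels(LAB3))
```
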