tech:network:cisco:vpn:tunneling:gre:gre
Table of Contents
Cisco: GRE
Topology
IP
Project name: ccna-vpn-gre-0001-gre
- R1
enable configure terminal ! hostname R1 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.100.0.1 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 ip address 100.0.0.1 255.255.0.0 no shutdown exit ! end write
- R2
enable configure terminal ! hostname R2 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 10.200.0.2 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 ip address 200.0.0.2 255.255.0.0 no shutdown exit ! end write
- R3
enable configure terminal ! hostname R3 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.3 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- R4
enable configure terminal ! hostname R4 no ip domain-lookup line console 0 exec-timeout 0 0 logging synchronous exit ! interface GigabitEthernet 0/0 ip address 34.0.0.4 255.255.255.0 no shutdown exit interface GigabitEthernet 0/1 no shutdown exit ! end write
- PC-1
ip 10.100.0.100 255.255.255.0 10.100.0.1 save
- PC-2
ip 10.200.0.200 255.255.255.0 10.200.0.2 save
Configure Basic Routing Protocol(BGP, Static routing)
- R3
configure terminal ! router bgp 3 neighbor 34.0.0.4 remote-as 4 network 100.0.0.1 mask 255.255.255.255 exit ! end
- R4
configure terminal ! router bgp 3 neighbor 34.0.0.3 remote-as 3 network 200.0.0.2 mask 255.255.255.255 exit ! end
Configure PPPoE Server, Client
- R1
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 100.0.0.1 255.255.255.0 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 200.0.0.0 255.255.0.0 Dialer 1 ip route 34.0.0.0 255.255.255.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R2
configure terminal ! interface GigabitEthernet 0/1 no ip address pppoe enable pppoe-client dial-pool-number 10 exit ! interface GigabitEthernet 0/0 ip tcp adjust-mss 1356 exit ! interface Loopback 1 ip address 200.0.0.2 255.255.255.0 exit ! interface Dialer 1 ip unnumbered Loopback 1 ip mtu 1454 encapsulation ppp dialer pool 10 dialer-group 20 ppp authentication chap callin ppp chap hostname ccie@example.com ppp chap password cc13 no shutdown exit ! ip route 100.0.0.0 255.255.0.0 Dialer 1 ip route 34.0.0.0 255.255.255.0 Dialer 1 ! dialer-list 20 protocol ip permit ! end
- R3
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 100.0.0.1 ! interface Loopback1 ip address 100.1.3.3 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
- R4
configure terminal ! username ccie@example.com password cc13 ! ip local pool POOL1 200.0.0.2 ! interface Loopback1 ip address 200.2.4.4 255.255.255.0 exit ! interface Virtual-Template1 mtu 1454 ip unnumbered Loopback1 peer default ip address pool POOL1 ppp authentication chap exit ! bba-group pppoe PPPOE-GROUP1 virtual-template 1 exit ! interface GigabitEthernet 0/1 no ip address pppoe enable group PPPOE-GROUP1 no shut exit ! end
Static Routing
configure terminal ! interface GigabitEthernet 0/0 ! MSS 1500 - 24 = 1476 (Ethernet + GRE) ! MSS 1500 - 8 = 1492 (PPPoE) ! MSS 1454 - 40 = 1414 (NTT NGN + PPPoE) ! MSS 1454 - 40 - 24 = 1390 (NTT NGN + PPPoE + GRE) ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hamc)+ GRE) ip tcp adjust mss 1332 exit ! interface Tunnel 0 ip address 192.168.0.1 255.255.255.252 tunnel source 100.0.0.1 tunnel destination 200.0.0.2 keepalive 10 5 exit ! ip route 10.200.0.0 255.255.255.0 Tunnel 0 ! end
configure terminal ! interface GigabitEthernet 0/0 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hamc)+ GRE) ip tcp adjust mss 1332 exit ! interface Tunnel 0 ip address 192.168.0.2 255.255.255.252 tunnel source 200.0.0.2 tunnel destination 100.0.0.1 keepalive 10 5 exit ! ip route 10.100.0.0 255.255.255.0 Tunnel 0 ! end
Dynamic Routing
configure terminal ! interface GigabitEthernet 0/0 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hamc)+ GRE) ip tcp adjust mss 1332 exit ! interface Tunnel 0 ip address 192.168.0.1 255.255.255.252 tunnel source 100.0.0.1 tunnel destination 200.0.0.2 exit ! router ospf 1 network 10.100.0.1 0.0.0.0 area 0 network 192.168.0.1 0.0.0.0 area 0 exit ! end
configure terminal ! interface GigabitEthernet 0/0 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hamc)+ GRE) ip tcp adjust mss 1332 exit ! interface Tunnel 0 ip address 192.168.0.2 255.255.255.252 tunnel source 200.0.0.2 tunnel destination 100.0.0.1 exit ! router ospf 1 network 10.200.0.2 0.0.0.0 area 0 network 192.168.0.2 0.0.0.0 area 0 exit ! end
Verification
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#int Tunn R1(config)#int Tunnel 0 R1(config-if)#ip add R1(config-if)#ip address *Apr 11 20:53:56.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down R1(config-if)#ip address 192.168.0.1 255.255.255.252 R1(config-if)#tu R1(config-if)#tunnel sou R1(config-if)#tunnel source 100.0.0.1 R1(config-if)#tun R1(config-if)#tunnel des R1(config-if)#tunnel destination 200.0.0.2 R1(config-if)#k *Apr 11 20:54:27.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up R1(config-if)#ke R1(config-if)#keepalive 10 5 R1(config-if)#exit R1(config)#ip route 10.200.0.0 255.255.255.0 tu R1(config)#ip route 10.200.0.0 255.255.255.0 tunnel 0 R1(config)# *Apr 11 20:55:25.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down R1(config)#int gig0/0 R1(config-if)#ip tc R1(config-if)#ip tcp ad R1(config-if)#ip tcp adjust-mss 1332 R1(config-if)# *Apr 11 20:57:05.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up R1(config-if)#exit R1(config)#do ping 10.200.0.200 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms R1(config)#do ping 10.200.0.200 source 100.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds: Packet sent with a source address of 100.0.0.1 .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 6/256/1005 ms
R2#conf t Enter configuration commands, one per line. End with CNTL/Z. R2(config)#int gig0/0 R2(config-if)#ip tc R2(config-if)#ip tcp ad R2(config-if)#ip tcp adjust-mss 1332 R2(config-if)#int tunn0 R2(config-if)# *Apr 11 20:56:18.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down R2(config-if)#ip add R2(config-if)#ip address 192.168.0.2 255.255.255.252 R2(config-if)#tu R2(config-if)#tunnel so R2(config-if)#tunnel source 200.0.0.2 R2(config-if)#tu R2(config-if)#tunnel des R2(config-if)#tunnel destination 100.0.0.1 R2(config-if)# *Apr 11 20:56:49.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up R2(config-if)#ke R2(config-if)#keepalive 10 5 R2(config-if)#exit R2(config)#ip router 10.100.0.0 255.255.255.0 tun R2(config)#ip router 10.100.0.0 255.255.255.0 tunn R2(config)#ip route 10.100.0.0 255.255.255.0 tunn R2(config)#ip route 10.100.0.0 255.255.255.0 tunnel 0
correct
has issue: return packets are not encapsulated GRE. it must be dropped.
configure ACL on R2 side.
R2(config)#ip acce
R2(config)#ip access-list ex
R2(config)#ip access-list extended A-security-out
R2(config-ext-nacl)#den
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 an
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 any
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit an
R2(config-ext-nacl)#permit any any
^
% Invalid input detected at '^' marker.
R2(config-ext-nacl)#permit ip an
R2(config-ext-nacl)#permit ip any an
R2(config-ext-nacl)#permit ip any any
R2(config-ext-nacl)#int dia1
R2(config-if)#ip access
R2(config-if)#ip access-group A-security-out out
R2(config-if)#noip access-group A-security-out out
^
% Invalid input detected at '^' marker.
R2(config-if)#no ip access-group A-security-out out
R2(config-if)#ip access-group A-security-out out
R1(config-ext-nacl)#do ping 10.200.0.200 source 100.0.0.1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds: Packet sent with a source address of 100.0.0.1 ..... Success rate is 0 percent (0/5) R1(config-ext-nacl)#
works fine
Dynamic routing verification
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#int gig0/0
R1(config-if)#ip ad
R1(config-if)#ip tc
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#int tunnel 0
R1(config-if)#
*Apr 11 22:51:00.006: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip add
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#tunne
R1(config-if)#tunnel so
R1(config-if)#tunnel source dia
R1(config-if)#tunnel source dialer 1
R1(config-if)#tunn
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200
R1(config-if)#tunnel destination 200.0.0.1
R1(config-if)#
*Apr 11 22:51:56.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#tunnel source loo
R1(config-if)#tunnel source loopback 1
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#kee
R1(config-if)#keepalive 10 5
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
R1(config-if)#tunnel source loopback
*Apr 11 22:56:09.028: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#do sh ip int tun0
Tunnel0 is up, line protocol is down
Internet address is 192.168.0.1/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1430 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
R1(config-if)#tunn
R1(config-if)#tunnel so
R1(config-if)#tunnel source 100.0.0.1
R1(config-if)#tu
R1(config-if)#tunnel so
R1(config-if)#tunnel source dia
R1(config-if)#tunnel source dialer 1
R1(config-if)#tu
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#
*Apr 11 22:57:49.034: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#do ping 192.168.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
R1(config-if)#router ospf 1
R1(config-router)#network 10.100.0.1 0.0.0.0 are
R1(config-router)#network 10.100.0.1 0.0.0.0 area 0
R1(config-router)#ne
R1(config-router)#netwo
R1(config-router)#network 192.168.0.1 0.0.0.0 area 0
R1(config-router)#
*Apr 11 23:03:46.160: %OSPF-5-ADJCHG: Process 1, Nbr 200.0.0.2 on Tunnel0 from LOADING to FULL, Loading Done
R1(config-router)#do sh ip ospf neighbor
Neighbor ID Pri State Dead Time Address Interface
200.0.0.2 0 FULL/ - 00:00:38 192.168.0.2 Tunnel0
R1(config-router)#do sh ip ro ospf
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
O 10.200.0.0/24 [110/1001] via 192.168.0.2, 00:00:13, Tunnel0
R1(config-router)#ping 10.200.0.204
^
% Invalid input detected at '^' marker.
R1(config-router)#do ping 10.200.0.204
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.204, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/10/18 ms
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int gig0/0
R2(config-if)#ip tc
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int tun0
R2(config-if)#
*Apr 11 22:51:16.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#tunn
R2(config-if)#tunnel sou
R2(config-if)#tunnel source dia
R2(config-if)#tunnel source dialer 1
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#tu
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#
*Apr 11 22:53:04.664: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#tunnel source loo
R2(config-if)#tunnel source loopback 1
R2(config-if)#kee
R2(config-if)#keepalive 10 5
R2(config-if)#
*Apr 11 22:56:15.362: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#do sh ip int tun0
Tunnel0 is up, line protocol is down
Internet address is 192.168.0.2/30
Broadcast address is 255.255.255.255
Address determined by setup command
MTU is 1430 bytes
Helper address is not set
Directed broadcast forwarding is disabled
Outgoing access list is not set
Inbound access list is not set
Proxy ARP is enabled
Local Proxy ARP is disabled
Security level is default
Split horizon is enabled
ICMP redirects are always sent
ICMP unreachables are always sent
ICMP mask replies are never sent
IP fast switching is enabled
IP fast switching on the same interface is disabled
IP Flow switching is disabled
IP CEF switching is enabled
IP CEF switching turbo vector
IP Null turbo vector
IP multicast fast switching is enabled
R2(config-if)#tunn
R2(config-if)#tunnel so
R2(config-if)#tunnel source 200.0.0.2
R2(config-if)#tunnel source dia
R2(config-if)#tunnel source dialer 1
R2(config-if)#tun
R2(config-if)#tunnel
*Apr 11 22:57:55.370: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#router ospf 1
R2(config-router)#netwo
R2(config-router)#network 10.200.0.2 0.0.0.0 area 0
R2(config-router)#netwo
R2(config-router)#network 192.168.0.2 0.0.0.0 area 0
R2(config-router)#
*Apr 11 23:03:47.152: %OSPF-5-ADJCHG: Process 1, Nbr 100.0.0.1 on Tunnel0 from LOADING to FULL, Loading Done
PC-1> ping 10.200.0.204 84 bytes from 10.200.0.204 icmp_seq=1 ttl=62 time=6.818 ms 84 bytes from 10.200.0.204 icmp_seq=2 ttl=62 time=6.569 ms 84 bytes from 10.200.0.204 icmp_seq=3 ttl=62 time=5.863 ms 84 bytes from 10.200.0.204 icmp_seq=4 ttl=62 time=4.850 ms 84 bytes from 10.200.0.204 icmp_seq=5 ttl=62 time=5.164 ms PC-1>
TCP SYN packet MSS negotiation
PC-3 - PC-4
ifconfig eth0 10.100.0.103 netmask 255.255.255.0 broadcast 10.100.0.255 route add default gw 10.100.0.1 eth0
ifconfig eth0 10.200.0.204 netmask 255.255.255.0 broadcast 10.200.0.255 route add default gw 10.200.0.2 eth0
echo "hello, PC-4">index.html php -S 0.0.0.0:80
curl http://10.200.0.204/index.html
References
tech/network/cisco/vpn/tunneling/gre/gre.txt · Last modified: 2019/04/12 08:07 by wnoguchi
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
