

Cisco: GRE

Topology

IP

Project name: ccna-vpn-gre-0001-gre

  • R1
enable
configure terminal
!
! R1 -- baseline: hostname, console convenience, interface addressing.
! Lab-only console settings: "exec-timeout 0 0" disables the idle timeout and
! the console line carries no password; do not reuse these in production.
hostname R1
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
! LAN side toward PC-1 (PC-1 uses 10.100.0.1 as its default gateway).
interface GigabitEthernet 0/0
ip address 10.100.0.1 255.255.255.0
no shutdown
exit
! WAN side toward R3. This address is removed again in the PPPoE section
! ("no ip address"), where 100.0.0.1 moves to Loopback 1.
interface GigabitEthernet 0/1
ip address 100.0.0.1 255.255.0.0
no shutdown
exit
!
end
write
  • R2
enable
configure terminal
!
! R2 -- baseline: hostname, console convenience, interface addressing.
! Lab-only console settings: "exec-timeout 0 0" disables the idle timeout and
! the console line carries no password; do not reuse these in production.
hostname R2
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
! LAN side toward PC-2 (PC-2 uses 10.200.0.2 as its default gateway).
interface GigabitEthernet 0/0
ip address 10.200.0.2 255.255.255.0
no shutdown
exit
! WAN side toward R4. This address is removed again in the PPPoE section
! ("no ip address"), where 200.0.0.2 moves to Loopback 1.
interface GigabitEthernet 0/1
ip address 200.0.0.2 255.255.0.0
no shutdown
exit
!
end
write
  • R3
enable
configure terminal
!
! R3 -- baseline: hostname, console convenience, interface addressing.
! Lab-only console settings: "exec-timeout 0 0" disables the idle timeout and
! the console line carries no password; do not reuse these in production.
hostname R3
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
! Link to R4 (34.0.0.0/24); this is where the eBGP session runs.
interface GigabitEthernet 0/0
ip address 34.0.0.3 255.255.255.0
no shutdown
exit
! Gi0/1 (toward R1) is brought up without an IP address; it becomes the
! PPPoE server port (bba-group) in the PPPoE section.
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • R4
enable
configure terminal
!
! R4 -- baseline: hostname, console convenience, interface addressing.
! Lab-only console settings: "exec-timeout 0 0" disables the idle timeout and
! the console line carries no password; do not reuse these in production.
hostname R4
no ip domain-lookup
line console 0
exec-timeout 0 0
logging synchronous
exit
!
! Link to R3 (34.0.0.0/24); this is where the eBGP session runs.
interface GigabitEthernet 0/0
ip address 34.0.0.4 255.255.255.0
no shutdown
exit
! Gi0/1 (toward R2) is brought up without an IP address; it becomes the
! PPPoE server port (bba-group) in the PPPoE section.
interface GigabitEthernet 0/1
no shutdown
exit
!
end
write
  • PC-1
ip 10.100.0.100 255.255.255.0 10.100.0.1
save
  • PC-2
ip 10.200.0.200 255.255.255.0 10.200.0.2
save

Configure basic routing (BGP, static routing)

  • R3
configure terminal
!
! R3 -- eBGP with R4 (AS 4) over 34.0.0.0/24.
! Only the PPPoE pool address 100.0.0.1/32 (the address handed to R1 and
! used as R2's tunnel destination) is advertised.
! No "neighbor ... password" (TCP MD5) on this session -- lab only.
router bgp 3
neighbor 34.0.0.4 remote-as 4
network 100.0.0.1 mask 255.255.255.255
exit
!
end
  • R4
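configure terminal
!
! R4 -- eBGP with R3 (AS 3) over 34.0.0.0/24.
! R4 must run AS 4: R3 peers with "neighbor 34.0.0.4 remote-as 4", and with
! "router bgp 3" on this side the ASNs disagree (R4 would treat the neighbor
! as iBGP in AS 3 while R3 expects eBGP from AS 4), so the session never
! establishes.
! Only the PPPoE pool address 200.0.0.2/32 (the address handed to R2 and
! used as R1's tunnel destination) is advertised.
! No "neighbor ... password" (TCP MD5) on this session -- lab only.
router bgp 4
neighbor 34.0.0.3 remote-as 3
network 200.0.0.2 mask 255.255.255.255
exit
!
end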

Configure PPPoE Server, Client

  • R1
configure terminal
!
! R1 -- PPPoE client toward R3. Gi0/1 loses its IP address and becomes a
! layer-2 PPPoE port bound to dialer pool 10.
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
! Clamp TCP MSS on the LAN side so LAN hosts' TCP segments fit the 1454-byte
! MTU set on Dialer 1 below.
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
! 100.0.0.1 lives on a loopback and is borrowed by Dialer 1 (ip unnumbered).
! It is the same address R3 hands out from POOL1, so the PPP-negotiated
! address is expected to match -- re-check if R3's pool changes.
interface Loopback 1
ip address 100.0.0.1 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
! "callin": R1 only answers CHAP challenges from R3; it does not challenge R3.
ppp authentication chap callin
! The CHAP secret is stored in cleartext in the running-config. CHAP needs
! the reversible secret, so "service password-encryption" would only obscure
! it (type 7); control who can read the config instead.
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
! No default route: only these two prefixes leave R1 via the PPPoE session.
ip route 200.0.0.0 255.255.0.0 Dialer 1
ip route 34.0.0.0 255.255.255.0 Dialer 1
!
! Interesting-traffic list referenced by "dialer-group 20": all IP traffic.
dialer-list 20 protocol ip permit
!
end
  • R2
configure terminal
!
! R2 -- PPPoE client toward R4. Gi0/1 loses its IP address and becomes a
! layer-2 PPPoE port bound to dialer pool 10.
interface GigabitEthernet 0/1
no ip address
pppoe enable
pppoe-client dial-pool-number 10
exit
!
! Clamp TCP MSS on the LAN side so LAN hosts' TCP segments fit the 1454-byte
! MTU set on Dialer 1 below.
interface GigabitEthernet 0/0
ip tcp adjust-mss 1356
exit
!
! 200.0.0.2 lives on a loopback and is borrowed by Dialer 1 (ip unnumbered).
! It is the same address R4 hands out from POOL1, so the PPP-negotiated
! address is expected to match -- re-check if R4's pool changes.
interface Loopback 1
ip address 200.0.0.2 255.255.255.0
exit
!
interface Dialer 1
ip unnumbered Loopback 1
ip mtu 1454
encapsulation ppp
dialer pool 10
dialer-group 20
! "callin": R2 only answers CHAP challenges from R4; it does not challenge R4.
ppp authentication chap callin
! The CHAP secret is stored in cleartext in the running-config. CHAP needs
! the reversible secret, so "service password-encryption" would only obscure
! it (type 7); control who can read the config instead.
ppp chap hostname ccie@example.com
ppp chap password cc13
no shutdown
exit
!
! No default route: only these two prefixes leave R2 via the PPPoE session.
ip route 100.0.0.0 255.255.0.0 Dialer 1
ip route 34.0.0.0 255.255.255.0 Dialer 1
!
! Interesting-traffic list referenced by "dialer-group 20": all IP traffic.
dialer-list 20 protocol ip permit
!
end
  • R3
configure terminal
!
! R3 -- PPPoE server for R1.
! Local user checked by CHAP; the password is stored as cleartext (type 0),
! so anyone who can read this config holds the client's credential.
username ccie@example.com password cc13
!
! Single-address pool: the client always receives 100.0.0.1, which is also
! the /32 R3 advertises in BGP.
ip local pool POOL1 100.0.0.1
!
! Address borrowed by Virtual-Template1 (ip unnumbered).
interface Loopback1
ip address 100.1.3.3 255.255.255.0
exit
!
! Template for the per-session virtual-access interfaces.
! "mtu 1454" matches the client's "ip mtu 1454" on Dialer 1.
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
! Server side requires CHAP from every client (no "callin" here).
ppp authentication chap
exit
!
! PPPoE group tying the physical port to the virtual template.
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
! Gi0/1 (toward R1) is a layer-2 PPPoE port with no IP address of its own.
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end
  • R4
configure terminal
!
! R4 -- PPPoE server for R2.
! Local user checked by CHAP; the password is stored as cleartext (type 0),
! so anyone who can read this config holds the client's credential.
username ccie@example.com password cc13
!
! Single-address pool: the client always receives 200.0.0.2, which is also
! the /32 R4 advertises in BGP.
ip local pool POOL1 200.0.0.2
!
! Address borrowed by Virtual-Template1 (ip unnumbered).
interface Loopback1
ip address 200.2.4.4 255.255.255.0
exit
!
! Template for the per-session virtual-access interfaces.
! "mtu 1454" matches the client's "ip mtu 1454" on Dialer 1.
interface Virtual-Template1
mtu 1454
ip unnumbered Loopback1
peer default ip address pool POOL1
! Server side requires CHAP from every client (no "callin" here).
ppp authentication chap
exit
!
! PPPoE group tying the physical port to the virtual template.
bba-group pppoe PPPOE-GROUP1
virtual-template 1
exit
!
! Gi0/1 (toward R2) is a layer-2 PPPoE port with no IP address of its own.
interface GigabitEthernet 0/1
no ip address
pppoe enable group PPPOE-GROUP1
no shut
exit
!
end

Static Routing

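! R1 -- GRE tunnel to R2 with a static route for the remote LAN.
configure terminal
!
interface GigabitEthernet 0/0
 ! Clamp TCP MSS on the LAN side so tunneled TCP segments fit the PPPoE path
 ! without fragmentation. Worked examples:
 ! MSS 1500 - 24 = 1476 (Ethernet + GRE)
 ! MSS 1500 - 8 = 1492 (PPPoE)
 ! MSS 1454 - 40 = 1414 (NTT NGN + PPPoE)
 ! MSS 1454 - 40 - 24 = 1390 (NTT NGN + PPPoE + GRE)
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The 1332 figure already reserves IPsec overhead; no IPsec is configured on
 ! this page, so it is conservative for plain GRE.
 ! The IOS keyword is "adjust-mss" (hyphenated), as in the verification log;
 ! "adjust mss" is not accepted.
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity for the inner traffic. The
! endpoints are the PPPoE addresses of R1 and R2.
interface Tunnel 0
 ip address 192.168.0.1 255.255.255.252
 tunnel source 100.0.0.1
 tunnel destination 200.0.0.2
 ! Keepalive every 10 s, 5 retries; when replies stop the Tunnel 0 line
 ! protocol goes down (visible in the verification log).
 keepalive 10 5
exit
!
! The remote LAN (PC-2) is reachable only through the tunnel.
ip route 10.200.0.0 255.255.255.0 Tunnel 0
!
end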
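! R2 -- GRE tunnel to R1 with a static route for the remote LAN.
configure terminal
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The 1332 figure already reserves IPsec overhead; no IPsec is configured on
 ! this page, so it is conservative for plain GRE.
 ! The IOS keyword is "adjust-mss" (hyphenated), as in the verification log;
 ! "adjust mss" is not accepted.
 ip tcp adjust-mss 1332
exit
!
! Plain GRE: no confidentiality or integrity for the inner traffic. The
! endpoints are the PPPoE addresses of R2 and R1.
interface Tunnel 0
 ip address 192.168.0.2 255.255.255.252
 tunnel source 200.0.0.2
 tunnel destination 100.0.0.1
 ! Keepalive every 10 s, 5 retries; when replies stop the Tunnel 0 line
 ! protocol goes down (visible in the verification log).
 keepalive 10 5
exit
!
! The remote LAN (PC-1) is reachable only through the tunnel.
ip route 10.100.0.0 255.255.255.0 Tunnel 0
!
end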

Dynamic Routing

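! R1 -- GRE tunnel to R2 with OSPF exchanging the LAN prefixes over it.
configure terminal
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The 1332 figure already reserves IPsec overhead; no IPsec is configured on
 ! this page, so it is conservative for plain GRE.
 ! The IOS keyword is "adjust-mss" (hyphenated), as in the verification log;
 ! "adjust mss" is not accepted.
 ip tcp adjust-mss 1332
exit
!
! Plain GRE, and no "keepalive" in this variant: the tunnel does not detect a
! dead peer by itself, so loss of the OSPF adjacency is what signals it.
interface Tunnel 0
 ip address 192.168.0.1 255.255.255.252
 tunnel source 100.0.0.1
 tunnel destination 200.0.0.2
exit
!
! Host-mask network statements enable OSPF on Gi0/0 and Tunnel 0 only; the
! loopback and the PPPoE dialer stay out of OSPF.
! No OSPF authentication is configured; adjacencies form over the
! unprotected GRE link -- acceptable for the lab only.
router ospf 1
 network 10.100.0.1 0.0.0.0 area 0
 network 192.168.0.1 0.0.0.0 area 0
exit
!
end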
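! R2 -- GRE tunnel to R1 with OSPF exchanging the LAN prefixes over it.
configure terminal
!
interface GigabitEthernet 0/0
 ! MSS 1356 - 24 = 1332 (NTT NGN + PPPoE + IPsec(3des, md5-hmac) + GRE)
 ! The 1332 figure already reserves IPsec overhead; no IPsec is configured on
 ! this page, so it is conservative for plain GRE.
 ! The IOS keyword is "adjust-mss" (hyphenated), as in the verification log;
 ! "adjust mss" is not accepted.
 ip tcp adjust-mss 1332
exit
!
! Plain GRE, and no "keepalive" in this variant: the tunnel does not detect a
! dead peer by itself, so loss of the OSPF adjacency is what signals it.
interface Tunnel 0
 ip address 192.168.0.2 255.255.255.252
 tunnel source 200.0.0.2
 tunnel destination 100.0.0.1
exit
!
! Host-mask network statements enable OSPF on Gi0/0 and Tunnel 0 only; the
! loopback and the PPPoE dialer stay out of OSPF.
! No OSPF authentication is configured; adjacencies form over the
! unprotected GRE link -- acceptable for the lab only.
router ospf 1
 network 10.200.0.2 0.0.0.0 area 0
 network 192.168.0.2 0.0.0.0 area 0
exit
!
end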

Verification

R1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#int Tunn
R1(config)#int Tunnel 0
R1(config-if)#ip add
R1(config-if)#ip address 
*Apr 11 20:53:56.068: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config-if)#ip address 192.168.0.1 255.255.255.252
R1(config-if)#tu
R1(config-if)#tunnel sou
R1(config-if)#tunnel source 100.0.0.1
R1(config-if)#tun
R1(config-if)#tunnel des
R1(config-if)#tunnel destination 200.0.0.2
R1(config-if)#k
*Apr 11 20:54:27.480: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#ke
R1(config-if)#keepalive 10 5
R1(config-if)#exit
R1(config)#ip route 10.200.0.0 255.255.255.0 tu
R1(config)#ip route 10.200.0.0 255.255.255.0 tunnel 0
R1(config)#
*Apr 11 20:55:25.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R1(config)#int gig0/0
R1(config-if)#ip tc
R1(config-if)#ip tcp ad
R1(config-if)#ip tcp adjust-mss 1332
R1(config-if)#
*Apr 11 20:57:05.104: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R1(config-if)#exit
R1(config)#do ping 10.200.0.200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/7/8 ms
R1(config)#do ping 10.200.0.200 source 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.200.0.200, timeout is 2 seconds:
Packet sent with a source address of 100.0.0.1 
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 6/256/1005 ms
R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R2(config)#int gig0/0
R2(config-if)#ip tc
R2(config-if)#ip tcp ad
R2(config-if)#ip tcp adjust-mss 1332
R2(config-if)#int tunn0
R2(config-if)#
*Apr 11 20:56:18.973: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
R2(config-if)#ip add
R2(config-if)#ip address 192.168.0.2 255.255.255.252
R2(config-if)#tu
R2(config-if)#tunnel so
R2(config-if)#tunnel source 200.0.0.2
R2(config-if)#tu
R2(config-if)#tunnel des
R2(config-if)#tunnel destination 100.0.0.1
R2(config-if)#
*Apr 11 20:56:49.333: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
R2(config-if)#ke
R2(config-if)#keepalive 10 5
R2(config-if)#exit
R2(config)#ip router 10.100.0.0 255.255.255.0 tun
R2(config)#ip router 10.100.0.0 255.255.255.0 tunn
R2(config)#ip route 10.100.0.0 255.255.255.0 tunn 
R2(config)#ip route 10.100.0.0 255.255.255.0 tunnel 0

correct

Remaining issue: return packets that leave without GRE encapsulation must be dropped rather than forwarded.

Configure an outbound ACL on the R2 side.

R2(config)#ip acce
R2(config)#ip access-list ex
R2(config)#ip access-list extended A-security-out
R2(config-ext-nacl)#den
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 an
R2(config-ext-nacl)#deny ip 10.200.0.0 0.0.0.255 any 
R2(config-ext-nacl)#permi
R2(config-ext-nacl)#permit an
R2(config-ext-nacl)#permit any any
                            ^
% Invalid input detected at '^' marker.

R2(config-ext-nacl)#permit ip an  
R2(config-ext-nacl)#permit ip any an
R2(config-ext-nacl)#permit ip any any 
R2(config-ext-nacl)#int dia1
R2(config-if)#ip access
R2(config-if)#ip access-group A-security-out out
R2(config-if)#noip access-group A-security-out out
                ^
% Invalid input detected at '^' marker.

R2(config-if)#no ip access-group A-security-out out
R2(config-if)#ip access-group A-security-out out   

TCP SYN packet MSS negotiation

PC-3 - PC-4

# PC-3 (Linux host behind R1): address on 10.100.0.0/24, default gateway R1.
ifconfig eth0 10.100.0.103 netmask 255.255.255.0 broadcast 10.100.0.255
route add default gw 10.100.0.1 eth0
# PC-4 (Linux host behind R2): address on 10.200.0.0/24, default gateway R2.
ifconfig eth0 10.200.0.204 netmask 255.255.255.0 broadcast 10.200.0.255
route add default gw 10.200.0.2 eth0
# On PC-4: serve a one-line page with PHP's built-in development server,
# bound to all interfaces on port 80 (lab only; not a hardened web server).
echo "hello, PC-4">index.html
php -S 0.0.0.0:80
# On PC-3: fetch the page across the GRE tunnel; the TCP SYN of this
# connection is where the MSS clamped by "ip tcp adjust-mss" can be observed.
curl http://10.200.0.204/index.html

References
