How to configure GRE Tunnel on Cisco IOS Router

Tunneling is a concept where we put ‘packets into packets’ so that they can be transported over certain networks. We also call this encapsulation.

A good example  is when you have two sites with IPv6 addresses on their LAN but they are only connected to the Internet with IPv4 addresses.Normally it would be impossible for the two IPv6 LANs to reach each other but by using tunneling the two routers will put IPv6 packets into IPv4 packets so that our IPv6 traffic can be routed on the Internet.

Another example is where we have an HQ and a branch site and you want to run a routing protocol like RIP, OSPF or EIGRP between them. We can tunnel these routing protocols so that the HQ and branch router can exchange routing information.

Basically when you configure a tunnel, it’s like you create a point-to-point connection between the two devices. GRE (Generic Routing Encapsulation) is a simple tunneling technique that can do this for us. Let me show you a topology that we will use to demonstrate GRE:

three cisco routers with tunnel

Above we have 3 routers connected to each other. On the left side we have the “HQ” router which is our headquarters. On the right side there is a “Branch” router that is supposed to be a branch office. Both routers are connected to the Internet, in the middle on top there is an ISP router. We can use this topology to simulate two routers that are connected to the Internet. The HQ and Branch router each have a loopback interface that represents the LAN.

Tunneling is a concept where we put 'packets into packets' so that they can be transported over certain networks. We also call this encapsulation. A good example  is when you have two sites with IPv6 addresses on their LAN but they are only connected to the Internet with IPv4 addresses.Normally it w


Let me show you the basic configuration of these routers so that you can recreate it if you want:

HQ(config)#interface fastEthernet 0/0           
HQ(config-if)#ip address 192.168.12.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#interface loopback0
HQ(config-if)#ip address 172.16.1.1 255.255.255.0
HQ(config-if)#exit
HQ(config)#ip route 192.168.23.3 255.255.255.255 192.168.12.2
ISP(config)#interface fastEthernet 0/0
ISP(config-if)#ip address 192.168.12.2 255.255.255.0
ISP(config-if)#exit
ISP(config)#interface fastEthernet 1/0
ISP(config-if)#ip address 192.168.23.2 255.255.255.0
Branch(config)#interface fastEthernet 0/0
Branch(config-if)#ip address 192.168.23.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#interface loopback 0
Branch(config-if)#ip address 172.16.3.3 255.255.255.0
Branch(config-if)#exit
Branch(config)#ip route 192.168.12.1 255.255.255.255 192.168.23.2

I created a static route on the HQ and Branch router so that they can reach each other through the ISP router. They will be unable to reach the networks on each others loopback interfaces however. Now let’s create a tunnel:

HQ(config)#interface tunnel 1     
HQ(config-if)#tunnel source fastEthernet 0/0
HQ(config-if)#tunnel destination 192.168.23.3
HQ(config-if)#ip address 192.168.13.1 255.255.255.0
Branch(config)#interface tunnel 1
Branch(config-if)#tunnel source fastEthernet 0/0
Branch(config-if)#tunnel destination 192.168.12.1
Branch(config-if)#ip address 192.168.13.3 255.255.255.0

You can pick any number for the tunnel interface that you like. We need to specify a source and destination IP address to build the tunnel and we’ll use the 192.168.13.0 /24 subnet on the tunnel interface. Let’s verify that our tunnel is working:

HQ#show interfaces tunnel 1
Tunnel1 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.13.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.12.1 (FastEthernet0/0), destination 192.168.23.3
  Tunnel protocol/transport GRE/IP
Branch#show interfaces tunnel 1
Tunnel1 is up, line protocol is up 
  Hardware is Tunnel
  Internet address is 192.168.13.3/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec, 
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.23.3 (FastEthernet0/0), destination 192.168.12.1
  Tunnel protocol/transport GRE/IP

Above you can see that the tunnel interface is up/up on both routers. The default tunneling mode is GRE. Let’s see if both routers can reach each other:

Branch#ping 192.168.13.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.13.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/7/12 ms

There we go…they can ping each other without any issues! So that wasn’t too bad right? Let’s see if we can enable a routing protocol so that we can advertise the loopback interfaces. I’ll use EIGRP for this:

HQ(config)#router eigrp 13    
HQ(config-router)#no auto-summary 
HQ(config-router)#network 192.168.13.0
HQ(config-router)#network 172.16.1.0
Branch(config)#router eigrp 13
Branch(config-router)#no auto-summary 
Branch(config-router)#network 192.168.13.0
Branch(config-router)#network 172.16.3.0

I’ll activate EIGRP on the tunnel and loopback interfaces. You will see that both routers establish an EIGRP neighbor adjacency through the tunnel interface. Let’s check the routing tables:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 657 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

541 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags: ,


Forum Replies

  1. Dear Rene,

    1. Can you please tell why did you used:

    tunnel source fastEthernet 0/0

    and not:

    tunnel source 192.168.12.1

    instead? What would be the difference ?

    1. Now, this might sound silly but anyway … Given the below config:
    HQ(config)#interface tunnel 1
    HQ(config-if)#tunnel source fastEthernet 0/0
    HQ(config-if)#tunnel destination 192.168.23.3
    HQ(config-if)#ip address 192.168.13.1 255.255.255.0
    

    what I still cannot understand (I have read a couple of articles on GRE) and seems very strange to me is how the ip address of the tunnel is 192.168.13.1 and the source

    ... Continue reading in our forum

  2. Hi Adrian,

    When you use the tunnel source command, you can define an interface or an IP address. When you use the interface, the router will check for the IP address on the interface and use that so the end result is the same.

    The tunnel source and destination addresses are only used to build the tunnel, that’s it. When you use this to tunnel something over the Internet, we typically use the public IP address on the outside interfaces for this.

    You can use loopbacks as the source addresses if you want redundancy. Let’s say we have two routers that are connected

    ... Continue reading in our forum

  3. Hi Adrian,

    Once the GRE tunnel is up, it acts like a regular interface. With normal interfaces we also don’t see the next hop IP address within the IP packet.

    Here’s the logic of the router:

    1. When HQ sends a packet with destination 172.16.3.3 it has to check its routing table for a match:
    HQ#show ip route eigrp 
    
          172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
    D        172.16.3.0/24 [90/27008000] via 192.168.13.3, 00:00:07, Tunnel1
    
    1. Above you can see that the next hop is the remote IP address of the tunnel. Now it has to do another lookup to fig
    ... Continue reading in our forum

  4. Hello Pinki

    The advantages provided by GRE tunnelling (or any kind of network tunnelling) is that it allows us to interconnect two remote sites over a third network as if those remote sites are directly connected to each other. So let’s say you have two branch offices, one in one city and one in another. You have a subnet of 192.168.1.0/24 at the first office and 192.168.2.0/24 at the second office. Those two offices will never be able to communicate directly with each other over the Internet, because the Internet uses its own IP address ranges and it does n

    ... Continue reading in our forum

75 more replies! Ask a question or join the discussion by visiting our Community Forum