GRE (Generic Routing Encapsulation) Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called as the passenger protocol, and the protocol that is used for carrying the passenger protocol is called as the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. GRE encapsulates packets into IP packets and redirects them to an intermediate host, where they are de-encapsulated and routed to their final destination. Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems. GRE is described in RFC 2784 (obsoletes earlier RFCs 1701 and 1702). The switches support RFC 2784, but not completely. The below diagram shows encapsulation process of GRE packet as it traversers the router and enters the tunnel interface:
Figure 1 GRE
Encapsulation Process
GRE Tunneling Data is routed by the system to the GRE endpoint over routes established in the route table. (These routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.) When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again by means of the endpoint configuration to the destination address of the tunnel. In this way, each data packet traveling over the GRE tunnel gets routed through the system twice. Because GRE tunnels are stateless, the endpoint of the tunnel contains no information about the state or availability of the remote tunnel endpoint. Therefore, the switch operating as a tunnel source router cannot change the state of the GRE tunnel interface to down if the remote endpoint is unreachable.
GRE (Generic Routing Encapsulation) Encapsulation and De-Encapsulation Encapsulation— A Router operating as a tunnel source router encapsulates and forwards GRE packets as follows: 1. When a Router receives a data packet (payload) to be tunneled, it sends the packet to the tunnel interface. 2. The tunnel interface encapsulates the data in a GRE packet. 3. The system encapsulates the GRE packet in an IP packet. 4. The IP packet is forwarded based on its destination address and routing table. De-encapsulation— A Router operating as a tunnel remote router handles GRE packets as follows: 1. When the destination Router receives the IP packet from the tunnel interface, the Router checks the destination address. 2. The IP header is removed, and the packet is submitted to the GRE protocol. 3. The GRE protocol strips off the GRE header and submits the payload packet for forwarding.
Number of Source and Destination Tunnels Allowed on a Switch Depending on your network, you can configure up to approximately 500 GRE tunnels to operate between switches transmitting IPv4 or IPv6 payload packets over GRE. If a passenger protocol in addition to IPv4 and IPv6 is used, you can configure up to approximately 333 GRE tunnels between the switches. A switch can have a maximum of 20 tunnel source IP addresses configured, and each tunnel source IP can be configured with up to 20 destination IP addresses on a second switch. As a result, the two connected switches can have a maximum of 400 GRE tunnels. If the first switch is also connected to a third switch, the possible maximum number of tunnels can reach 500.
Example Uses 1. In conjunction with PPTP(point to point tunnel protocol) to create VPNs. 2. In conjunction with IPsec VPNs to allow passing of routing information between connected networks. 3. In Mobility protocols. 4. In A8/A10 interfaces to encapsulate IP data to/from Packet Control Function (PCF). 5. Linux and BSD can establish ad-hoc IP over GRE tunnels which are interoperable with Cisco equipment. 6. Aruba Access Points use GRE tunnels to establish a connection with their respective Aruba Mobility Controller. User data is transferred through this tunnel.
GRE (Generic Routing Encapsulation) 7. Distributed denial of service (DDoS) protected appliance to an unprotected endpoint.
Example protocol stack OSI model layer
Protocol
5. Session
X.225
4. Transport
UDP
3. Network (GRE-encapsulated) IPv6 Encapsulation
GRE
3. Network
IPv4
2. Data Link
Ethernet
1. Physical
Ethernet physical layer
Based on the principles of protocol layering in OSI, protocol encapsulation, not specifically GRE, breaks the layering order. It may be viewed as a separator between two different protocol stacks, one acting as a carrier for another.
Packet Header Standard GRE Packet Header A standard GRE packet header structure, as defined by RFC 2784 and RFC 2890, is represented in the diagram below.
Bits 0–3 C
4–12
K S Reserved0
Checksum (optional) Key (optional) Sequence Number (optional)
13–15
16–31
Version Protocol Type Reserved1 (optional)
GRE (Generic Routing Encapsulation) a) b) c) d) e) f) g) h) i) j)
C: Checksum bit. Set to 1 if a checksum is present. K: Key bit. Set to 1 if a key is present. S: Sequence number bit. Set to 1 if a sequence number is present. Reserved0: Reserved bits; set to 0. Version: GRE Version number; set to 0. Protocol Type: Indicates the ether protocol type of the encapsulated payload. (For IPv4, this would be hex 0800.) Checksum: Present if the C bit is set; contains the checksum for the GRE header and payload. Reserved1: Present if the C bit is set; is set to 0. Key: Present if the K bit is set; contains an application-specific key value. Sequence Number: Present if the S bit is set; contains a sequence number for the GRE packet.
PPTP GRE Packet Header The Point-to-Point Tunneling Protocol (PPTP), defined in RFC 2637, uses a variant GRE packet header structure, represented below. PPTP creates a GRE tunnel through which the PPTP GRE packets are sent.
Bits 0–4
5–7
C R K S s Recur
8
9-12
A Flags
13–15
16–31
Version Protocol Type
Key Payload Length
Key Call ID
Sequence Number (optional) Acknowledgement Number (optional)
a) b) c) d) e) f) g) h) i) j)
C: Checksum bit. For PPTP GRE packets, this is set to 0. R: Routing bit. For PPTP GRE packets, this is set to 0. K: Key bit. For PPTP GRE packets, this is set to 1. (All PPTP GRE packets carry a key.) S: Sequence number bit. Set to 1 if a sequence number is supplied, indicating a PPTP GRE data packet. s: Strict source route bit. For PPTP GRE packets, this is set to 0. Recur: Recursion control bits. For PPTP GRE packets, these are set to 0. A: Acknowledgement number present. Set to 1 if an acknowledgement number is supplied, indicating a PPTP GRE acknowledgement packet. Flags: Flag bits. For PPTP GRE packets, these are set to 0. Version: GRE Version number. For PPTP GRE packets, this is set to 1. Protocol Type: For PPTP GRE packets, this is set to hex 880B.
GRE (Generic Routing Encapsulation) k) l) m) n)
Key Payload Length: Contains the size of the payload, not including the GRE header. Key Call ID: Contains the Peer's Call ID for the session to which the packet belongs. Sequence Number: Present if the S bit is set; contains the GRE payload sequence number. Acknowledgement Number: Present if the A bit is set; contains the sequence number of the highest GRE payload packet received by the sender.
Example (GRE Tunnel over S2S VPN)
Figure 2 Topology
(Note: 1. R2 and R3 must able to ping each other. 2. Tunnel ip is must to ping each other.) R2 int t0 ip add 192.168.1.1 255.255.255.0 tunnel source se0/0 tunnel destination 102.1.1.100 exit router eigrp 100 network 192.168.1.0 0.0.0.255 network 192.10.1.0 0.0.0.255 network 192.10.2.0 0.0.0.255 network 192.10.3.0 0.0.0.255
GRE (Generic Routing Encapsulation) network 192.10.4.0 0.0.0.255 no auto-summary exit crypto isakmp policy 10 authentication pre-share encryption 3des group 2 hash sha lifetime 1800 exit crypto ipsec transform-set tset esp-sha-hmac esp-3des exit crypto isakmp key cisco add 102.1.1.100 crypto ipsec profile IPSEC set transform-set tset exit int t0 tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC exit R3 int t0 ip add 192.168.1.2 255.255.255.0 tunnel source se0/0 tunnel destination 101.1.1.100 exit router eigrp 100 network 192.168.1.0 0.0.0.255 network 192.20.1.0 0.0.0.255 network 192.20.2.0 0.0.0.255 network 192.20.3.0 0.0.0.255 network 192.20.4.0 0.0.0.255 no auto-summary
GRE (Generic Routing Encapsulation) exit crypto isakmp policy 10 authentication pre-share encryption 3des group 2 hash sha lifetime 1800 exit crypto ipsec transform-set tset esp-sha-hmac esp-3des exit crypto isakmp key cisco add 101.1.1.100 crypto ipsec profile IPSEC set transform-set tset exit int t0 tunnel mode ipsec ipv4 tunnel protection ipsec profile IPSEC exit