GRE (generic routing encapsulation)

GRE (Generic Routing Encapsulation)

Tunneling provides a mechanism to transport packets of one protocol within another protocol. The

protocol that is carried is called as the passenger protocol, and the protocol that is used for carrying the

passenger protocol is called as the transport protocol. Generic Routing Encapsulation (GRE) is one of the

available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying

many different passenger protocols. The tunnels behave as virtual point-to-point links that have two

endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

GRE encapsulates packets into IP packets and redirects them to an intermediate host, where they are

de-encapsulated and routed to their final destination.

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems. GRE is

described in RFC 2784 (obsoletes earlier RFCs 1701 and 1702). The switches support RFC 2784, but not

completely.

The below diagram shows encapsulation process of GRE packet as it traversers the router and enters the

tunnel interface:

GRE Tunneling

Data is routed by the system to the GRE endpoint over routes established in the route table. (These

routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.)

When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again by means of

the endpoint configuration to the destination address of the tunnel. In this way, each data packet

traveling over the GRE tunnel gets routed through the system twice.

Because GRE tunnels are stateless, the endpoint of the tunnel contains no information about the state

or availability of the remote tunnel endpoint. Therefore, the switch operating as a tunnel source router

cannot change the state of the GRE tunnel interface to down if the remote endpoint is unreachable.

Figure 1 GRE Encapsulation Process


Encapsulation and De-Encapsulation

Encapsulation— A Router operating as a tunnel source router encapsulates and forwards GRE

packets as follows:

1. When a Router receives a data packet (payload) to be tunneled, it sends the packet to the tunnel

interface.

2. The tunnel interface encapsulates the data in a GRE packet.

3. The system encapsulates the GRE packet in an IP packet.

4. The IP packet is forwarded based on its destination address and routing table.

De-encapsulation— A Router operating as a tunnel remote router handles GRE packets as

follows:

1. When the destination Router receives the IP packet from the tunnel interface, the Router checks

the destination address.

2. The IP header is removed, and the packet is submitted to the GRE protocol.

3. The GRE protocol strips off the GRE header and submits the payload packet for forwarding.

Number of Source and Destination Tunnels Allowed on a Switch

Depending on your network, you can configure up to approximately 500 GRE tunnels to operate

between switches transmitting IPv4 or IPv6 payload packets over GRE. If a passenger protocol in

addition to IPv4 and IPv6 is used, you can configure up to approximately 333 GRE tunnels

between the switches.

A switch can have a maximum of 20 tunnel source IP addresses configured, and each tunnel

source IP can be configured with up to 20 destination IP addresses on a second switch. As a

result, the two connected switches can have a maximum of 400 GRE tunnels. If the first switch is

also connected to a third switch, the possible maximum number of tunnels can reach 500.

Example Uses

1. In conjunction with PPTP(point to point tunnel protocol) to create VPNs.

2. In conjunction with IPsec VPNs to allow passing of routing information between connected

networks.

3. In Mobility protocols.

4. In A8/A10 interfaces to encapsulate IP data to/from Packet Control Function (PCF).

5. Linux and BSD can establish ad-hoc IP over GRE tunnels which are interoperable with Cisco

equipment.

6. Aruba Access Points use GRE tunnels to establish a connection with their respective Aruba

Mobility Controller. User data is transferred through this tunnel.


7. Distributed denial of service (DDoS) protected appliance to an unprotected endpoint.

Example protocol stack

OSI model layer Protocol

5. Session X.225

4. Transport UDP

3. Network (GRE-encapsulated) IPv6

Encapsulation GRE

3. Network IPv4

2. Data Link Ethernet

1. Physical Ethernet physical layer

Based on the principles of protocol layering in OSI, protocol encapsulation, not specifically GRE, breaks

the layering order. It may be viewed as a separator between two different protocol stacks, one acting as

a carrier for another.

Packet Header

Standard GRE Packet Header

A standard GRE packet header structure, as defined by RFC 2784 and RFC 2890, is represented in the

diagram below.

Bits 0–3 4–12 13–15 16–31

C

K S Reserved0 Version Protocol Type

Checksum (optional) Reserved1 (optional)

Key (optional)

Sequence Number (optional)


a) C: Checksum bit. Set to 1 if a checksum is present.

b) K: Key bit. Set to 1 if a key is present.

c) S: Sequence number bit. Set to 1 if a sequence number is present.

d) Reserved0: Reserved bits; set to 0.

e) Version: GRE Version number; set to 0.

f) Protocol Type: Indicates the ether protocol type of the encapsulated payload. (For IPv4, this

would be hex 0800.)

g) Checksum: Present if the C bit is set; contains the checksum for the GRE header and payload.

h) Reserved1: Present if the C bit is set; is set to 0.

i) Key: Present if the K bit is set; contains an application-specific key value.

j) Sequence Number: Present if the S bit is set; contains a sequence number for the GRE packet.

PPTP GRE Packet Header

The Point-to-Point Tunneling Protocol (PPTP), defined in RFC 2637, uses a variant GRE packet header

structure, represented below. PPTP creates a GRE tunnel through which the PPTP GRE packets are sent.

Bits 0–4 5–7 8 9-12 13–15 16–31

C R K S s Recur A Flags Version Protocol Type

Key Payload Length Key Call ID

Sequence Number (optional)

Acknowledgement Number (optional)

a) C: Checksum bit. For PPTP GRE packets, this is set to 0.

b) R: Routing bit. For PPTP GRE packets, this is set to 0.

c) K: Key bit. For PPTP GRE packets, this is set to 1. (All PPTP GRE packets carry a key.)

d) S: Sequence number bit. Set to 1 if a sequence number is supplied, indicating a PPTP GRE data

packet.

e) s: Strict source route bit. For PPTP GRE packets, this is set to 0.

f) Recur: Recursion control bits. For PPTP GRE packets, these are set to 0.

g) A: Acknowledgement number present. Set to 1 if an acknowledgement number is supplied,

indicating a PPTP GRE acknowledgement packet.

h) Flags: Flag bits. For PPTP GRE packets, these are set to 0.

i) Version: GRE Version number. For PPTP GRE packets, this is set to 1.

j) Protocol Type: For PPTP GRE packets, this is set to hex 880B.


k) Key Payload Length: Contains the size of the payload, not including the GRE header.

l) Key Call ID: Contains the Peer's Call ID for the session to which the packet belongs.

m) Sequence Number: Present if the S bit is set; contains the GRE payload sequence number.

n) Acknowledgement Number: Present if the A bit is set; contains the sequence number of the

highest GRE payload packet received by the sender.

Example (GRE Tunnel over S2S VPN)

(Note: 1. R2 and R3 must able to ping each other.

2. Tunnel ip is must to ping each other.)

R2

int t0

ip add 192.168.1.1 255.255.255.0

tunnel source se0/0

tunnel destination 102.1.1.100

exit

router eigrp 100

network 192.168.1.0 0.0.0.255

network 192.10.1.0 0.0.0.255

network 192.10.2.0 0.0.0.255

network 192.10.3.0 0.0.0.255

Figure 2 Topology


network 192.10.4.0 0.0.0.255

no auto-summary

exit

crypto isakmp policy 10

authentication pre-share

encryption 3des

group 2

hash sha

lifetime 1800

exit

crypto ipsec transform-set tset esp-sha-hmac esp-3des

exit

crypto isakmp key cisco add 102.1.1.100

crypto ipsec profile IPSEC

set transform-set tset

exit

int t0

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC

exit

R3

int t0

ip add 192.168.1.2 255.255.255.0

tunnel source se0/0

tunnel destination 101.1.1.100

exit

router eigrp 100

network 192.168.1.0 0.0.0.255

network 192.20.1.0 0.0.0.255

network 192.20.2.0 0.0.0.255

network 192.20.3.0 0.0.0.255

network 192.20.4.0 0.0.0.255

no auto-summary


exit

crypto isakmp policy 10

authentication pre-share

encryption 3des

group 2

hash sha

lifetime 1800

exit

crypto ipsec transform-set tset esp-sha-hmac esp-3des

exit

crypto isakmp key cisco add 101.1.1.100

crypto ipsec profile IPSEC

set transform-set tset

exit

int t0

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC

exit

Technology

GRE (generic routing encapsulation)