Thursday, November 5, 2009

Generic Routing Encapsulation – GRE

  • GRE is IP protocol 47 (that's Protocol NOT port)
  • GRE can encapsulate a wide variety of protocol packets inside IP tunnels
  • Creates virtual Point-to-Point links to Cisco router (proprietary)
  • Uses IP for transport
  • Additional Header supports any other layer3 protocol in the payload (eg IPX, AppleTalk, et al)
  • Stateless – Tunnel end point doesn’t keep any information on the state/availability of the remote end point.
  • Offers NO security, confidentiality, integrity checking, data authentication
  • Uses 24-byte overhead by default – 20-byte IP header plus 4-byte GRE header
  • 4-byte header contains GRE flag setting out a checksum, key (if used), sequence number, version number, protocol type id field.
  • Protocol typre id field is used to identify the protocol of the payload, e.g, 0x800 indicates IP. This is the field that allows GRE to tunnel any protocol.
 Benefits:
  •  Good at tunneling
  •  Supports multiple protocols
  • Allows routing protocols (OSPF, EIGRP) to be used
Costs:
  • Poor security – only plain text authentication used
  • Cannot accommodate confidentiality, integrity, and data authentication
GRE and IPSEC
  •  GRE can be used in conjunction with IPSEC
  •  IPSEC offers confidentiality via 3DES or AES (for example)
  •  Authentication is provided via a HMAC such as MD5 or SHA-1
  •  Integrity is via MD5 or SHA-1
  •  IPSEC is not perfect though, older IOS’ don’t support IP multicast
  •  IPSEC was designed to support IP only
 Configure a basic GRE tunnel in IOS
  •  Here is a typical GRE tunnel config.
  • Each router needs needs a tunnel interface on the end points of the tunnel
  • Simplest type of tunnel
 R1(config)#int tu0
R1(config-if)#tunnel source S0/0
R1(config-if)#tunnel dest 192.168.20.1
R1(config-if)#ip address 172.16.10.1 255.255.255.0

R2(config)#int tu0
R2(config-if)#tunnel source s0/1
R2(config-if)#tunnel dest 192.168.10.1
R2(config-if)#ip address 172.16.10.2 255.255.255.0

*use the ? to inspect further options in tunnel interface mode

Note
  • The ‘int tu0’ cmd creates the GRE tunnel
  • ‘ip address’ is a network used exclusively by the tunnel end points
  •  ‘tunnel source’ is a physical interface on the route
  •  ‘tunnel dest’ is the ip of the physical interface on the remote router
  •  Default mode of the tunnel is GRE and so we have not needed to configure the mode in this example
  • GRE can pass OSPF/EIGRP so you use this in association with IPSEC (which cannot) if you are wishing to distribute routing information
  • Where you use IPSEC and GRE the ipsec crypto map will be assigned to the physical interface NOT the tunnel interface
  • IPSEC will be discussed in further detail later.

No comments:

Post a Comment