- GRE is IP protocol 47 (that's Protocol NOT port)
- GRE can encapsulate a wide variety of protocol packets inside IP tunnels
- Creates virtual point-to-point links between Cisco routers (Cisco proprietary)
- Uses IP for transport
- The additional GRE header lets any other layer 3 protocol be carried in the payload (e.g. IPX, AppleTalk, et al)
- Stateless – the tunnel end point doesn’t keep any information on the state/availability of the remote end point.
- Offers NO security: no confidentiality, no integrity checking, no data authentication
- Uses 24-byte overhead by default – 20-byte IP header plus 4-byte GRE header
- The 4-byte base header contains the GRE flag bits (checksum present, key present, sequence number present), the version number and the protocol type ID field; the checksum, key (if used) and sequence number themselves are optional fields appended after the base header.
- The protocol type ID field identifies the protocol of the payload, e.g. 0x800 indicates IP. This is the field that allows GRE to tunnel any protocol.
- Good at tunneling
- Supports multiple protocols
- Allows routing protocols (OSPF, EIGRP) to be used
- Poor security – only plain-text authentication is available
- Cannot accommodate confidentiality, integrity, and data authentication
- GRE can be used in conjunction with IPSEC
- IPSEC offers confidentiality via 3DES or AES (for example)
- Authentication is provided via an HMAC such as MD5 or SHA-1
- Integrity is via MD5 or SHA-1
- IPSEC is not perfect though: older IOS versions don’t support IP multicast over it
- IPSEC was designed to support IP only
- Here is a typical GRE tunnel config.
- Each router needs a tunnel interface at its end of the tunnel
- Simplest type of tunnel
R1(config)#int tu0
R1(config-if)#tunnel source S0/0
R1(config-if)#tunnel dest 192.168.20.1
R1(config-if)#ip address 172.16.10.1 255.255.255.0
R2(config)#int tu0
R2(config-if)#tunnel source s0/1
R2(config-if)#tunnel dest 192.168.10.1
R2(config-if)#ip address 172.16.10.2 255.255.255.0
*use ? to inspect further options in tunnel interface mode
Note
- The ‘int tu0’ command creates the GRE tunnel interface
- ‘ip address’ is a network used exclusively by the tunnel end points
- ‘tunnel source’ is a physical interface on the local router
- ‘tunnel dest’ is the IP of the physical interface on the remote router
- The default mode of the tunnel is GRE, so we have not needed to configure the mode in this example
- GRE can pass OSPF/EIGRP, so you use it in association with IPSEC (which cannot) if you wish to distribute routing information across the tunnel
- Where you use IPSEC and GRE together, the IPSEC crypto map is assigned to the physical interface, NOT the tunnel interface
- IPSEC will be discussed in further detail later.
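To make the header layout described above concrete, here is an added example (not code from the original notes) that builds and parses a GRE header: the 4-byte base header with its flag bits, version and protocol type, the optional checksum/key/sequence fields in the order the GRE RFCs specify, and the resulting per-packet overhead once the 20-byte outer IP header is added. The sample payload and key value are constructed for the example; the checksum check only detects corruption and gives no integrity protection against a deliberate change, which is why the notes pair GRE with IPSEC.

```python
import struct

GRE_PROTO_IPV4 = 0x0800      # protocol type ID for an IPv4 payload
FLAG_CHECKSUM, FLAG_KEY, FLAG_SEQ = 0x8000, 0x2000, 0x1000
OUTER_IP_LEN = 20            # outer IPv4 header with no options


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto=GRE_PROTO_IPV4, key=None, seq=None, checksum=False) -> bytes:
    """4-byte base header plus optional fields in RFC 2784/2890 order: checksum, key, sequence."""
    flags, opts = 0, b""
    if checksum:
        flags |= FLAG_CHECKSUM
        opts += struct.pack("!HH", 0, 0)        # checksum placeholder + reserved1
    if key is not None:
        flags |= FLAG_KEY
        opts += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_SEQ
        opts += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, proto) + opts   # version bits stay 0 for plain GRE
    if checksum:
        csum = ones_complement_sum(hdr + payload)   # covers the GRE header and the payload
        hdr = hdr[:4] + struct.pack("!H", csum) + hdr[6:]
    return hdr + payload


def parse_gre(packet: bytes) -> dict:
    """Return the header fields, header length, total overhead and whether a present checksum verifies."""
    flags, proto = struct.unpack("!HH", packet[:4])
    off = 4
    info = {"proto": proto, "version": flags & 0x7, "key": None, "seq": None, "checksum_ok": None}
    if flags & FLAG_CHECKSUM:
        csum = struct.unpack("!H", packet[4:6])[0]
        # recompute with the checksum field zeroed; this detects corruption, not tampering
        info["checksum_ok"] = ones_complement_sum(packet[:4] + b"\x00\x00" + packet[6:]) == csum
        off += 4
    if flags & FLAG_KEY:
        info["key"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    if flags & FLAG_SEQ:
        info["seq"] = struct.unpack("!I", packet[off:off + 4])[0]
        off += 4
    info["header_len"], info["overhead"], info["payload"] = off, OUTER_IP_LEN + off, packet[off:]
    return info
```

With no options set the header is 4 bytes and the overhead 24, matching the notes; with checksum, key and sequence all present it grows to 16 bytes and the overhead to 36.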