GRE (Generic Routing Encapsulation) - NetwaxLab


Saturday, February 21, 2015

GRE (Generic Routing Encapsulation)

Tunneling provides a mechanism to transport packets of one protocol within another protocol. The protocol that is carried is called the passenger protocol, and the protocol that is used for carrying the passenger protocol is called the transport protocol. Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. The tunnels behave as virtual point-to-point links with two endpoints, identified by the tunnel source and tunnel destination addresses configured at each end.

GRE encapsulates packets into IP packets and redirects them to an intermediate host, where they are de-encapsulated and routed to their final destination.

Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco Systems. GRE is described in RFC 2784 (which obsoletes the earlier RFCs 1701 and 1702). The switches support RFC 2784, but not all of it.

The diagram below shows the encapsulation process of a GRE packet as it traverses the router and enters the tunnel interface:

[Figure: GRE Encapsulation Process]

GRE Tunneling

Data is routed by the system to the GRE endpoint over routes established in the route table. (These routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.) When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again by means of the endpoint configuration to the destination address of the tunnel. In this way, each data packet traveling over the GRE tunnel gets routed through the system twice.

Because GRE tunnels are stateless, the endpoint of the tunnel contains no information about the state or availability of the remote tunnel endpoint. Therefore, the switch operating as a tunnel source router cannot change the state of the GRE tunnel interface to down if the remote endpoint is unreachable.

Encapsulation and De-Encapsulation on the Router

Encapsulation: A router operating as a tunnel source router encapsulates and forwards GRE packets as follows:
  1. When a router receives a data packet (payload) to be tunneled, it sends the packet to the tunnel interface.
  2. The tunnel interface encapsulates the data in a GRE packet.
  3. The system encapsulates the GRE packet in an IP packet.
  4. The IP packet is forwarded based on its destination address and routing table.

De-encapsulation: A router operating as a tunnel remote router handles GRE packets as follows:
  1. When the destination router receives the IP packet from the tunnel interface, the router checks the destination address.
  2. The IP header is removed, and the packet is submitted to the GRE protocol.
  3. The GRE protocol strips off the GRE header and submits the payload packet for forwarding.

Number of Source and Destination Tunnels Allowed on a Switch

Depending on your network, you can configure up to approximately 500 GRE tunnels to operate between switches transmitting IPv4 or IPv6 payload packets over GRE. If a passenger protocol in addition to IPv4 and IPv6 is used, you can configure up to approximately 333 GRE tunnels between the switches.

A switch can have a maximum of 20 tunnel source IP addresses configured, and each tunnel source IP can be configured with up to 20 destination IP addresses on a second switch. As a result, the two connected switches can have a maximum of 400 GRE tunnels. If the first switch is also connected to a third switch, the possible maximum number of tunnels can reach 500.

Example Uses

  1. In conjunction with PPTP (Point-to-Point Tunneling Protocol) to create VPNs.
  2. In conjunction with IPsec VPNs to allow passing of routing information between connected networks.
  3. In mobility protocols.
  4. In A8/A10 interfaces to encapsulate IP data to/from the Packet Control Function (PCF).
  5. Linux and BSD can establish ad-hoc IP-over-GRE tunnels which are interoperable with Cisco equipment.
  6. Aruba Access Points use GRE tunnels to establish a connection with their respective Aruba Mobility Controller. User data is transferred through this tunnel.
  7. Carrying traffic from a distributed denial of service (DDoS) protected appliance to an unprotected endpoint.

Example protocol stack

 OSI model layer               | Protocol
 ------------------------------+-------------------------
 5. Session                    | X.225
 4. Transport                  | UDP
 3. Network (GRE-encapsulated) | IPv6
 Encapsulation                 | GRE
 3. Network                    | IPv4
 2. Data Link                  | Ethernet
 1. Physical                   | Ethernet physical layer

Judged by the OSI layering principle, protocol encapsulation in general (not GRE specifically) breaks the layering order. It may be viewed as a separator between two different protocol stacks, one acting as a carrier for the other.

Packet Header

  • Standard GRE Packet Header

A standard GRE packet header structure, as defined by RFC 2784 and RFC 2890, is represented in the table below (bit 1, between C and K, is reserved).

 Bits 0–3 | 4–12      | 13–15   | 16–31
 ---------+-----------+---------+----------------------
 C K S    | Reserved0 | Version | Protocol Type
 Checksum (optional)            | Reserved1 (optional)
 Key (optional)
 Sequence Number (optional)

  1. C: Checksum bit. Set to 1 if a checksum is present.
  2. K: Key bit. Set to 1 if a key is present.
  3. S: Sequence number bit. Set to 1 if a sequence number is present.
  4. Reserved0: Reserved bits; set to 0.
  5. Version: GRE Version number; set to 0.
  6. Protocol Type: Indicates the EtherType of the encapsulated payload. (For IPv4, this is hex 0800.)
  7. Checksum: Present if the C bit is set; contains the checksum for the GRE header and payload.
  8. Reserved1: Present if the C bit is set; is set to 0.
  9. Key: Present if the K bit is set; contains an application-specific key value.
  10. Sequence Number: Present if the S bit is set; contains a sequence number for the GRE packet.
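The encapsulation and de-encapsulation steps above and this header layout, carried through in Python as an added example (not code from the original page): an inner packet is wrapped in a version-0 GRE header with the C bit set (K and S optional), then in an outer IPv4 header with protocol 47, and de-encapsulation verifies the GRE checksum before handing the payload on. The addresses and payload are constructed sample values.

```python
import struct

GRE_IP_PROTO = 47        # outer IPv4 protocol number for GRE
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type for an IPv4 passenger packet
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000  # bits 0, 2, 3 of the first word


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; both the IPv4 and GRE checksums use it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_gre(payload: bytes, proto=ETHERTYPE_IPV4, key=None, seq=None) -> bytes:
    """Standard (version 0) GRE header: checksum always on, key/sequence optional."""
    flags, opt = FLAG_C, b""
    if key is not None:
        flags, opt = flags | FLAG_K, opt + struct.pack("!I", key)
    if seq is not None:
        flags, opt = flags | FLAG_S, opt + struct.pack("!I", seq)
    # The checksum covers the whole GRE header (checksum field zeroed) plus payload.
    csum = inet_checksum(struct.pack("!HHHH", flags, proto, 0, 0) + opt + payload)
    return struct.pack("!HHHH", flags, proto, csum, 0) + opt + payload


def encapsulate(inner: bytes, src: str, dst: str, **gre_opts) -> bytes:
    """Encapsulation steps 2-3: wrap in GRE, then in an outer IPv4 header (proto 47)."""
    gre = build_gre(inner, **gre_opts)
    saddr, daddr = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64, GRE_IP_PROTO, 0, saddr, daddr)
    return ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:] + gre


def decapsulate(packet: bytes):
    """De-encapsulation steps 2-3: drop the outer IP header, verify and strip GRE."""
    if packet[9] != GRE_IP_PROTO:
        raise ValueError("outer IP header does not carry GRE (protocol 47)")
    gre = packet[(packet[0] & 0x0F) * 4:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unexpected GRE version %d" % (flags & 7))
    if flags & FLAG_C and inet_checksum(gre) != 0:
        raise ValueError("GRE checksum mismatch: header or payload was altered")
    hdr_len = 4 + sum(4 for f in (FLAG_C, FLAG_K, FLAG_S) if flags & f)
    return proto, gre[hdr_len:]
```

Running inet_checksum over the received GRE header plus payload returns 0 only when the stored checksum matches, which is the check a receiver or an IDS decoder applies before trusting the payload.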

  • PPTP GRE Packet Header

The Point-to-Point Tunneling Protocol (PPTP), defined in RFC 2637, uses a variant GRE packet header structure, represented below. PPTP creates a GRE tunnel through which the PPTP GRE packets are sent.

 Bits 0–4  | 5–7   | 8 | 9–12  | 13–15   | 16–31
 ----------+-------+---+-------+---------+----------------
 C R K S s | Recur | A | Flags | Version | Protocol Type
 Key Payload Length                      | Key Call ID
 Sequence Number (optional)
 Acknowledgement Number (optional)

  1. C: Checksum bit. For PPTP GRE packets, this is set to 0.
  2. R: Routing bit. For PPTP GRE packets, this is set to 0.
  3. K: Key bit. For PPTP GRE packets, this is set to 1. (All PPTP GRE packets carry a key.)
  4. S: Sequence number bit. Set to 1 if a sequence number is supplied, indicating a PPTP GRE data packet.
  5. s: Strict source route bit. For PPTP GRE packets, this is set to 0.
  6. Recur: Recursion control bits. For PPTP GRE packets, these are set to 0.
  7. A: Acknowledgement number present. Set to 1 if an acknowledgement number is supplied, indicating a PPTP GRE acknowledgement packet.
  8. Flags: Flag bits. For PPTP GRE packets, these are set to 0.
  9. Version: GRE Version number. For PPTP GRE packets, this is set to 1.
  10. Protocol Type: For PPTP GRE packets, this is set to hex 880B.
  11. Key Payload Length: Contains the size of the payload, not including the GRE header.
  12. Key Call ID: Contains the Peer's Call ID for the session to which the packet belongs.
  13. Sequence Number: Present if the S bit is set; contains the GRE payload sequence number.
  14. Acknowledgement Number: Present if the A bit is set; contains the sequence number of the highest GRE payload packet received by the sender.
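A parser for this PPTP (GRE version 1) header, added here as an example and not taken from the original page: it enforces the fixed values listed above (C, R, s, Recur and Flags zero; K set; version 1; protocol type 0x880B), classifies a packet as data or acknowledgement from the S and A bits, and checks that the Key Payload Length matches the bytes that follow. The builder and the sample values are constructed for the example.

```python
import struct

PPTP_PROTO = 0x880B
FLAG_C, FLAG_R, FLAG_K, FLAG_S = 0x8000, 0x4000, 0x2000, 0x1000  # bits 0-3
FLAG_s, RECUR_MASK, FLAG_A = 0x0800, 0x0700, 0x0080              # bit 4, 5-7, 8
FLAGS_MASK, VERSION_MASK = 0x0078, 0x0007                         # bits 9-12, 13-15
MUST_BE_ZERO = FLAG_C | FLAG_R | FLAG_s | RECUR_MASK | FLAGS_MASK


def parse_pptp_gre(data: bytes) -> dict:
    """Parse one PPTP GRE packet, rejecting headers that break the RFC 2637 rules."""
    if len(data) < 8:
        raise ValueError("truncated PPTP GRE header")
    word, proto, length, call_id = struct.unpack("!HHHH", data[:8])
    if word & VERSION_MASK != 1 or proto != PPTP_PROTO:
        raise ValueError("not PPTP GRE: need version 1 and protocol type 0x880B")
    if word & MUST_BE_ZERO or not word & FLAG_K:
        raise ValueError("C, R, s, Recur and Flags must be 0 and K must be 1")
    pkt = {"call_id": call_id, "payload_length": length, "seq": None, "ack": None}
    off = 8
    if word & FLAG_S:   # S set: a data packet carrying a sequence number
        pkt["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if word & FLAG_A:   # A set: an acknowledgement, alone or piggybacked on data
        pkt["ack"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    pkt["kind"] = "data" if pkt["seq"] is not None else "ack"
    if len(data) - off != length:
        raise ValueError("Key Payload Length does not match the bytes after the header")
    pkt["payload"] = data[off:]
    return pkt


def build_pptp_gre(call_id: int, payload: bytes = b"", seq=None, ack=None) -> bytes:
    """Build a PPTP GRE packet: K always set, version 1, S/A only when supplied."""
    word, tail = FLAG_K | 1, b""
    if seq is not None:
        word, tail = word | FLAG_S, tail + struct.pack("!I", seq)
    if ack is not None:
        word, tail = word | FLAG_A, tail + struct.pack("!I", ack)
    return struct.pack("!HHHH", word, PPTP_PROTO, len(payload), call_id) + tail + payload


def is_valid_pptp_gre(data: bytes) -> bool:
    """True if the packet parses; usable as a filter before deeper PPTP inspection."""
    try:
        parse_pptp_gre(data)
        return True
    except (ValueError, struct.error):
        return False
```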

Example (GRE Tunnel over S2S VPN)

[Figure: Topology]

Note:
  1. R2 and R3 must be able to ping each other.
  2. The tunnel IP addresses must be able to ping each other.
  3. The command tunnel mode ipsec ipv4 turns the interface into an IPsec VTI; to keep GRE as the encapsulation under IPsec protection, leave the default tunnel mode gre ip in place and apply only tunnel protection.
  4. The 3DES, SHA-1 and DH group 2 settings are kept as shown; for a new deployment use AES, SHA-2 and DH group 14 or higher.

R2

interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 102.1.1.100
 exit

router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 192.10.1.0 0.0.0.255
 network 192.10.2.0 0.0.0.255
 network 192.10.3.0 0.0.0.255
 network 192.10.4.0 0.0.0.255
 no auto-summary
 exit

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
 lifetime 1800
 exit

crypto ipsec transform-set tset esp-sha-hmac esp-3des
 exit

crypto isakmp key cisco address 102.1.1.100

crypto ipsec profile IPSEC
 set transform-set tset
 exit

interface tunnel 0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 exit

R3

interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 tunnel source serial 0/0
 tunnel destination 101.1.1.100
 exit

router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 192.20.1.0 0.0.0.255
 network 192.20.2.0 0.0.0.255
 network 192.20.3.0 0.0.0.255
 network 192.20.4.0 0.0.0.255
 no auto-summary
 exit

crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 group 2
 hash sha
 lifetime 1800
 exit

crypto ipsec transform-set tset esp-sha-hmac esp-3des
 exit

crypto isakmp key cisco address 101.1.1.100

crypto ipsec profile IPSEC
 set transform-set tset
 exit

interface tunnel 0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC
 exit

----
@NetwaxLab
