gre_vpn_lab


Upload: moise-guilavogui

Post on 05-Nov-2015


DESCRIPTION

VPN GRE Configuration Lab

TRANSCRIPT

GNS3 Labs for CCNA – GRE Tunnels Configuration and Verification

This article will be about generic routing encapsulation (GRE) tunnels. Using tunneling, it's possible to carry packets of one protocol within (encapsulated in) another protocol. The carried protocol goes by the name of payload protocol, while the protocol that encapsulates this data goes by the name of transport protocol.

GRE is one of the many possible tunneling mechanisms that use IP as the transport protocol (a GRE packet is carried directly inside IP, with IP protocol number 47). The payload protocols that can be carried by GRE are many and diverse. The tunnels act as point-to-point virtual links. They are implemented through a virtual interface that is configured by the user based on what is needed. The tunnel interface itself is not tied to any specific payload protocol or transport protocol.

The topology used for this article and for the simulation is shown below (the addressing is also in the startup configuration files reproduced at the end of this page):

The goal of the lab is that the two hosts can reach each other via the GRE tunnel. After the tunnel interface is configured as shown on the diagram, on each router you should configure a static route towards the subnet where the remote host resides through the tunnel interface.

Once you download the files (the link is at the beginning of the article), you will notice that, along with the GNS3 topology file, you will get the, let's say, startup configuration files for this lab. If you use these configuration files, please adapt the path to them in the GNS3 topology file.

Once the topology is loaded and all the devices are powered on, the next step is to configure the two hosts (PC_1 and PC_2) with IP addresses and a default gateway.

There are two things not shown on the diagram. First, R1, R2 and R3 are running OSPF so that R1 and R3 can reach each other: the source of the tunnel must be able to reach the destination of the tunnel in order to bring the tunnel up. Second, the subnet used on the tunnel interfaces will be 1.1.1.0/24: 1.1.1.1/24 will be configured on R1 and 1.1.1.3/24 on R3.

This is the routing table of R1:

R1#show ip route | begin Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.1.0 is directly connected, FastEthernet0/0
C       10.10.12.0 is directly connected, FastEthernet1/0
O       10.10.23.0 [110/2] via 10.10.12.2, 00:23:07, FastEthernet1/0
R1#

And this is the routing table of R3:

R3#show ip route | begin Gateway
Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 3 subnets
C       10.10.2.0 is directly connected, FastEthernet1/0
O       10.10.12.0 [110/2] via 10.10.23.2, 00:22:28, FastEthernet0/0
C       10.10.23.0 is directly connected, FastEthernet0/0
R3#

Before you can configure the hosts, you should know that they are emulated using a lightweight version of Linux. You can download it from here: http://sourceforge.net/projects/gns-3/files/Qemu%20Appliances/linux-microcore-3.8.2.img. Once you download it, you need to configure GNS3. Go to Edit > Preferences > Qemu. You should see something similar to the figure below. Keep in mind that the path location might be different, depending on where you decided to store the Linux image.

Once you start the hosts, because the configuration doesn't survive a device power-off, you will need to configure the IP address on eth0 of each host and the default gateway pointing to the router to which it is connected, as shown on the diagram. Keep in mind that using tc as the username when you access the hosts through the console will log you in directly to a shell without asking for any password.

This is needed on PC_1 to change the hostname, to add the right IP address on eth0, and to add the default route pointing to R1. Do the similar configuration on PC_2.

tc@box:~$ sudo hostname PC_1
tc@PC_1:~$ sudo ifconfig eth0 10.10.1.100 netmask 255.255.255.0
tc@PC_1:~$ sudo route add default gw 10.10.1.1 eth0

This is the confirmation that everything is configured correctly. You can ping your gateway:

tc@PC_1:~$ ping 10.10.1.1
PING 10.10.1.1 (10.10.1.1): 56 data bytes
64 bytes from 10.10.1.1: seq=0 ttl=255 time=49.112 ms
^C
--- 10.10.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 49.112/49.112/49.112 ms
tc@PC_1:~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
127.0.0.1       0.0.0.0         255.255.255.255 UH    0      0        0 lo
10.10.1.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         10.10.1.1       0.0.0.0         UG    0      0        0 eth0
tc@PC_1:~$

You can paste this configuration on R1 to configure the tunnel interface and to add the route towards the PC_2 subnet through the tunnel interface:

R1#show running-config interface Tunnel0
Building configuration...

Current configuration : 132 bytes
!
interface Tunnel0
 ip address 1.1.1.1 255.255.255.0
 keepalive 10 3
 tunnel source 10.10.12.1
 tunnel destination 10.10.23.3
end

R1#

R1#show running-config | i 10.10.2.0
ip route 10.10.2.0 255.255.255.0 1.1.1.3
R1#

And this is the configuration from R3:

R3#show running-config interface Tunnel0
Building configuration...

Current configuration : 132 bytes
!
interface Tunnel0
 ip address 1.1.1.3 255.255.255.0
 keepalive 10 3
 tunnel source 10.10.23.3
 tunnel destination 10.10.12.1
end

R3#

R3#show running-config | i 10.10.1.0
ip route 10.10.1.0 255.255.255.0 1.1.1.1
R3#

Once this has been configured, it's time to check the operational status of the tunnel interface. This is on R1:

R1#show interfaces Tunnel0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 1.1.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 10.10.12.1, destination 10.10.23.3
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:05:44, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     50 packets input, 2604 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     66 packets output, 3510 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
R1#

As you can see, the interface is up and the tunnel mode is GRE over IP, as we configured it: the "Tunnel protocol/transport GRE/IP" line says the payload is wrapped in a GRE header and carried in IP. The keepalive is configured with the default timers and values: 10 seconds between each keepalive, and the tunnel will be brought down if three keepalives are missed, hence you need 30 seconds to detect a failure between the source and the destination of the tunnel. Note also "Key disabled" and "Checksumming of packets disabled": nothing in this configuration authenticates the tunnel traffic, and even when a GRE key is configured it is a cleartext demultiplexing tag, not a secret.

The purpose of the lab was to have the two hosts communicating through the tunnel interfaces configured on R1 and R3. After the static route was configured, it will appear in the routing table.
For instance on R1:

R1#show ip route static
     10.0.0.0/24 is subnetted, 4 subnets
S       10.10.2.0 [1/0] via 1.1.1.3
R1#

And PC_1 should be able to ping PC_2:

tc@PC_1:~$ ping 10.10.2.100
PING 10.10.2.100 (10.10.2.100): 56 data bytes
64 bytes from 10.10.2.100: seq=0 ttl=62 time=69.858 ms
^C
--- 10.10.2.100 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 69.858/69.858/69.858 ms
tc@PC_1:~$

Also, when you are checking the status of the interface, you can see that there is traffic through the tunnel, and it cannot be anything but the traffic between the two hosts or the keepalive packets themselves. Let's clear the interface counters on R1, send five ICMP packets from PC_1 to PC_2 and then check the counters on R1 again.

Clear the counters:

R1#clear counters
Clear "show interface" counters on all interfaces [confirm]
R1#
*Mar 1 00:55:43.695: %CLEAR-5-COUNTERS: Clear counter on all interfaces by console
R1#

Send the ICMP packets from PC_1 to PC_2:

tc@PC_1:~$ ping 10.10.2.100
PING 10.10.2.100 (10.10.2.100): 56 data bytes
64 bytes from 10.10.2.100: seq=0 ttl=62 time=66.542 ms
64 bytes from 10.10.2.100: seq=1 ttl=62 time=85.004 ms
64 bytes from 10.10.2.100: seq=2 ttl=62 time=53.098 ms
64 bytes from 10.10.2.100: seq=3 ttl=62 time=72.986 ms
64 bytes from 10.10.2.100: seq=4 ttl=62 time=80.438 ms
^C
--- 10.10.2.100 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 53.098/71.613/85.004 ms
tc@PC_1:~$

Check the counters again on R1:

R1#show interfaces Tunnel0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 1.1.1.1/24
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive set (10 sec), retries 3
  Tunnel source 10.10.12.1, destination 10.10.23.3
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
    Checksumming of packets disabled
  Tunnel TTL 255
  Fast tunneling enabled
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Last input 00:13:41, output 00:00:07, output hang never
  Last clearing of "show interface" counters 00:00:06
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     5 packets input, 540 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     5 packets output, 540 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out
R1#

As you can see, there is a match between the number of packets sent and the number of packets that went through the tunnel: five echo requests out, five echo replies in. The byte counters are a useful check too: 540 bytes for 5 packets is 108 bytes each, which is the 84-byte ping (56 data bytes plus 8 bytes of ICMP and 20 bytes of IP header) plus the 20-byte outer IP header and the 4-byte GRE header that R1 adds. The ttl=62 in the replies tells the same story: the Linux host sends with a TTL of 64 and only R3 and R1 decrement the inner packet, because R2 forwards the outer GRE packet and never touches what is inside it.

The reason one would configure a tunnel interface is to carry traffic across devices in between the source and destination of the tunnel without those devices having to know anything about the payload or the end networks, or to make devices believe that the routers configured with the source and destination of the tunnel are directly connected. Be careful with the idea that the data is "hidden", though: plain GRE provides neither confidentiality nor authentication. R2, or anyone capturing on the R1-R2 or R2-R3 links, sees an IP packet with protocol 47 whose payload is the original packet in cleartext, and because nothing authenticates the outer packet, a GRE packet with a forged source address that reaches 10.10.12.1 will be decapsulated by R1 just the same unless it is filtered. If the data must actually be protected, run the GRE tunnel over IPsec.

Check the output when a traceroute is issued from PC_2 towards PC_1:

tc@PC_2:~$ traceroute 10.10.1.100
traceroute to 10.10.1.100 (10.10.1.100), 30 hops max, 38 byte packets
 1  10.10.2.1 (10.10.2.1)  12.950 ms  4.201 ms  38.739 ms
 2  1.1.1.1 (1.1.1.1)  85.533 ms  37.812 ms  71.899 ms
 3  10.10.1.100 (10.10.1.100)  79.307 ms  106.123 ms  131.049 ms
tc@PC_2:~$

As you can see, the first hop is R3, the second hop is R1 (1.1.1.1 is configured on the tunnel interface on R1) and the third one is PC_1. There is no mention of R2 anywhere. It's as if it doesn't exist. However, it does exist, but for R2 any type of traffic sent between R1 and R3 through the tunnel will appear as GRE, even though it might be ICMP, FTP, HTTP or something else.

As you can see, the GRE tunnel configuration required for the CCNA exam is pretty straightforward.
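To make concrete what R2 and a sniffer on the transit links actually see, here is an added example that walks one echo request from PC_2 to PC_1 along the lab path in plain Python (standard library only). It is not code from the article or from GNS3: the packet is constructed inline, the GRE header is the 4-byte RFC 2784 form with no checksum/key/sequence (matching "Key disabled" and "Checksumming of packets disabled" above), the host TTL of 64 is the Linux default and the outer TTL of 255 is the "Tunnel TTL 255" shown by the router. The payload length of 56 bytes is chosen so the encapsulated size matches the 108 bytes per packet implied by the counters above.

```python
"""GRE encapsulation walk-through for the PC_2 -> R3 -> R2 -> R1 -> PC_1 lab path (constructed example)."""
import socket
import struct

IPPROTO_GRE = 47          # outer IP protocol number: all R2 (or a sniffer) has to go on
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload
ICMP_ECHO_REQUEST = 8


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header checksum and return the fields a router or a sniffer looks at."""
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if ones_complement_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ttl": ttl, "proto": proto, "payload": pkt[ihl:total_len]}


def build_icmp_echo(ident: int = 1, seq: int = 0,
                    data: bytes = b"constructed lab payload".ljust(56, b".")) -> bytes:
    """ICMP echo request with 56 data bytes, the size the lab pings use."""
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = ones_complement_checksum(hdr + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def forward_hop(pkt: bytes) -> bytes:
    """One router hop: decrement TTL and rewrite the header checksum (no IP options assumed)."""
    hdr = bytearray(pkt[:20])
    if hdr[8] <= 1:
        raise ValueError("TTL expired in transit")
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ones_complement_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]


def gre_encap(inner: bytes, tunnel_src: str, tunnel_dst: str, tunnel_ttl: int = 255) -> bytes:
    """RFC 2784 GRE: 4-byte header with the C, K and S flags clear, inside an outer IP header."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre_hdr + inner, ttl=tunnel_ttl)


def gre_decap(pkt: bytes) -> bytes:
    """Strip outer IP + GRE. Anyone holding the bytes can do this: there is no secret to check."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer["payload"][:4])
    if flags & 0xB000:  # checksum / key / sequence present: longer header, not handled here
        raise ValueError("optional GRE fields not handled in this example")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    return outer["payload"][4:]


def simulate_pc2_to_pc1() -> dict:
    """Walk one echo request along the lab path and record what each vantage point sees."""
    pkt = build_ipv4("10.10.2.100", "10.10.1.100", socket.IPPROTO_ICMP, build_icmp_echo(), ttl=64)
    pkt = forward_hop(pkt)                                 # R3 routes it via Tunnel0: inner TTL 63
    on_wire = gre_encap(pkt, "10.10.23.3", "10.10.12.1")   # R3 wraps it; outer TTL 255
    seen_by_r2 = parse_ipv4(on_wire)                       # R2 is transit: an IP/47 packet, nothing more
    exposed = parse_ipv4(gre_decap(on_wire))               # ...but the cleartext payload is right there
    wire_bytes = len(on_wire)                              # what the Tunnel0 byte counters add up
    on_wire = forward_hop(on_wire)                         # R2 decrements only the outer TTL
    inner = forward_hop(gre_decap(on_wire))                # R1 unwraps, then routes to PC_1: TTL 62
    return {"delivered": parse_ipv4(inner), "seen_by_r2": seen_by_r2,
            "exposed": exposed, "wire_bytes": wire_bytes}
```

The "exposed" entry is the point a security reviewer cares about: gre_decap() needs nothing but the captured bytes, so R2, or any tap between R1 and R3, reads the ICMP (or FTP, or HTTP) payload as easily as R1 does.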
At the minimum, you need only to configure the source, the destination of the tunnel and the IP address. However, problems with GRE tunnels are very common, and this is because they traverse domains that are not under your authority. Always check that each end can reach the tunnel destination it is configured with; check that IP protocol 47 (GRE) is allowed on the networks that are not under your administration, since a firewall or ACL in the path that only permits TCP, UDP and ICMP silently drops it; and make sure the tunnel destination is not itself reached through the tunnel, otherwise the router detects recursive routing and shuts the tunnel interface.
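The "source must be able to reach the destination" requirement and the recursive-routing trap are easiest to see as a next-hop resolution walk over R1's routing table. The following is an added example, not part of the article: the table is transcribed from the show ip route outputs on this page, the Route class, lookup(), resolve() and tunnel_check() are this example's own helpers, and the second table appends a hypothetical static route that was never typed in the lab, to show what the check catches.

```python
"""Recursive next-hop resolution over R1's routing table (constructed example, stdlib only)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: Optional[str] = None    # None for connected routes
    interface: Optional[str] = None   # None for a static route that only names a next hop
    distance: int = 0                 # administrative distance: connected 0, static 1, OSPF 110


# R1 after the tunnel and the static route are in place (from the show ip route outputs above).
R1_TABLE = [
    Route("10.10.1.0/24", interface="FastEthernet0/0"),
    Route("10.10.12.0/24", interface="FastEthernet1/0"),
    Route("10.10.23.0/24", next_hop="10.10.12.2", interface="FastEthernet1/0", distance=110),
    Route("1.1.1.0/24", interface="Tunnel0"),
    Route("10.10.2.0/24", next_hop="1.1.1.3", distance=1),  # ip route 10.10.2.0 255.255.255.0 1.1.1.3
]
R1_TUNNELS = {"Tunnel0": "10.10.23.3"}   # tunnel interface -> configured tunnel destination


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; among equal prefixes the lowest administrative distance wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return max(matches, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.distance))


def resolve(table: List[Route], dst: str, max_depth: int = 8) -> Tuple[str, List[str]]:
    """Follow next hops until a route names an egress interface. Returns (interface, next hops walked)."""
    hops: List[str] = []
    target = dst
    for _ in range(max_depth):
        route = lookup(table, target)
        if route is None:
            raise LookupError("no route to %s (walked %s)" % (target, hops))
        if route.next_hop:
            hops.append(route.next_hop)
        if route.interface:
            return route.interface, hops
        target = route.next_hop
    raise LookupError("next-hop resolution did not terminate for %s" % dst)


def tunnel_check(table: List[Route], tunnels: Dict[str, str]) -> Dict[str, dict]:
    """Each tunnel destination must resolve via some interface other than the tunnel itself.
    If it resolves back through the tunnel, IOS reports recursive routing and shuts the tunnel."""
    result = {}
    for tun, dest in tunnels.items():
        try:
            egress, hops = resolve(table, dest)
            result[tun] = {"egress": egress, "hops": hops, "ok": egress != tun}
        except LookupError as err:
            result[tun] = {"egress": None, "hops": [], "ok": False, "error": str(err)}
    return result


# Hypothetical misconfiguration (not in the lab): "ip route 10.10.23.0 255.255.255.0 1.1.1.3" on R1.
# The static (AD 1) beats the OSPF route (AD 110), so the tunnel destination now resolves through Tunnel0.
R1_TABLE_RECURSIVE = R1_TABLE + [Route("10.10.23.0/24", next_hop="1.1.1.3", distance=1)]
```

resolve(R1_TABLE, "10.10.2.100") walks 1.1.1.3 and lands on Tunnel0, exactly the "S 10.10.2.0 [1/0] via 1.1.1.3" entry; tunnel_check() then confirms that 10.10.23.3 itself leaves via FastEthernet1/0, which is the reachability precondition the article states. With the extra static route the same check reports egress Tunnel0 and flags the tunnel as unsound.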

GNS3LabGRETunnels/configs/R1.cfg

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface FastEthernet0/0
 ip address 10.10.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.12.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.12.1 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end


GNS3LabGRETunnels/configs/R2.cfg

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface FastEthernet0/0
 ip address 10.10.12.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.23.2 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.12.2 0.0.0.0 area 0
 network 10.10.23.2 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end


GNS3LabGRETunnels/configs/R3.cfg

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
!
ip cef
no ip domain lookup
ip domain name lab.local
!
interface FastEthernet0/0
 ip address 10.10.23.3 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.10.2.1 255.255.255.0
 duplex auto
 speed auto
!
router ospf 1
 log-adjacency-changes
 network 10.10.23.3 0.0.0.0 area 0
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line vty 0 4
 login
!
end


GNS3LabGRETunnels/topology.net

autostart = False
version = 0.8.3.1
[qemu 127.0.0.1:10525]
    workingdir = C:\Users\parau\AppData\Local\Temp
    udp = 40000
    qemupath = C:\Program Files\GNS3\qemu.exe
    qemuimgpath = C:\Program Files\GNS3\qemu-img.exe
    [[QemuDevice]]
        image = C:\Users\parau\GNS3\ios\linux-microcore-3.8.2.img
        ram = 128
        nics = 1
        netcard = e1000
    [[QEMU PC_2]]
        e0 = R3 f1/0
        x = 493.884776311
        y = -58.186291501
        z = 1.0
    [[QEMU PC_1]]
        e0 = R1 f0/0
        x = -421.612698372
        y = -56.9142135624
        z = 1.0
[127.0.0.1:7200]
    workingdir = C:\Users\parau\AppData\Local\Temp
    udp = 10000
    [[3640]]
        image = C:\Users\parau\GNS3\ios\c3640-jk9s-mz.124-12.bin.extracted
        idlepc = 0x604bbf70
        sparsemem = True
        ghostios = True
        chassis = 3640
    [[ROUTER R3]]
        model = 3640
        console = 2003
        aux = 2503
        cnfg = configs\R3.cfg
        slot0 = NM-1FE-TX
        f0/0 = R2 f1/0
        slot1 = NM-1FE-TX
        f1/0 = PC_2 e0
        x = 263.330952442
        y = -48.1005050634
        z = 1.0
    [[ROUTER R1]]
        model = 3640
        console = 2001
        aux = 2501
        cnfg = configs\R1.cfg
        slot0 = NM-1FE-TX
        f0/0 = PC_1 e0
        slot1 = NM-1FE-TX
        f1/0 = R2 f0/0
        x = -183.384776311
        y = -49.0
        z = 1.0
    [[ROUTER R2]]
        model = 3640
        console = 2002
        aux = 2502
        cnfg = configs\R2.cfg
        slot0 = NM-1FE-TX
        f0/0 = R1 f1/0
        slot1 = NM-1FE-TX
        f1/0 = R3 f0/0
        x = 39.1299423149
        y = -49.1715728753
        z = 1.0
[GNS3-DATA]
    configs = configs
    [[NOTE 1]]
        text = ".2"
        x = 119.0
        y = -64.0
    [[NOTE 2]]
        text = ".1"
        x = -101.0
        y = -62.0
    [[NOTE 3]]
        text = ".1"
        x = -215.0
        y = -64.0
    [[NOTE 4]]
        text = ".100"
        x = 459.0
        y = -65.0
    [[NOTE 5]]
        text = ".100"
        x = -359.0
        y = -66.0
    [[NOTE 6]]
        text = ".2"
        x = 10.0
        y = -64.0
    [[NOTE 7]]
        text = ".1"
        x = 339.0
        y = -63.0
    [[NOTE 8]]
        text = " Static route on R3\n to 10.10.1.0/24 \nthrough Tunnel interface"
        x = 204.0
        y = -216.0
    [[NOTE 9]]
        text = "10.10.23.0/24"
        x = 127.0
        y = -105.0
    [[NOTE 10]]
        text = " Static route on R1\n to 10.10.2.0/24 \nthrough Tunnel interface"
        x = -239.0
        y = -213.0
    [[NOTE 11]]
        text = "10.10.2.0/24"
        x = 362.0
        y = -105.0
    [[NOTE 12]]
        text = "10.10.12.0/24"
        x = -90.0
        y = -109.0
    [[NOTE 13]]
        text = "10.10.1.0/24"
        x = -313.0
        y = -115.0
    [[NOTE 14]]
        text = ".3"
        x = 237.0
        y = -64.0
    [[NOTE 15]]
        text = "GRE Tunnel"
        x = 35.0
        y = -139.0
    [[SHAPE 1]]
        type = rectangle
        x = -180.0
        y = -134.0
        width = 504.0
        height = 14.0
        fill_color = "#ff0000"
        border_color = "#ff0000"
