GRE Tunnels

Forgive me for posting in CCNP section when this is possibly a CCNA question, but it is regarding CCNP literature.

I have been reading the new 300-101 OCG and I am confused by the author's GRE example configuration.

I always believed that when specifying the endpoints of a GRE tunnel, you used the IP address of the egress interface as the tunnel source and the ingress of the other side as the tunnel destination, with the configuration reversed on the other side.
In the new 300-101 the author when describing GRE shows a topology, p54, in which he shows a configuration of using loopbacks on each router as being the source and destination endpoints of the tunnel.

Can someone explain how this is possible?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

AwesomeGarrett

You're configuring which IP addresses will be inserted in the IP header before the GRE header in the packet. If these IP addresses are reachable via the underlay IGP or through static routing, then the IP addresses you use for the tunnel source and destination are irrelevant.

Hondabuff

In production, The GRE destination address is almost always the WAN interface of the remote router. Like AwsomeGarrett said, IGP would have to be running to allow visibility to the loopback. There needs to be a Cisco Press book release for production use titled "Cisco for the real world applications".

fitzybhoy

Thanks for replies. I've been thinking back to my early study days and seem to remember that it isn't always the ingress/egress method as I posted. TBH I've been reading CCNA OCGs and the like and I'm getting used to it being dumbed down. Suppose I'm going to have to get out of that mindset for CCNP and start to see the bigger picture instead of taking book examples as gospel.

d4nz1g

Do not limit your studies to books only...do a little research about use case studies and real world implementation, because yes, most part of the examples on books do not aply to real world cases.

powmia

It is useful to see that tunnels aren't bound to physical interfaces, just a source IP. Using loopbacks is one way to allow you to terminate multiple tunnels on a single WAN link, you just source each tunnel from a different loopback. In the real world, it's most common to source from a physical interface; and it would be the internet, not an IGP between you and the destination.

Hondabuff

The main reason you see labs done to Loopbacks because the tunnel will always be up. If you doing you labs and build your tunnel to the WAN interface but you are protecting the LAN traffic and you did not plug any equipment into say Fa0/0, the tunnel will not come up no matter what you do. I do a lot of remote sites that have a HWIC installed in the router and I terminate the tunnel to a VLAN, then I assign the switchports to the VLAN and then use the Autostate command on the VLAN to keep it up even though our field techs have not install any of the cell phone tower equipment yet. That way I can verify the tunnel is up and import the router into Solarwinds to begin monitoring. Little tricks you pick up along the way! I use virtual tunnels with GRE for everything, No messing with Crypto ACL's to protect the traffic. All you need is a static route to direct the protected traffic to the tunnel or use a IGP to auto discover.

networker050184

I always build tunnels with loopbacks in the real world unless there is no way around using an interface IP.

Hondabuff

networker050184 wrote: »

I always build tunnels with loopbacks in the real world unless there is no way around using an interface IP.

Any reason why? I always like to hear other Engineers point of view. Might be something new I learn. I even set my tunnels up as "IP unnumbered" and don't use a crypto ACL only a IPsec transform set with isakmp policy. I always figured the loopback is just an extra hop and one more thing I could screw up doing the config. I really like doing a Virtual tunnels with IPsec once I learned how to do them. Simple, clean and they always work.

networker050184

Interface IPs change. I don't tie anything to them unless absolutely necessary. Unnumbered is a good way to go about it too. Leaves it easier to move. Say you get a new router and want to gracefully migrate services over without pulling down the whole WAN link and move it because you tied your config to that IP. Or you just want to move it to another spot in the infrastructure but can't move the link.