07-VPN Configuration Guide

H3C SecPath M9000 Configuration Guide (V7) (R9153P39 R9001P39)-6W400, 07-VPN Configuration Guide: 02-GRE configuration

Configuring GRE

About GRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a protocol (such as IP, MPLS, or Ethernet) into a virtual point-to-point tunnel over a network (such as an IP network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.

GRE encapsulation format

As shown in Figure 1, a GRE-tunneled packet includes the following parts:

·     Payload packet—Original packet. The protocol type of the payload packet is called the passenger protocol. The passenger protocol can be any network layer protocol.

·     GRE header—Header that is added to the payload packet to change the payload packet to a GRE packet. A GRE header includes the number of encapsulations, version, passenger protocol type, checksum, and key. GRE is called the encapsulation protocol.

·     Delivery header—Header that is added to the GRE packet to deliver it to the tunnel end. The transport protocol (or delivery protocol) is the network layer protocol that transfers GRE packets.

The device supports GRE tunnels with IPv4 and IPv6 as the transport protocols. When the transport protocol is IPv4, the GRE tunnel mode is GRE over IPv4 (GRE/IPv4). When the transport protocol is IPv6, the GRE tunnel mode is GRE over IPv6 (GRE/IPv6).

Figure 1 GRE encapsulation format

GRE tunnel operating principle

As shown in Figure 2, an IPv6 protocol packet traverses an IPv4 network through a GRE tunnel as follows:

1.     After receiving an IPv6 packet from the interface connected to IPv6 network 1, Device A processes the packet as follows:

a.     Looks up the routing table to identify the outgoing interface for the IPv6 packet.

b.     Submits the IPv6 packet to the outgoing interface—the GRE tunnel interface Tunnel 0.

2.     Upon receiving the packet, the tunnel interface encapsulates the packet with GRE and then with IPv4. In the IPv4 header:

◦     The source address is the tunnel's source address (the IP address of Interface A of Device A).

◦     The destination address is the tunnel's destination address (the IP address of Interface B of Device B).

3.     Device A looks up the routing table according to the destination address in the IPv4 header, and forwards the IPv4 packet out of the physical interface (Interface A) of the GRE tunnel.

4.     When the IPv4 packet arrives at the GRE tunnel destination Device B, Device B checks the destination address. Because the destination is Device B itself and the protocol number in the IP header is 47 (the protocol number for GRE), Device B submits the packet to GRE for de-encapsulation.

5.     GRE first removes the IPv4 header, and then checks the GRE key, checksum, and packet sequence number. After GRE finishes the checking, it removes the GRE header, and submits the payload to the IPv6 protocol for forwarding.

Figure 2 IPv6 networks interconnected through a GRE tunnel

GRE security mechanisms

GRE supports the GRE key and GRE checksum security mechanisms.

GRE key

GRE keys ensure packet validity. The sender adds a GRE key into a packet. The receiver compares the GRE key with its own GRE key. If the two keys are the same, the receiver accepts the packet. If the two keys are different, the receiver drops the packet.

GRE checksum

GRE checksums ensure packet integrity. The sender calculates a checksum for the GRE header and payload and sends the packet containing the checksum to the tunnel peer. The receiver calculates a checksum for the received packet and compares it with that carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process the packet. If the checksums are different, the receiver discards the packet.
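The encapsulation steps in "GRE tunnel operating principle" and the key and checksum checks above, worked through in Python as an added example (this is not code from the H3C guide or from the device). It builds the delivery header, the GRE header (RFC 2784 base fields, RFC 2890 key and sequence extensions) and an IPv6 passenger packet, then de-encapsulates the way the tunnel destination does: protocol 47 check, checksum verified whenever the packet carries one, key compared with the local key, and optionally the drop of IPv4-compatible IPv6 addresses described later in this guide. The addresses and the key value 0x1234 are constructed. Note that the key travels in cleartext and the checksum is not keyed, so these mechanisms catch misdirected and corrupted packets but provide no authentication or confidentiality; where those are needed, GRE is carried inside IPsec.

```python
"""GRE/IPv4 encapsulation of an IPv6 payload with key and checksum checks.

Added example, not H3C code. Header layout follows RFC 2784 and RFC 2890.
"""
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number that hands the packet to GRE (step 4)
ETHERTYPE_IPV6 = 0x86DD   # passenger protocol type carried in the GRE header
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum / key / sequence present


def inet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IP and GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload: bytes, proto: int, key=None, checksum=False, seq=None) -> bytes:
    """Prepend a GRE header; the checksum covers the GRE header and the payload."""
    flags, opt = 0, b""
    if checksum:
        flags |= FLAG_C
        opt += b"\x00" * 4                   # checksum (filled in below) + reserved1
    if key is not None:
        flags |= FLAG_K
        opt += struct.pack("!I", key)
    if seq is not None:
        flags |= FLAG_S
        opt += struct.pack("!I", seq)
    hdr = struct.pack("!HH", flags, proto) + opt
    if checksum:
        hdr = hdr[:4] + struct.pack("!H", inet_checksum(hdr + payload)) + hdr[6:]
    return hdr + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl=255, df=False) -> bytes:
    """Delivery header: outer IPv4 with the tunnel source/destination and protocol 47."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                      0x4000 if df else 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    """Passenger packet: a minimal IPv6 header (hop limit 64) plus payload."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def is_ipv4_compatible(addr: ipaddress.IPv6Address) -> bool:
    """::a.b.c.d (upper 96 bits zero), excluding :: and ::1 (RFC 4291)."""
    value = int(addr)
    return value >> 32 == 0 and value not in (0, 1)


def encapsulate(inner: bytes, tun_src: str, tun_dst: str, key=None,
                checksum=False, df=False) -> bytes:
    """Device A, step 2: GRE first, then IPv4 with the tunnel's source/destination."""
    gre = build_gre(inner, ETHERTYPE_IPV6, key, checksum)
    return build_ipv4(tun_src, tun_dst, GRE_PROTO, gre, df=df)


def decapsulate(packet: bytes, local_addr: str, local_key=None, drop_ipv4_compatible=False):
    """Device B, steps 4-5. Returns (passenger protocol, payload); raises ValueError on drop."""
    if str(ipaddress.IPv4Address(packet[16:20])) != local_addr:
        raise ValueError("outer destination is not this tunnel end")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    gre = packet[(packet[0] & 0x0F) * 4:]       # strip the delivery header
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    off = 4
    if flags & FLAG_C:                          # verified whenever present, whatever the local setting
        if inet_checksum(gre) != 0:
            raise ValueError("GRE checksum mismatch")
        off += 4
    key = None
    if flags & FLAG_K:
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if key != local_key:                        # same key on both ends, or none on both
        raise ValueError("GRE key mismatch")
    if flags & FLAG_S:
        off += 4
    payload = gre[off:]
    if drop_ipv4_compatible and proto == ETHERTYPE_IPV6:
        for raw in (payload[8:24], payload[24:40]):   # IPv6 source, destination
            if is_ipv4_compatible(ipaddress.IPv6Address(raw)):
                raise ValueError("IPv4-compatible IPv6 address dropped")
    return proto, payload


if __name__ == "__main__":
    inner = build_ipv6("2001:db8:1::10", "2001:db8:2::10", 59, b"")  # constructed addresses
    outer = encapsulate(inner, "1.1.1.1", "2.2.2.2", key=0x1234, checksum=True)
    print(len(outer), "bytes on the wire, payload type %#x" % decapsulate(outer, "2.2.2.2", 0x1234)[0])
```

Run it to see the 72-byte GRE/IPv4 packet (20-byte IPv4 + 4-byte GRE base + 4-byte checksum + 4-byte key + 40-byte IPv6); changing either end's key, or any payload byte, makes decapsulate raise with the drop reason, which is the behaviour the two security mechanisms give a tunnel end.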

GRE application scenarios

Typical GRE application scenarios include the following:

Connecting networks running different protocols over a single backbone

As shown in Figure 3, IPv6 network 1 and IPv6 network 2 are IPv6 networks, and IPv4 network 1 and IPv4 network 2 are IPv4 networks. Through the GRE tunnel between Device A and Device B, IPv6 network 1 can communicate with IPv6 network 2 and IPv4 network 1 can communicate with IPv4 network 2, without affecting each other.

Figure 3 Network diagram

Enlarging network scope

In an IP network, the maximum TTL value of a packet is 255. If two devices have more than 255 hops in between, they cannot communicate with each other. By using a GRE tunnel, you can hide some hops to enlarge the network scope. As shown in Figure 4, only the tunnel-end devices (Device A and Device D) of the GRE tunnel are counted in hop count calculation. Therefore, there are only three hops between Host A and Host B.

Figure 4 Network diagram

Constructing VPN

As shown in Figure 5, Site 1 and Site 2 both belong to VPN 1 and are located in different cities. Using a GRE tunnel can connect the two VPN sites across the WAN.

Figure 5 Network diagram

Protocols and standards

·     RFC 1701, Generic Routing Encapsulation (GRE)

·     RFC 1702, Generic Routing Encapsulation over IPv4 networks

·     RFC 2784, Generic Routing Encapsulation (GRE)

·     RFC 2890, Key and Sequence Number Extensions to GRE

Restrictions: Hardware compatibility with GRE

Hardware platform | Module type | GRE compatibility
M9006, M9010, M9014 | Blade IV firewall module | Yes
M9006, M9010, M9014 | Blade V firewall module | Yes
M9006, M9010, M9014 | NAT module | No
M9006, M9010, M9014 | Application delivery engine (ADE) module | Yes
M9006, M9010, M9014 | Anomaly flow cleaner (AFC) module | Yes
M9010-GM | Encryption module | Yes
M9016-V | Blade V firewall module | Yes
M9008-S, M9012-S | Blade IV firewall module | Yes
M9008-S, M9012-S | Application delivery engine (ADE) module | Yes
M9008-S, M9012-S | Intrusion prevention service (IPS) module | Yes
M9008-S, M9012-S | Video network gateway module | Yes
M9008-S, M9012-S | Anomaly flow cleaner (AFC) module | Yes
M9008-S-6GW | IPv6 module | Yes
M9008-S-V | Blade IV firewall module | Yes
M9000-AI-E8 | Blade V firewall module | Yes
M9000-AI-E8 | Application delivery engine (ADE) module | Yes
M9000-AI-E16 | Blade V firewall module | Yes

Restrictions and guidelines: GRE configuration

When you configure a GRE tunnel, follow these restrictions and guidelines:

·     You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source or destination address at one end must be the tunnel destination or source address at the other end.

·     As a best practice, do not configure the same tunnel source and destination addresses for local tunnel interfaces that use the same tunnel mode.

·     Do not configure the same tunnel source and destination addresses for a GRE tunnel interface and a GRE P2MP tunnel interface.

·     You can enable or disable GRE checksum at each end of a tunnel. If GRE checksum is enabled at a tunnel end, the tunnel end sends packets carrying the checksum to the peer end. A tunnel end checks the GRE checksum of a received packet if the packet carries a GRE checksum, whether or not the tunnel end is enabled with GRE checksum.

·     To ensure correct packet forwarding, identify whether the destination network of packets and the IP address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination network through the tunnel interface. You can configure the route by using one of the following methods:

◦     Configure a static route, using the local tunnel interface as the outgoing interface of the route.

◦     Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network. This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface.

·     GRE encapsulation and de-encapsulation can decrease the forwarding efficiency of tunnel-end devices.

Configuring a GRE/IPv4 tunnel

Restrictions and guidelines

This task describes only the tunnel interface commands required for a GRE/IPv4 tunnel (the interface tunnel, source, and destination commands). For more tunnel interface commands, see "Configuring tunneling."

Procedure

1.     Enter system view.

system-view

2.     Create a GRE tunnel interface, and specify the tunnel mode as GRE/IPv4.

interface tunnel number mode gre

You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery might fail.

3.     Configure an IP address for the tunnel interface based on the passenger protocol.

IPv4:

For information about how to assign an IPv4 address to an interface, see "Configuring IP addressing."

IPv6:

For information about how to assign an IPv6 address to an interface, see "Configuring basic IPv6 settings."

By default, no IP address is configured for a tunnel interface.

4.     Configure a source address or source interface for the tunnel interface.

source { ip-address | interface-type interface-number }

By default, no source address or interface is configured for a tunnel interface.

If you configure a source address for a tunnel interface, the tunnel interface uses the source address as the source address of the encapsulated packets.

If you configure a source interface for a tunnel interface, the tunnel interface uses the primary IP address of the source interface as the source address of the encapsulated packets.

5.     Configure a destination address for the tunnel interface.

destination ip-address

By default, no destination address is configured for a tunnel interface.

The destination address is the address of the physical interface that the tunnel remote end uses to receive packets from the GRE tunnel.

The tunnel local end uses this address as the destination address of the encapsulated packets.

The tunnel destination address and the IP address of the tunnel interface must be in different subnets.

6.     (Optional.) Enable GRE keepalive, and set the keepalive interval and keepalive number.

keepalive [ interval [ times ] ]

By default, GRE keepalive is disabled.

7.     (Optional.) Configure GRE security mechanisms.

◦     Enable GRE checksum.

gre checksum

By default, GRE checksum is disabled.

◦     Configure a GRE key for the GRE tunnel interface.

gre key key

By default, no GRE key is configured for a GRE tunnel interface.

The two ends of a GRE tunnel must have the same key or both have no key.

8.     (Optional.) Set the DF bit for encapsulated packets.

tunnel dfbit enable

By default, the DF bit is not set, allowing encapsulated packets to be fragmented.

Configuring a GRE/IPv6 tunnel

Restrictions and guidelines

This task describes only the tunnel interface commands required for a GRE/IPv6 tunnel (the interface tunnel, source, and destination commands). For more tunnel interface commands, see "Configuring tunneling."

Procedure

1.     Enter system view.

system-view

2.     Create a GRE tunnel interface, and specify the tunnel mode as GRE/IPv6.

interface tunnel number mode gre ipv6

You must configure the same tunnel mode on both ends of a tunnel. Otherwise, packet delivery might fail.

3.     Configure an IP address for the tunnel interface based on the passenger protocol.

IPv4:

For information about how to assign an IPv4 address to an interface, see "Configuring IP addressing."

IPv6:

For information about how to assign an IPv6 address to an interface, see "Configuring basic IPv6 settings."

By default, no IP address is configured for a tunnel interface.

4.     Configure a source IPv6 address or source interface for the tunnel interface.

source { ipv6-address | interface-type interface-number }

By default, no source IPv6 address or interface is configured for a tunnel interface.

If you configure a source IPv6 address for a tunnel interface, the tunnel interface uses the source IPv6 address as the source IPv6 address of the encapsulated packets.

If you configure a source interface for a tunnel interface, the tunnel interface uses the IPv6 address of the source interface as the source IPv6 address of the encapsulated packets.

5.     Configure a destination IPv6 address for the tunnel interface.

destination ipv6-address

By default, no destination IPv6 address is configured for a tunnel interface.

The destination IPv6 address is the IPv6 address of the physical interface that the tunnel remote end uses to receive packets from the GRE tunnel.

The tunnel local end uses this address as the destination IPv6 address of the encapsulated packets.

The tunnel destination address and the IP address of the tunnel interface must be in different subnets.

6.     (Optional.) Configure GRE security mechanisms.

◦     Enable GRE checksum.

gre checksum

By default, GRE checksum is disabled.

◦     Configure a GRE key for the tunnel interface.

gre key key

By default, no GRE key is configured for a GRE tunnel interface.

The two ends of a GRE tunnel must have the same key or both have no key.
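The consistency rules that "Restrictions and guidelines: GRE configuration" and the two procedures above impose on a tunnel pair (same mode on both ends, mirrored source and destination, same key or none, tunnel destination outside the tunnel interface subnet, a route to the remote private network through the tunnel interface, no two local tunnels sharing mode, source and destination) are easy to get wrong by hand, and the Troubleshooting section at the end of this guide shows that a missing tunnel route is the typical result. The following Python is an added example, not H3C code: TunnelEnd and its fields are a hypothetical model of the interface tunnel, source, destination and gre key settings plus the static routes; the DEVICE_A and DEVICE_B values are taken from the IPv4 over IPv4 and IPv4 over IPv6 configuration examples later in this guide.

```python
"""Pre-deployment consistency checks for a pair of GRE tunnel ends.

Added example modelled on the restrictions and guidelines in this guide; it is
not H3C code. TunnelEnd is a hypothetical model of the tunnel interface settings.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TunnelEnd:
    name: str
    mode: str                    # "gre" (GRE/IPv4) or "gre ipv6" (GRE/IPv6)
    source: str                  # tunnel source address (transport protocol)
    destination: str             # tunnel destination address (transport protocol)
    ip_address: str              # tunnel interface address, e.g. "10.1.2.1/24"
    lan: str                     # private network behind this end, e.g. "10.1.1.0/24"
    key: Optional[int] = None    # gre key, None when not configured
    routes: List[Tuple[str, str]] = field(default_factory=list)  # (prefix, via interface/next hop)


def route_via_tunnel(routes: List[Tuple[str, str]], prefix: str) -> bool:
    """Longest-prefix match; True when the best route leaves via a tunnel interface."""
    net = ipaddress.ip_network(prefix)
    best = None
    for p, via in routes:
        rn = ipaddress.ip_network(p)
        if rn.version == net.version and net.subnet_of(rn):
            if best is None or rn.prefixlen > best[0].prefixlen:
                best = (rn, via)
    return best is not None and best[1].lower().startswith("tunnel")


def check_end(end: TunnelEnd) -> List[str]:
    """Checks that apply to one tunnel end on its own."""
    problems = []
    want = 6 if end.mode == "gre ipv6" else 4          # transport family must match the mode
    for label, addr in (("source", end.source), ("destination", end.destination)):
        if ipaddress.ip_address(addr).version != want:
            problems.append(f"{end.name}: {label} {addr} is not IPv{want} but mode is {end.mode!r}")
    iface = ipaddress.ip_interface(end.ip_address)
    dest = ipaddress.ip_address(end.destination)
    if dest.version == iface.version and dest in iface.network:
        problems.append(f"{end.name}: tunnel destination {end.destination} lies in "
                        f"the tunnel interface subnet {iface.network}")
    return problems


def check_pair(a: TunnelEnd, b: TunnelEnd) -> List[str]:
    """Checks that relate the two ends of one tunnel; an empty list means consistent."""
    problems = check_end(a) + check_end(b)
    if a.mode != b.mode:
        problems.append(f"tunnel mode differs: {a.name} {a.mode!r}, {b.name} {b.mode!r}")
    ip = ipaddress.ip_address
    if ip(a.source) != ip(b.destination) or ip(b.source) != ip(a.destination):
        problems.append("tunnel source/destination addresses are not mirrored between the ends")
    if a.key != b.key:
        problems.append("GRE key differs: both ends need the same key or neither may have one")
    for local, remote in ((a, b), (b, a)):
        if not route_via_tunnel(local.routes, remote.lan):
            problems.append(f"{local.name}: no route to {remote.lan} through the tunnel interface")
    return problems


def check_local_tunnels(ends: List[TunnelEnd]) -> List[str]:
    """Tunnel interfaces on one device must not share mode, source and destination."""
    seen, problems = {}, []
    for end in ends:
        k = (end.mode, end.source, end.destination)
        if k in seen:
            problems.append(f"{end.name} duplicates mode/source/destination of {seen[k]}")
        seen.setdefault(k, end.name)
    return problems


# Values from the IPv4 over IPv4 example in this guide (2.2.2.2 24 -> 2.2.2.0/24).
DEVICE_A = TunnelEnd("DeviceA", "gre", "1.1.1.1", "2.2.2.2", "10.1.2.1/24", "10.1.1.0/24",
                     routes=[("2.2.2.0/24", "next-hop 1.1.1.2"), ("10.1.3.0/24", "Tunnel0")])
DEVICE_B = TunnelEnd("DeviceB", "gre", "2.2.2.2", "1.1.1.1", "10.1.2.2/24", "10.1.3.0/24",
                     routes=[("1.1.1.0/24", "next-hop 2.2.2.3"), ("10.1.1.0/24", "Tunnel0")])
# Values from the IPv4 over IPv6 example in this guide.
DEVICE_A_V6 = TunnelEnd("DeviceA", "gre ipv6", "2002::1:1", "2001::2:1", "10.1.2.1/24", "10.1.1.0/24",
                        routes=[("2001::/64", "next-hop 2002::1:2"), ("10.1.3.0/24", "Tunnel0")])
DEVICE_B_V6 = TunnelEnd("DeviceB", "gre ipv6", "2001::2:1", "2002::1:1", "10.1.2.2/24", "10.1.3.0/24",
                        routes=[("2002::/64", "next-hop 2001::2:2"), ("10.1.1.0/24", "Tunnel0")])

if __name__ == "__main__":
    for pair in ((DEVICE_A, DEVICE_B), (DEVICE_A_V6, DEVICE_B_V6)):
        print(pair[0].mode, check_pair(*pair) or "consistent")
```

Both pairs from the guide come back clean; dropping the tunnel route on one end, giving only one end a gre key, or pointing a destination into the tunnel interface subnet each produce a named finding before the configuration reaches a device.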

Enabling the device to drop IPv6 packets that use IPv4-compatible IPv6 addresses

About this task

This feature enables the device to check the source and destination IPv6 addresses of the de-encapsulated IPv6 packets from a tunnel. If a packet uses an IPv4-compatible IPv6 address as the source or destination address, the device discards the packet.

Procedure

1.     Enter system view.

system-view

2.     Configure the device to discard IPv6 packets with IPv4-compatible IPv6 addresses.

tunnel discard ipv4-compatible-packet

By default, the device does not discard such IPv6 packets.

For more information about this command, see tunneling in VPN Command Reference.

Display and maintenance commands for GRE

Execute display commands in any view and reset commands in user view.

Task: Display information about tunnel interfaces.
Command: display interface [ tunnel [ number ] ] [ brief [ description | down ] ]
Remarks: For more information about this command, see tunneling in VPN Command Reference.

Task: Display IPv6 information about tunnel interfaces.
Command: display ipv6 interface [ tunnel [ number ] ] [ brief ]
Remarks: For more information about this command, see IPv6 basics in Layer 3—IP Services Command Reference.

Task: Clear tunnel interface statistics.
Command: reset counters interface [ tunnel [ number ] ]
Remarks: For more information about this command, see tunneling in VPN Command Reference.

Task: Clear IPv6 statistics on tunnel interfaces.
Command (standalone mode): reset ipv6 statistics [ slot slot-number [ cpu cpu-number ] ]
Command (IRF mode): reset ipv6 statistics [ chassis chassis-number slot slot-number [ cpu cpu-number ] ]
Remarks: For more information about this command, see IPv6 basics in Layer 3—IP Services Command Reference.

GRE configuration examples

Example: Configuring an IPv4 over IPv4 GRE tunnel

Network configuration

As shown in Figure 6, Group 1 and Group 2 are two private IPv4 networks. The two networks both use private network addresses and belong to the same VPN. Establish a GRE tunnel between Device A and Device B to interconnect the two private IPv4 networks Group 1 and Group 2.

Figure 6 Network diagram

Procedure

1.     Configure Device A:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

# Create tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv4.

[DeviceA] interface tunnel 0 mode gre

[DeviceA-Tunnel0] ip address 10.1.2.1 255.255.255.0

[DeviceA-Tunnel0] source 1.1.1.1

[DeviceA-Tunnel0] destination 2.2.2.2

[DeviceA-Tunnel0] quit

# Configure settings for routing. This example configures static routes. In the routes, the output interface is Tunnel 0 and the next hop is 1.1.1.2.

[DeviceA] ip route-static 2.2.2.2 24 1.1.1.2

[DeviceA] ip route-static 10.1.3.0 24 tunnel 0

# Add interfaces to security zones.

[DeviceA] security-zone name Untrust

[DeviceA-security-zone-Untrust] import interface Tunnel 0

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name Trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

# Configure a rule named grelocalout in the IPv4 security policy to allow Device A to send packets to Device B.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name grelocalout

[DeviceA-security-policy-ip-1-grelocalout] source-zone local

[DeviceA-security-policy-ip-1-grelocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-grelocalout] source-ip-host 1.1.1.1

[DeviceA-security-policy-ip-1-grelocalout] source-ip-host 10.1.2.1

[DeviceA-security-policy-ip-1-grelocalout] source-ip-host 10.1.1.1

[DeviceA-security-policy-ip-1-grelocalout] destination-ip-host 2.2.2.2

[DeviceA-security-policy-ip-1-grelocalout] destination-ip-host 10.1.2.2

[DeviceA-security-policy-ip-1-grelocalout] destination-ip-host 10.1.3.1

[DeviceA-security-policy-ip-1-grelocalout] action pass

[DeviceA-security-policy-ip-1-grelocalout] quit

# Configure a rule named grelocalin in the IPv4 security policy to allow Device A to receive the packets sent from Device B.

[DeviceA-security-policy-ip] rule name grelocalin

[DeviceA-security-policy-ip-2-grelocalin] source-zone untrust

[DeviceA-security-policy-ip-2-grelocalin] destination-zone local

[DeviceA-security-policy-ip-2-grelocalin] source-ip-host 2.2.2.2

[DeviceA-security-policy-ip-2-grelocalin] source-ip-host 10.1.2.2

[DeviceA-security-policy-ip-2-grelocalin] source-ip-host 10.1.3.1

[DeviceA-security-policy-ip-2-grelocalin] destination-ip-host 1.1.1.1

[DeviceA-security-policy-ip-2-grelocalin] destination-ip-host 10.1.2.1

[DeviceA-security-policy-ip-2-grelocalin] destination-ip-host 10.1.1.1

[DeviceA-security-policy-ip-2-grelocalin] action pass

[DeviceA-security-policy-ip-2-grelocalin] quit

[DeviceA-security-policy-ip] quit

2.     Configure Device B:

# Assign an IP address to interface GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 10.1.3.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

# Create tunnel interface Tunnel 0 and specify the tunnel mode as GRE/IPv4.

[DeviceB] interface tunnel 0 mode gre

[DeviceB-Tunnel0] ip address 10.1.2.2 255.255.255.0

[DeviceB-Tunnel0] source 2.2.2.2

[DeviceB-Tunnel0] destination 1.1.1.1

[DeviceB-Tunnel0] quit

# Configure settings for routing. This example configures static routes. In the routes, the output interface is Tunnel 0 and the next hop is 2.2.2.3.

[DeviceB] ip route-static 1.1.1.1 24 2.2.2.3

[DeviceB] ip route-static 10.1.1.0 24 tunnel 0

# Add interfaces to security zones.

[DeviceB] security-zone name Untrust

[DeviceB-security-zone-Untrust] import interface Tunnel 0

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name Trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

# Configure a rule named grelocalout in the IPv4 security policy to allow Device B to send packets to Device A.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule 1 name grelocalout

[DeviceB-security-policy-ip-1-grelocalout] source-zone local

[DeviceB-security-policy-ip-1-grelocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-grelocalout] source-ip-host 2.2.2.2

[DeviceB-security-policy-ip-1-grelocalout] source-ip-host 10.1.2.2

[DeviceB-security-policy-ip-1-grelocalout] source-ip-host 10.1.3.1

[DeviceB-security-policy-ip-1-grelocalout] destination-ip-host 1.1.1.1

[DeviceB-security-policy-ip-1-grelocalout] destination-ip-host 10.1.2.1

[DeviceB-security-policy-ip-1-grelocalout] destination-ip-host 10.1.1.1

[DeviceB-security-policy-ip-1-grelocalout] action pass

[DeviceB-security-policy-ip-1-grelocalout] quit

# Configure a rule named grelocalin in the IPv4 security policy to allow Device B to receive the packets sent from Device A.

[DeviceB-security-policy-ip] rule name grelocalin

[DeviceB-security-policy-ip-2-grelocalin] source-zone untrust

[DeviceB-security-policy-ip-2-grelocalin] destination-zone local

[DeviceB-security-policy-ip-2-grelocalin] source-ip-host 1.1.1.1

[DeviceB-security-policy-ip-2-grelocalin] source-ip-host 10.1.2.1

[DeviceB-security-policy-ip-2-grelocalin] source-ip-host 10.1.1.1

[DeviceB-security-policy-ip-2-grelocalin] destination-ip-host 2.2.2.2

[DeviceB-security-policy-ip-2-grelocalin] destination-ip-host 10.1.2.2

[DeviceB-security-policy-ip-2-grelocalin] destination-ip-host 10.1.3.1

[DeviceB-security-policy-ip-2-grelocalin] action pass

[DeviceB-security-policy-ip-2-grelocalin] quit

[DeviceB-security-policy-ip] quit

Verifying the configuration

# Display tunnel interface information on Device A.

[DeviceA] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1476

Internet address: 10.1.2.1/24 (primary)

Tunnel source 1.1.1.1, destination 2.2.2.2

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# Display tunnel interface information on Device B.

[DeviceB] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1476

Internet address: 10.1.2.2/24 (primary)

Tunnel source 2.2.2.2, destination 1.1.1.1

Tunnel keepalive disabled

Tunnel TTL 255

Tunnel protocol/transport GRE/IP

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Last 300 seconds output rate: 0 bytes/sec, 0 bits/sec, 0 packets/sec

Input: 0 packets, 0 bytes, 0 drops

Output: 0 packets, 0 bytes, 0 drops

# From Device B, ping the IP address of GigabitEthernet 1/0/1 on Device A.

[DeviceB] ping -a 10.1.3.1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=11.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=0.000 ms

 

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/2.400/11.000/4.317 ms

The output shows that Device B can successfully ping Device A.

Example: Configuring an IPv4 over IPv6 GRE tunnel

Network configuration

As shown in Figure 7, two IPv4 subnets Group 1 and Group 2 are connected to an IPv6 network. Create a GRE/IPv6 tunnel between Device A and Device B, so the two IPv4 subnets can communicate with each other through the GRE tunnel over the IPv6 network.

Figure 7 Network diagram

Procedure

1.     Configure Device A:

# Assign IP addresses to interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ipv6 address 2002::1:1/64

[DeviceA-GigabitEthernet1/0/2] quit

# Create tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6.

[DeviceA] interface tunnel 0 mode gre ipv6

[DeviceA-Tunnel0] ip address 10.1.2.1 255.255.255.0

[DeviceA-Tunnel0] source 2002::1:1

[DeviceA-Tunnel0] destination 2001::2:1

[DeviceA-Tunnel0] quit

# Configure settings for routing. This example configures static routes. In the routes, the output interface is Tunnel 0 and the next hop is 2002::1:2.

[DeviceA] ipv6 route-static 2001::2:1 64 2002::1:2

[DeviceA] ip route-static 10.1.3.0 24 tunnel 0

# Add interfaces to security zones.

[DeviceA] security-zone name Untrust

[DeviceA-security-zone-Untrust] import interface Tunnel 0

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name Trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

# Configure a rule named grelocalout in the IPv4 security policy to allow Device A to send packets to Device B.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name grelocalout

[DeviceA-security-policy-ip-1-grelocalout] source-zone local

[DeviceA-security-policy-ip-1-grelocalout] destination-zone untrust

[DeviceA-security-policy-ip-1-grelocalout] source-ip-host 10.1.2.1

[DeviceA-security-policy-ip-1-grelocalout] source-ip-host 10.1.1.1

[DeviceA-security-policy-ip-1-grelocalout] destination-ip-host 10.1.2.2

[DeviceA-security-policy-ip-1-grelocalout] destination-ip-host 10.1.3.1

[DeviceA-security-policy-ip-1-grelocalout] action pass

[DeviceA-security-policy-ip-1-grelocalout] quit

[DeviceA-security-policy-ip] quit

[DeviceA] security-policy ipv6

[DeviceA-security-policy-ipv6] rule name grelocalout

[DeviceA-security-policy-ipv6-1-grelocalout] source-zone local

[DeviceA-security-policy-ipv6-1-grelocalout] destination-zone untrust

[DeviceA-security-policy-ipv6-1-grelocalout] source-ip-host 2002::1:1

[DeviceA-security-policy-ipv6-1-grelocalout] destination-ip-host 2001::2:1

[DeviceA-security-policy-ipv6-1-grelocalout] action pass

[DeviceA-security-policy-ipv6-1-grelocalout] quit

[DeviceA-security-policy-ipv6] quit

# Configure a rule named grelocalin in the IPv4 security policy to allow Device A to receive the packets sent from Device B.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name grelocalin

[DeviceA-security-policy-ip-2-grelocalin] source-zone untrust

[DeviceA-security-policy-ip-2-grelocalin] destination-zone local

[DeviceA-security-policy-ip-2-grelocalin] source-ip-host 10.1.2.2

[DeviceA-security-policy-ip-2-grelocalin] source-ip-host 10.1.3.1

[DeviceA-security-policy-ip-2-grelocalin] destination-ip-host 10.1.2.1

[DeviceA-security-policy-ip-2-grelocalin] destination-ip-host 10.1.1.1

[DeviceA-security-policy-ip-2-grelocalin] action pass

[DeviceA-security-policy-ip-2-grelocalin] quit

[DeviceA-security-policy-ip] quit

[DeviceA] security-policy ipv6

[DeviceA-security-policy-ipv6] rule name grelocalin

[DeviceA-security-policy-ipv6-2-grelocalin] source-zone untrust

[DeviceA-security-policy-ipv6-2-grelocalin] destination-zone local

[DeviceA-security-policy-ipv6-2-grelocalin] source-ip-host 2001::2:1

[DeviceA-security-policy-ipv6-2-grelocalin] destination-ip-host 2002::1:1

[DeviceA-security-policy-ipv6-2-grelocalin] action pass

[DeviceA-security-policy-ipv6-2-grelocalin] quit

[DeviceA-security-policy-ipv6] quit

2.     Configure Device B:

# Assign IP addresses to interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 10.1.3.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ipv6 address 2001::2:1/64

[DeviceB-GigabitEthernet1/0/2] quit

# Create tunnel interface Tunnel 0, and specify the tunnel mode as GRE/IPv6.

[DeviceB] interface tunnel 0 mode gre ipv6

[DeviceB-Tunnel0] ip address 10.1.2.2 255.255.255.0

[DeviceB-Tunnel0] source 2001::2:1

[DeviceB-Tunnel0] destination 2002::1:1

[DeviceB-Tunnel0] quit

# Configure settings for routing. This example configures static routes. In the routes, the output interface is Tunnel 0 and the next hop is 2001::2:2.

[DeviceB] ipv6 route-static 2002::1:1 64 2001::2:2

[DeviceB] ip route-static 10.1.1.0 24 tunnel 0

# Add interfaces to security zones.

[DeviceB] security-zone name Untrust

[DeviceB-security-zone-Untrust] import interface Tunnel 0

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name Trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

# Configure a rule named grelocalout in the IPv4 security policy to allow Device B to send packets to Device A.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name grelocalout

[DeviceB-security-policy-ip-1-grelocalout] source-zone local

[DeviceB-security-policy-ip-1-grelocalout] destination-zone untrust

[DeviceB-security-policy-ip-1-grelocalout] source-ip-host 10.1.2.2

[DeviceB-security-policy-ip-1-grelocalout] source-ip-host 10.1.3.1

[DeviceB-security-policy-ip-1-grelocalout] destination-ip-host 10.1.2.1

[DeviceB-security-policy-ip-1-grelocalout] destination-ip-host 10.1.1.1

[DeviceB-security-policy-ip-1-grelocalout] action pass

[DeviceB-security-policy-ip-1-grelocalout] quit

[DeviceB-security-policy-ip] quit

[DeviceB] security-policy ipv6

[DeviceB-security-policy-ipv6] rule name grelocalout

[DeviceB-security-policy-ipv6-1-grelocalout] source-zone local

[DeviceB-security-policy-ipv6-1-grelocalout] destination-zone untrust

[DeviceB-security-policy-ipv6-1-grelocalout] source-ip-host 2001::2:1

[DeviceB-security-policy-ipv6-1-grelocalout] destination-ip-host 2002::1:1

[DeviceB-security-policy-ipv6-1-grelocalout] action pass

[DeviceB-security-policy-ipv6-1-grelocalout] quit

[DeviceB-security-policy-ipv6] quit

# Configure a rule named grelocalin in the IPv4 security policy to allow Device B to receive the packets sent from Device A.

[DeviceB] security-policy ip

[DeviceB-security-policy-ip] rule name grelocalin

[DeviceB-security-policy-ip-2-grelocalin] source-zone untrust

[DeviceB-security-policy-ip-2-grelocalin] destination-zone local

[DeviceB-security-policy-ip-2-grelocalin] source-ip-host 10.1.2.1

[DeviceB-security-policy-ip-2-grelocalin] source-ip-host 10.1.1.1

[DeviceB-security-policy-ip-2-grelocalin] destination-ip-host 10.1.2.2

[DeviceB-security-policy-ip-2-grelocalin] destination-ip-host 10.1.3.1

[DeviceB-security-policy-ip-2-grelocalin] action pass

[DeviceB-security-policy-ip-2-grelocalin] quit

[DeviceB-security-policy-ip] quit

[DeviceB] security-policy ipv6

[DeviceB-security-policy-ipv6] rule name grelocalin

[DeviceB-security-policy-ipv6-2-grelocalin] source-zone untrust

[DeviceB-security-policy-ipv6-2-grelocalin] destination-zone local

[DeviceB-security-policy-ipv6-2-grelocalin] source-ip-host 2002::1:1

[DeviceB-security-policy-ipv6-2-grelocalin] destination-ip-host 2001::2:1

[DeviceB-security-policy-ipv6-2-grelocalin] action pass

[DeviceB-security-policy-ipv6-2-grelocalin] quit

[DeviceB-security-policy-ipv6] quit

Verifying the configuration

# Display tunnel interface information on Device A.

[DeviceA] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1456

Internet address: 10.1.2.1/24 (primary)

Tunnel source 2002::1:1, destination 2001::2:1

Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec

Last 300 seconds output rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec

Input: 10 packets, 840 bytes, 0 drops

Output: 10 packets, 840 bytes, 0 drops

# Display tunnel interface information on Device B.

[DeviceB] display interface tunnel 0

Tunnel0

Current state: UP

Line protocol state: UP

Description: Tunnel0 Interface

Bandwidth: 64kbps

Maximum transmission unit: 1456

Internet address: 10.1.2.2/24 (primary)

Tunnel source 2001::2:1, destination 2002::1:1

Tunnel TTL 255

Tunnel protocol/transport GRE/IPv6

    GRE key disabled

    Checksumming of GRE packets disabled

Last clearing of counters: Never

Last 300 seconds input rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec

Last 300 seconds output rate: 1 bytes/sec, 8 bits/sec, 0 packets/sec

Input: 10 packets, 840 bytes, 0 drops

Output: 10 packets, 840 bytes, 0 drops

# From Device B, ping the IP address of GigabitEthernet 1/0/1 on Device A.

[DeviceB] ping -a 10.1.3.1 10.1.1.1

Ping 10.1.1.1 (10.1.1.1) from 10.1.3.1: 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.1: icmp_seq=0 ttl=255 time=2.000 ms

56 bytes from 10.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.1: icmp_seq=3 ttl=255 time=0.000 ms

56 bytes from 10.1.1.1: icmp_seq=4 ttl=255 time=1.000 ms

 

--- Ping statistics for 10.1.1.1 ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/1.000/2.000/0.632 ms

The output shows that Device B can successfully ping Device A.
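The verification step in both configuration examples is to read display interface tunnel 0 by eye. As an added example (not H3C code), the following Python parses that output in the format shown above and turns it into checks an operator can run across many tunnels: tunnel and line protocol state, whether the GRE key and checksum are enabled, input drops, and whether the MTU matches the delivery plus GRE header overhead. The two sample texts are copied from the Device A outputs above (1476 for GRE/IP, 1456 for GRE/IPv6, that is a 1500-byte physical MTU minus a 20- or 40-byte delivery header and a 4-byte GRE header). The 1500-byte physical MTU and the rule that an enabled key or checksum costs 4 more header bytes each are assumptions of the example; the guide does not state how the device adjusts the displayed MTU when those options are enabled.

```python
"""Parse 'display interface tunnel' output and check a GRE tunnel end.

Added example, not H3C code. Sample texts are copied from this guide's examples;
the expected-MTU rule is an assumption of the example (see lead-in).
"""
import re
from typing import Dict, List

# Constructed sample: Device A from the IPv4 over IPv4 example (GRE/IP, MTU 1476).
SAMPLE_GRE_IP = """\
Tunnel0
Current state: UP
Line protocol state: UP
Description: Tunnel0 Interface
Bandwidth: 64kbps
Maximum transmission unit: 1476
Internet address: 10.1.2.1/24 (primary)
Tunnel source 1.1.1.1, destination 2.2.2.2
Tunnel keepalive disabled
Tunnel TTL 255
Tunnel protocol/transport GRE/IP
    GRE key disabled
    Checksumming of GRE packets disabled
Last clearing of counters: Never
Input: 0 packets, 0 bytes, 0 drops
Output: 0 packets, 0 bytes, 0 drops
"""

# Constructed sample: Device A from the IPv4 over IPv6 example (GRE/IPv6, MTU 1456).
SAMPLE_GRE_IPV6 = """\
Tunnel0
Current state: UP
Line protocol state: UP
Maximum transmission unit: 1456
Internet address: 10.1.2.1/24 (primary)
Tunnel source 2002::1:1, destination 2001::2:1
Tunnel TTL 255
Tunnel protocol/transport GRE/IPv6
    GRE key disabled
    Checksumming of GRE packets disabled
Input: 10 packets, 840 bytes, 0 drops
Output: 10 packets, 840 bytes, 0 drops
"""

PATTERNS = {
    "state": r"^Current state: (\S+)",
    "line_protocol": r"^Line protocol state: (\S+)",
    "mtu": r"^Maximum transmission unit: (\d+)",
    "endpoints": r"^Tunnel source (\S+), destination (\S+)",
    "transport": r"^Tunnel protocol/transport (\S+)",
    "key": r"^\s*GRE key (\S+)",
    "checksum": r"^\s*Checksumming of GRE packets (\S+)",
    "keepalive": r"^Tunnel keepalive (\S+)",
    "input": r"^Input: (\d+) packets, (\d+) bytes, (\d+) drops",
}

TRANSPORT_HEADER = {"GRE/IP": 20, "GRE/IPv6": 40}   # delivery header bytes


def parse_tunnel_display(text: str) -> Dict[str, object]:
    """Extract the fields named in PATTERNS; option fields become booleans."""
    info: Dict[str, object] = {"name": text.strip().splitlines()[0].strip()}
    for line in text.splitlines():
        for name, pat in PATTERNS.items():
            m = re.match(pat, line)
            if m:
                info[name] = m.group(1) if len(m.groups()) == 1 else m.groups()
    if "mtu" in info:
        info["mtu"] = int(info["mtu"])
    for name in ("key", "checksum", "keepalive"):
        if name in info:                      # anything other than "disabled" counts as enabled
            info[name] = info[name] != "disabled"
    if "input" in info:
        info["input_drops"] = int(info["input"][2])
    return info


def expected_mtu(transport: str, key: bool, checksum: bool, physical_mtu: int = 1500) -> int:
    """Room left for the passenger packet: physical MTU minus delivery header,
    4-byte GRE base header, and 4 bytes each for an enabled key and checksum."""
    return physical_mtu - TRANSPORT_HEADER[transport] - 4 - 4 * key - 4 * checksum


def check_tunnel(info: Dict[str, object], physical_mtu: int = 1500) -> List[str]:
    """Findings a defender wants to see for one tunnel end; empty means nothing to report."""
    findings = []
    n = info["name"]
    if info.get("state") != "UP" or info.get("line_protocol") != "UP":
        findings.append(f"{n}: tunnel is not up")
    if not info.get("key"):
        findings.append(f"{n}: GRE key disabled, peer packets are accepted without a key match")
    if not info.get("checksum"):
        findings.append(f"{n}: GRE checksum disabled, corrupted payloads are not detected")
    want = expected_mtu(info["transport"], bool(info.get("key")), bool(info.get("checksum")), physical_mtu)
    if info["mtu"] != want:
        findings.append(f"{n}: MTU {info['mtu']} differs from expected {want}")
    if info.get("input_drops", 0):
        findings.append(f"{n}: {info['input_drops']} input drops")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_GRE_IP, SAMPLE_GRE_IPV6):
        print(check_tunnel(parse_tunnel_display(sample)))
```

On the guide's own outputs the only findings are the two disabled options, which is the expected result for this example but worth flagging on a production tunnel; an MTU mismatch usually means the physical path MTU differs from the assumed 1500, which matters because the DF bit setting in the GRE/IPv4 procedure decides whether oversized encapsulated packets are fragmented or dropped.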

Troubleshooting GRE

The key to configuring GRE is to keep the configuration consistent. Most faults can be located by using the debugging gre or debugging tunnel command. This section analyzes one type of fault for illustration, with the scenario shown in Figure 8.

Figure 8 Network diagram

Hosts at both ends of a GRE tunnel cannot ping each other

Symptom

The interfaces at both ends of the tunnel are configured correctly and can ping each other, but Host A and Host B cannot ping each other.

Solution

To resolve the issue:

1.     Execute the display ip routing-table command on Device A and Device C to check whether Device A has a route over tunnel 0 to 10.2.0.0/16 and whether Device C has a route over tunnel 0 to 10.1.0.0/16.

2.     If such a route does not exist, execute the ip route-static command in system view to add the route. Take Device A as an example:

[DeviceA] ip route-static 10.2.0.0 255.255.0.0 tunnel 0

3.     If the issue persists, contact H3C Support.

 
