H3C SecPath M9000 Comware 7 Web configuration guide (R9153P38 R9724P38 R9001P38 E9153P38)-6W401, 06-Network

GRE

This help contains the following topics:

·     Introduction

      ◦     GRE encapsulation format

      ◦     GRE tunnel operating principle

      ◦     GRE keepalive mechanism

      ◦     GRE security mechanisms

·     Restrictions and guidelines

Introduction

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a protocol (such as IPv4) into a virtual point-to-point tunnel over a network (such as an IPv6 network). Packets are encapsulated at one tunnel end and de-encapsulated at the other tunnel end. The network layer protocol of the packets before encapsulation and after encapsulation can be the same or different.

GRE encapsulation format

A GRE-tunneled packet includes the following parts:

·     Payload packet—Original packet. The protocol type of the payload packet is called the passenger protocol. The passenger protocol can be any network layer protocol.

·     GRE header—Header that is added to the payload packet to change the payload packet to a GRE packet. A GRE header includes the number of encapsulations, version, passenger protocol type, checksum, and key. GRE is called the encapsulation protocol.

·     Delivery header—Header that is added to the GRE packet to deliver it to the tunnel end. The transport protocol (or delivery protocol) is the network layer protocol that transfers GRE packets.

The device supports GRE tunnels with IPv4 and IPv6 as the transport protocols. When the transport protocol is IPv4, the GRE tunnel mode is GRE over IPv4 (GRE/IPv4). When the transport protocol is IPv6, the GRE tunnel mode is GRE over IPv6 (GRE/IPv6).

GRE tunnel operating principle

An IPv4 or IPv6 protocol packet traverses a transport network through a GRE tunnel as follows:

1.     After the source device receives an IPv4 or IPv6 protocol packet from a customer-side interface, it processes the packet as follows:

a.     Looks up the routing table to identify the outgoing interface for the packet.

b.     Submits the packet to the outgoing interface—a GRE tunnel interface.

2.     Upon receiving the packet, the tunnel interface encapsulates the packet with GRE and then with the delivery header. In the delivery header, the source address is the tunnel's source address and the destination address is the tunnel's destination address.

3.     The source device looks up the routing table according to the destination address in the delivery header. Then, the device forwards the encapsulated packet out of the physical interface of the GRE tunnel.

4.     When the packet arrives at the GRE tunnel destination, the destination device checks the destination address. Because the destination is the device itself and the protocol number in the IP header is 47 (the protocol number for GRE), the device submits the packet to GRE for de-encapsulation.

5.     GRE first removes the delivery header, and then checks the GRE key, checksum, and packet sequence number. After GRE finishes the checking, it removes the GRE header, and submits the payload to the passenger protocol for forwarding.

GRE keepalive mechanism

This mechanism enables a tunnel interface to send keepalive packets at the specified interval. If the device does not receive any response from the peer within the timeout time, it shuts down the local tunnel interface. The device brings the local tunnel interface up if it receives a keepalive acknowledgment packet from the peer. The timeout time is the result of multiplying the keepalive interval by the keepalive number.

The device always acknowledges the keepalive packets it receives whether or not GRE keepalive is enabled.

GRE security mechanisms

GRE supports the GRE key and GRE checksum security mechanisms.

GRE key

GRE keys ensure packet validity. The sender adds a GRE key into a packet. The receiver compares the GRE key with its own GRE key. If the two keys are the same, the receiver accepts the packet. If the two keys are different, the receiver drops the packet.

GRE checksum

GRE checksums ensure packet integrity. The sender calculates a checksum over the GRE header and payload and sends the packet containing the checksum to the tunnel peer. The receiver calculates a checksum for the received packet and compares it with the checksum carried in the packet. If the checksums are the same, the receiver considers the packet intact and continues to process it. If the checksums are different, the receiver discards the packet.
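The key and checksum checks described above, shown from both tunnel ends as an added Python example (not H3C code). It assumes the RFC 2784/RFC 2890 header layout, in which the key is a 32-bit field carried in cleartext and the checksum is the unkeyed Internet checksum. Sequence numbers are skipped over, not checked, and the function names are illustrative.

```python
import struct

C_FLAG, K_FLAG, S_FLAG = 0x8000, 0x2000, 0x1000  # checksum, key, sequence present

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_gre(payload: bytes, proto: int = 0x0800, key=None, checksum=False) -> bytes:
    """Sender side: GRE header (optional checksum and key) followed by the payload."""
    flags = (C_FLAG if checksum else 0) | (K_FLAG if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += b"\x00" * 4                      # checksum (zero for now) + reserved
    if key is not None:
        hdr += struct.pack("!I", key)
    pkt = bytearray(hdr + payload)
    if checksum:
        struct.pack_into("!H", pkt, 4, inet_checksum(bytes(pkt)))
    return bytes(pkt)

def receive_gre(pkt: bytes, local_key=None):
    """Receiver side: return (verdict, payload) after the key and checksum checks."""
    if len(pkt) < 4:
        return "drop: truncated", None
    flags, _proto = struct.unpack_from("!HH", pkt)
    hdr_len = 4 + 4 * sum(bool(flags & f) for f in (C_FLAG, K_FLAG, S_FLAG))
    if flags & 0x0007 or len(pkt) < hdr_len:    # non-zero version or short header
        return "drop: malformed", None
    key_off = 8 if flags & C_FLAG else 4
    key = struct.unpack_from("!I", pkt, key_off)[0] if flags & K_FLAG else None
    if key != local_key:                        # same key, or no key at both ends
        return "drop: key mismatch", None
    if flags & C_FLAG and inet_checksum(pkt) != 0:
        return "drop: bad checksum", None       # checked whenever the packet carries one
    return "accept", pkt[hdr_len:]

if __name__ == "__main__":
    inner = b"constructed-inner-packet"         # constructed stand-in for a passenger packet
    pkt = build_gre(inner, key=0x1234, checksum=True)
    print(receive_gre(pkt, local_key=0x1234))
    print(receive_gre(pkt, local_key=0x9999))
    print(receive_gre(pkt[:-1] + b"\x00", local_key=0x1234))
```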

Restrictions and guidelines

When you configure a GRE tunnel, follow the restrictions and guidelines in this section.

Restrictions and guidelines: Address configuration

When the passenger protocol is IPv4, configure an IPv4 address for the tunnel interface at each tunnel end. When the passenger protocol is IPv6, configure an IPv6 address for the tunnel interface at each tunnel end.

You must configure the tunnel source address and destination address at both ends of a tunnel. The tunnel source address at one end must be the tunnel destination address at the other end, and the tunnel destination address at one end must be the tunnel source address at the other end.

The IP address of a tunnel interface and the tunnel destination address configured on the tunnel interface must be in different subnets.

Restrictions and guidelines: Routing configuration

To ensure correct packet forwarding, identify whether the destination network of packets and the IP address of the local tunnel interface are on the same subnet. If they are not, configure a route reaching the destination network through the tunnel interface. You can configure the route by using one of the following methods:

·     Configure a static route, using the local tunnel interface as the outgoing interface of the route.

·     Enable a dynamic routing protocol on both the tunnel interface and the interface connecting the private network. This allows the dynamic routing protocol to establish a routing entry with the tunnel interface as the outgoing interface.

Restrictions and guidelines: Keepalive configuration

You do not need to enable keepalive on both ends of a GRE tunnel. Enable keepalive on one end of a GRE tunnel as needed.

Restrictions and guidelines: GRE security mechanism configuration

The two ends of a GRE tunnel must have the same key or both have no key.

You can enable or disable GRE checksum at each end of a tunnel. If GRE checksum is enabled at a tunnel end, the tunnel end sends packets carrying the checksum to the peer end. A tunnel end checks the GRE checksum of a received packet if the packet carries a GRE checksum, whether or not GRE checksum is enabled on that tunnel end.
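A pre-deployment check of the address and key restrictions above, as an added Python example (not part of the H3C guide). The dictionary field names and the sample addresses are constructed for illustration and do not correspond to device configuration syntax.

```python
import ipaddress

def check_tunnel_pair(a: dict, b: dict) -> list:
    """Return the restrictions from this section that the two tunnel ends violate."""
    problems = []
    addr = ipaddress.ip_address
    # The source at one end must be the destination at the other, and vice versa.
    if addr(a["source"]) != addr(b["destination"]) or addr(a["destination"]) != addr(b["source"]):
        problems.append("tunnel source/destination are not mirrored between the two ends")
    # Both ends must have the same key, or both must have no key.
    if a.get("gre_key") != b.get("gre_key"):
        problems.append("GRE key differs between the two ends")
    for name, end in (("A", a), ("B", b)):
        iface = ipaddress.ip_interface(end["tunnel_ip"])
        # The tunnel interface address family follows the passenger protocol (4 or 6).
        if iface.version != end["passenger"]:
            problems.append(f"end {name}: tunnel interface address does not match the passenger protocol")
        # The tunnel interface IP and the tunnel destination must be in different subnets.
        if addr(end["destination"]) in iface.network:
            problems.append(f"end {name}: tunnel interface IP and tunnel destination share a subnet")
    return problems

# Constructed sample ends (documentation address ranges), GRE/IPv4 with an IPv4 passenger.
END_A = {"tunnel_ip": "10.1.1.1/24", "source": "192.0.2.1",
         "destination": "198.51.100.1", "passenger": 4, "gre_key": 1234}
END_B = {"tunnel_ip": "10.1.1.2/24", "source": "198.51.100.1",
         "destination": "192.0.2.1", "passenger": 4, "gre_key": 1234}

if __name__ == "__main__":
    print(check_tunnel_pair(END_A, END_B))
    print(check_tunnel_pair(END_A, dict(END_B, gre_key=None, tunnel_ip="192.0.2.10/24")))
```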
