GRE Tunnel Question

Dear Community,

 

I came across the following blog (https://packetpushers.net/anatomy-of-gre-tunnels/) regarding GRE tunnels but had a question about it. The topology and config are attached. My question is this:

 

- How is it possible, according to this topology, for the tunnel source and destination to be private loopback IPs? How are the packets going to route over the Internet where the source and destination addresses are private IPs? This makes no sense to me. Is this a typo in the config?

 

To me, it makes more sense to use the following configs:

R1:
interface Tunnel100
tunnel mode gre
ip address 102.1.1.1 255.255.255.0
ipv6 enable
tunnel source F2/0
tunnel destination 23.1.1.x

R2:
interface Tunnel100
tunnel mode gre
ip address 102.1.1.2 255.255.255.0
ipv6 enable
tunnel source F3/0
tunnel destination 12.1.1.x


Please let me know if I am missing something. Much appreciated!

 

Thank you. 

 

 

1 Accepted Solution

Harold Ritter
Cisco Employee

Hi @ChristopherCraddock66504 ,

 

You are correct. For a GRE tunnel going over the Internet, the tunnel source and destination need to be a public IP address.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Mathias Garcia
Level 1

The 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4 aren't private addresses at all. 

Case in point 1.1.1.1 is used by Cloudflare for their public DNS servers.

 

I remember seeing those addresses being used in Cisco documentation/configuration examples going back 15 years at least and being confused by them initially.

In most of those cases it didn't really matter, since they weren't used for actual routing but for router IDs in OSPF and such.

R1 having 1.1.1.1 as router ID and R2 having 2.2.2.2 etc. making it simple to keep track of the routers.

 

Using them for examples where it will have an effect on actual routing might be unnecessarily confusing.

But technically not any worse than using any other public IP that you don't own in a configuration example.

 

But as already answered by Harold Ritter, if the GRE tunnel is going over the Internet, the tunnel source and destination need to be a public IP.

To expand on that, the actual IP on the tunnel interfaces can be private addresses.

 

Here is an example from https://www.ciscopress.com/articles/article.asp?p=2832406&seqNum=7 

R1(config)# interface Tunnel0
R1(config-if)# ip address 192.168.2.1 255.255.255.0
R1(config-if)# tunnel source 209.165.201.1
R1(config-if)# tunnel destination 209.165.201.2
R1(config-if)# tunnel mode gre ip
R1(config-if)# exit
R1(config)# router ospf 1
R1(config-router)# network 192.168.2.0 0.0.0.255 area 0

R2(config)# interface Tunnel0
R2(config-if)# ip address 192.168.2.2 255.255.255.0
R2(config-if)# tunnel source 209.165.201.2
R2(config-if)# tunnel destination 209.165.201.1
R2(config-if)# tunnel mode gre ip
R2(config-if)# exit
R2(config)# router ospf 1
R2(config-router)# network 192.168.2.0 0.0.0.255 area 0
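
Added example (not part of the thread or of the Cisco Press article): the encapsulation that the configuration above produces, built and parsed in Python to show that only the outer header, taken from `tunnel source` / `tunnel destination`, has to be routable on the Internet, while the tunnel interface addresses travel inside as payload. The helper names are hypothetical, the packet is constructed, and the IPv4 checksum is left at zero.

```python
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload


def ipv4_header(src, dst, proto, payload_len):
    """20-byte IPv4 header without options (checksum left at 0 in this example)."""
    return struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed)


def gre_encapsulate(tunnel_src, tunnel_dst, inner_packet):
    """Outer IP header (tunnel source/destination) + basic 4-byte GRE header + inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no checksum, key or sequence flags
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner_packet)) + gre + inner_packet


def _pair(header):
    return tuple(str(ipaddress.IPv4Address(header[i:i + 4])) for i in (12, 16))


def addresses(packet):
    """Return ((outer_src, outer_dst), (inner_src, inner_dst)) of a GRE-in-IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if packet[9] != GRE_PROTO or (flags, proto) != (0, ETHERTYPE_IPV4):
        raise ValueError("expected basic GRE carrying IPv4")
    return _pair(packet), _pair(packet[ihl + 4:])


def routable_on_internet(addr):
    """True for globally routable addresses, False for RFC 1918 and other special ranges."""
    return ipaddress.ip_address(addr).is_global


# Constructed sample: an ICMP packet (protocol 1) between the tunnel interface addresses
inner = ipv4_header("192.168.2.1", "192.168.2.2", 1, 0)
wire = gre_encapsulate("209.165.201.1", "209.165.201.2", inner)
outer_pair, inner_pair = addresses(wire)
for label, pair in (("outer", outer_pair), ("inner", inner_pair)):
    print(label, pair, [routable_on_internet(a) for a in pair])
```
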

 

Mathias,

 

Thank you for the correction. You're right, 1.1.1.1 and 2.2.2.2 are not private IP addresses; I am not sure what I was thinking there. Like you said, the example in this blog is confusing because they are choosing to use 1.1.1.1 and 2.2.2.2 as tunnel source and destinations while the topology diagram uses completely different IPs for the actual public-facing interfaces. Thanks so much for the feedback!
