1278 Views, 5 Helpful, 3 Replies

GRE tunnels

ksnarayan43
Level 1

Hi: I am looking for info on the number of GRE tunnels supported on Cisco routers.

Would appreciate any pointers.

Accepted Solution

Bobby Thekkekandam
Cisco Employee

Hi,

The maximum number of GRE tunnels in a router is totally dependent on the IDB limit.

You can see the IDB limit for your router by typing 'show idb'...

W228.04.12-2801#sh idb

Maximum number of Software IDBs 1200. In use 16.

As you can see, this Cisco 2801 has a total of 1200 IDBs and 16 are currently in use. You can do 'show idb' on your router and verify how many free idbs you have. Of course, you would probably want an encryption module in the router so that the encryption is done in hardware (otherwise, cpu would likely be the limitation...not the number of tunnels).

HTH,

Bobby

*Please rate helpful posts.


3 Replies


VLANS

1. Connect all cables and place all devices. Give all devices their hostnames. enable > conf t > hostname

2. Assign all VLANS on the switches: int range (ex. f0/1) > switchport access vlan (ex. 10)

3. Put switch ports to MLS in trunk mode: int (cable connected to MLS, ex. g0/1) > switchport mode trunk

4. MLS ports to switch also in trunk mode: int (cable connected to MLS, ex. g0/1) > switchport trunk encap dot1q > switchport mode trunk

5. TURN MLS on: enable > conf t > ip routing

6. Configure MLS vlans: int vlan XX (ex. 10) > ip address 172.XX.0.1 255.255.0.0

7. On MLS turn the VLAN's on: vlan XX > int vlan XX, (also check if they are online on the switches)

8. Add the ip addresses manually on the computers

9. Test the PC's by pinging them

10. Put WPA2 key on Access Points (Wi-Fi security)


ROUTER

1. Router to the public internet: int (ex. g0/0: the port from router to the public internet) > ip address dhcp

2. Give the port between router and MLS an IP-address: xx.xx.xx.1 (ex. 12.0.0.1) for router and on MLS: interface port > no switchport > ip address xx.xx.xx.2 (ex. 12.0.0.2)

3. Add ip route of vlans on router: (ip route 172.10.0.0 255.255.0.0 12.0.0.2) 12.0.0.2 is the next hop; it's the ip address of the port from the MLS to the router

4. Outside is the public domain, inside is the private network

5. Configure NAT on the router: in the interface of the port to the outside: ip nat outside, in the interface of the port to the inside: ip nat inside

6. Temporary access-list for NAT: access-list 1 permit any, then activate NAT: router > enable > conf t > ip nat inside source list 1 (the number 1 is the access-list 1) interface g0/0 (g0/0 is the port to the public) overload

7. Fill in DNS addresses on the PC's (if there is a DNS)

8. Route on the MLS: ip route 0.0.0.0 0.0.0.0 12.0.0.1 (12.0.0.1 is the ip of the port from the router to the MLS)


DHCP


on MLS:

1. Create ip dhcp pools on MLS: MLS > enable > conf t > ip dhcp pool VLAN10 > network address: 172.10.0.1 255.255.0.0 > dns xx.xx.xx.xx > default gateway 172.10.0.1

2. Exclude addresses: MLS > enable > conf t > ip dhcp excluded-address 172.20.0.1 172.20.0.100


on Router:

1. Create ip dhcp pools on router: router > enable > conf t > ip dhcp pool VLAN10 > network address: 172.10.0.1 255.255.0.0 > dns xx.xx.xx.xx > default gateway 172.10.0.1

2. Exclude addresses: router > enable > conf t > ip dhcp excluded-address 172.20.0.1 172.20.0.100

3. Helper address (only if DHCP is on router): on MLS > int vlan 10 > ip helper-address 172.10.0.1 (do this in all vlan interfaces)


on a DHCP server:

1. DHCP server gets its own VLAN (ex. 172.40.0.0)

2. Activate the VLAN on all the switches: (int vlan 40 and vlan 40)

3. A cable from the MLS to the DHCP server (enable vlan 40 on the cable, so: on MLS > interface (ex. f0/4) > switchport access vlan 40)

4. On the DHCP server: 172.10.0.1 = default gateway, 180.115.0.6 = DNS, 172.10.0.101 = start ip address, 255.255.0.0 = subnet, 50 = max users, this is for VLAN 10 (also do this for all other VLAN's)

5. On the MLS > int vlan 10 > ip helper-address 172.40.0.101 (172.40.0.100 is ip address of the DHCP server)

6. Allow VLAN 40 on the accesslists


ACCESS LIST


block VLAN from internet:

1. How to block a vlan from the internet (if you don't want to block a vlan from the internet, leave the temporary access-list as is)

2. Change access-list 1 on the router: router > enable > conf t > no access-list 1 > access-list 100 permit ip 172.10.0.0 0.0.255.255 any > access-list 100 permit ip 172.20.0.0 0.0.255.255 any > access-list 100 deny ip any any

3. Change overload list: router > enable > conf t > no ip nat inside source list 1 interface g0/0 overload > ip nat inside source list 100 interface g0/0 overload

VLAN 30 has now no access to the internet and VLAN 20 and 10 do have access to the internet

4. Test website: in pc command prompt: ping www.nu.nl


block VLAN's from each other:

1. Block traffic from VLAN 30 to other VLAN's: on MLS > enable > conf t > access-list 150 deny ip 172.30.0.0 0.0.255.255 172.20.0.0 0.0.255.255 > access-list 150 deny ip 172.30.0.0 0.0.255.255 172.10.0.0 0.0.255.255 > access-list 150 permit ip 172.30.0.0 0.0.255.255 any

2. Put access-list in VLAN interface: on MLS > enable > conf t > int vlan 30 > ip access-group 150 in

Now you can't ping from VLAN 30 to other VLAN's, it is still possible to ping from other VLAN's to VLAN 30.

3. Now block traffic from other VLAN's to VLAN 30 as well: on MLS > enable > conf t > access-list 151 deny ip 172.20.0.0 0.0.255.255 172.30.0.0 0.0.255.255 > access-list 151 permit ip 172.20.0.0 0.0.255.255 any (this is for vlan 20) on MLS > enable > conf t > access-list 152 deny ip 172.10.0.0 0.0.255.255 172.30.0.0 0.0.255.255 > access-list 152 permit ip 172.10.0.0 0.0.255.255 any (this is for vlan 10)

4. Put access-lists in VLAN interface's: on MLS > enable > conf t > int vlan 20 > ip access-group 151 in (for vlan 20) on MLS > enable > conf t > int vlan 10 > ip access-group 152 in (for vlan 10)

5. Test with pings from computer in one VLAN to another VLAN (you should get "destination host unreachable" if you try to ping from VLAN 10 to VLAN 30(because of access-lists), pinging from VLAN 10 to VLAN 20 should work successfully)


VPN


1. Routers should be able to ping with each other before you can configure VPN. (test with ping xx.xx.xx.xx in CLE)

2. On router 1: enable > conf t > ip route 0.0.0.0 0.0.0.0 g0/0 (g0/0 is the port to the public)

3. Test if everything still works (site, ping between router and computers)

4. Update the license of the router: on router > enable > conf t > license boot module c2900 technology-package securityk9 > exit > reload

5. Configure VPN on R1: enable > conf t > crypto isakmp policy 1 > authentication pre-share > exit > crypto isakmp key CISCO address 88.86.86.91 (88.68.68.91 is the ip to the public from ROUTER 2!!)

6. Set transform set: on R1 > enable > conf t > crypto ipsec transform-set MIJNSET esp-aes esp-sha-hmac > crypto map MIJNMAP 1 ipsec-isakmp > set peer 88.86.86.91 (88.68.68.91 is the ip to the public from ROUTER 2!!) > set transform-set MIJNSET > crypto map MIJNMAP 1 ipsec-isakmp > match address 180

7. Make VPN access-list: on R1 > enable > conf t > access-list 180 permit ip 172.10.0.0 0.0.255.255 172.50.0.0 0.0.255.255 (172.50.0.0 is the VLAN network on the other side you want to reach) > access-list 180 permit ip 172.20.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 180 permit ip 172.30.0.0 0.0.255.255 172.50.0.0 0.0.255.255

8. Change the overload access-list: on R1 > enable > conf t > no access-list 100 (or no access-list 1, if you kept the temporary access-list) > access-list 100 deny ip 172.10.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 deny ip 172.20.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 deny ip 172.30.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 permit ip 172.10.0.0 0.0.255.255 any > access-list 100 permit ip 172.20.0.0 0.0.255.255 any > access-list 100 permit ip 172.30.0.0 0.0.255.255 any


9. Do step 2 to 8 on router 2 as well:

2. On router 2: enable > conf t > ip route 0.0.0.0 0.0.0.0 g0/0 (g0/0 is the port to the public)

3. Test if everything still works (site, ping between router and computers)

4. Update the license of the router: on router > enable > conf t > license boot module c2900 technology-package securityk9 > exit > reload

5. Configure VPN on R2: enable > conf t > crypto isakmp policy 1 > authentication pre-share > exit > crypto isakmp key CISCO address 88.86.86.92 (88.68.68.92 is the ip to the public from ROUTER 1!!)

6. Set transform set: on R2 > enable > conf t > crypto ipsec transform-set MIJNSET esp-aes esp-sha-hmac > crypto map MIJNMAP 1 ipsec-isakmp > set peer 88.86.86.92 (88.68.68.92 is the ip to the public from ROUTER 1!!) > set transform-set MIJNSET > crypto map MIJNMAP 1 ipsec-isakmp > match address 180

7. Make VPN access-list: on R2 > enable > conf t > access-list 180 permit ip 172.10.0.0 0.0.255.255 172.50.0.0 0.0.255.255 (172.50.0.0 is the VLAN network on this side that you want to reach) > access-list 180 permit ip 172.20.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 180 permit ip 172.30.0.0 0.0.255.255 172.50.0.0 0.0.255.255

8. Change the overload access-list: on R2 > enable > conf t > no access-list 100 (depends on what the overload access-list number is) > access-list 100 deny ip 172.10.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 deny ip 172.20.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 deny ip 172.30.0.0 0.0.255.255 172.50.0.0 0.0.255.255 > access-list 100 permit ip 172.10.0.0 0.0.255.255 any > access-list 100 permit ip 172.20.0.0 0.0.255.255 any > access-list 100 permit ip 172.30.0.0 0.0.255.255 any


10. Activate the VPN on router 1: on router 1 > enable > conf t > int g0/0 (g0/0 is the port to the public) > crypto map MIJNMAP

11. Activate the VPN on router 2: on router 2 > enable > conf t > int g0/0 (g0/0 is the port to the public) > crypto map MIJNMAP

12. Ping from the side where you activated it first, so if you first did step 10 on router 1, ping from router 1 to router 2 (ip address of port to the public from router 2) and ping in CLE

13. How to test VPN: tracert on computer to the other side, so from a PC in VLAN 10 to VLAN 50 (ex. tracert 172.50.0.101 on PC in VLAN 10)

and once you pinged: router 1 > enable > show crypto isakmp sa

New R2 the above router. GRE over IP tunnel

Left router first CLI

En
conf t
int tun0
ip address 192.168.2.1 255.255.255.0
tunnel source g0/1
tunnel destination 201.150.200.6
tunnel mode gre ip
exit
ip route 192.168.3.0 255.255.255.0 192.168.2.2
end
copy run start


Right router first cli
en
conf t
int tun 0
ip address 192.168.2.2 255.255.255.0
tunnel source g0/1
tunnel destination 201.150.200.1
tunnel mode gre ip
exit
ip route 192.168.1.0 255.255.255.0 192.168.2.1
end
show ip route


ping PC's
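The access-list steps in the notes above (lists 150-152 on the MLS, the "block VLAN from internet" list, and NAT list 100 with the VPN exemption entries) rely on two things IOS does silently: a wildcard mask treats 1 bits as don't-care, and entries are evaluated top to bottom until the first match, with an implicit deny at the end. The Python below is an added example, not part of the thread and not any Cisco tool; it parses the access-list lines from the notes (constructed here as strings) into a small model, evaluates sample packets against them, and shows what the NAT list would do if the deny entries for VPN traffic were placed after the permits.

```python
"""Model Cisco IOS numbered extended ACLs: wildcard masks, first match, implicit deny.

Added example for the access-list and NAT steps in the notes above. It is not
IOS code and only models 'access-list N permit|deny ip SRC DST' entries
('any' or 'NETWORK WILDCARD'); 'host', ports and standard lists are ignored.
"""
import ipaddress

# Constructed from the notes: MLS inter-VLAN lists 150-152 and the router NAT
# list 100 as it reads after the VPN exemption step (deny entries first).
ACL_CONFIG = """
access-list 150 deny ip 172.30.0.0 0.0.255.255 172.20.0.0 0.0.255.255
access-list 150 deny ip 172.30.0.0 0.0.255.255 172.10.0.0 0.0.255.255
access-list 150 permit ip 172.30.0.0 0.0.255.255 any
access-list 151 deny ip 172.20.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 151 permit ip 172.20.0.0 0.0.255.255 any
access-list 152 deny ip 172.10.0.0 0.0.255.255 172.30.0.0 0.0.255.255
access-list 152 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 deny ip 172.10.0.0 0.0.255.255 172.50.0.0 0.0.255.255
access-list 100 deny ip 172.20.0.0 0.0.255.255 172.50.0.0 0.0.255.255
access-list 100 deny ip 172.30.0.0 0.0.255.255 172.50.0.0 0.0.255.255
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 100 permit ip 172.30.0.0 0.0.255.255 any
"""

# Constructed from the "block VLAN from internet" step: only VLAN 10 and 20 get NATed.
INTERNET_BLOCK_ACL = """
access-list 100 permit ip 172.10.0.0 0.0.255.255 any
access-list 100 permit ip 172.20.0.0 0.0.255.255 any
access-list 100 deny ip any any
"""


def _take_addr(tokens, i):
    """Consume 'any' or 'NETWORK WILDCARD' starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return ("any", None), i + 1
    return (tokens[i], tokens[i + 1]), i + 2


def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} preserving line order."""
    acls = {}
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[3] != "ip":
            continue  # only extended 'ip' entries are modelled
        number, action = int(t[1]), t[2]
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def wildcard_match(addr, spec):
    """Cisco wildcard semantics: 0 bits in the mask must match, 1 bits are don't-care."""
    net, wild = spec
    if net == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(entries, src, dst):
    """First matching entry decides; no match falls through to the implicit deny."""
    for action, s, d in entries:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"


def nat_decision(entries, src, dst):
    """On an 'ip nat inside source list' ACL, permit means translate, deny means leave alone."""
    return "translated" if evaluate(entries, src, dst) == "permit" else "untranslated"


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    for src, dst in [("172.30.0.5", "172.10.0.5"), ("172.30.0.5", "8.8.8.8")]:
        print("ACL 150", src, "->", dst, evaluate(acls[150], src, dst))
    print("NAT list 100, VPN traffic:", nat_decision(acls[100], "172.10.0.5", "172.50.0.101"))
    print("same entries, permits first:",
          nat_decision(list(reversed(acls[100])), "172.10.0.5", "172.50.0.101"))
    block = parse_acls(INTERNET_BLOCK_ACL)
    print("internet block, VLAN 30:", nat_decision(block[100], "172.30.0.5", "8.8.8.8"))
```

The reversed-order check is the point worth keeping in mind from step 8 of the VPN section: if the three permit entries came first, VLAN-to-VLAN traffic for the tunnel would be translated to the public address before it reached the crypto map and would never match access-list 180.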
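The GRE-over-IP tunnel configured on the two routers at the end carries the LAN packets in plain sight: the outer IP header (protocol 47) is followed by a 4-byte GRE header and then the original packet, unmodified. The Python below is an added example, not from the thread and not router code; it builds such a packet using the tunnel endpoint addresses from the notes (201.150.200.1 to 201.150.200.6) with two constructed hosts (192.168.1.10 to 192.168.3.10), then decodes it again, verifying the outer header checksum and handling the optional checksum, key and sequence fields in the GRE header. It makes concrete why a plain GRE tunnel is a reachability tool and not a confidentiality one; the crypto map in the VPN section is what adds encryption.

```python
"""Build and decode a GRE-over-IPv4 packet (RFC 2784 base header).

Added example for the GRE tunnel at the end of the notes; it is not router
code. Tunnel endpoints are the addresses from the notes; the two LAN hosts
are constructed for the example.
"""
import ipaddress
import struct

GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" for an IPv4 payload


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 for a header that already carries a valid one."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """What the tunnel source router does: outer IP header + GRE header + original packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C=K=S=0: no checksum, key or sequence number
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner_packet)) + gre + inner_packet


def gre_decapsulate(packet: bytes):
    """Inverse of gre_encapsulate; returns (outer_src, outer_dst, inner_packet) or raises ValueError."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4:
        raise ValueError("truncated packet")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    gre_len = 4
    if flags & 0x8000:   # C bit: checksum + reserved1 present
        gre_len += 4
    if flags & 0x2000:   # K bit: key present
        gre_len += 4
    if flags & 0x1000:   # S bit: sequence number present
        gre_len += 4
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE protocol type 0x%04x" % ptype)
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    return outer_src, outer_dst, packet[ihl + gre_len:]


def inner_addresses(inner_packet: bytes):
    """Source and destination of the encapsulated IPv4 packet."""
    return (str(ipaddress.IPv4Address(inner_packet[12:16])),
            str(ipaddress.IPv4Address(inner_packet[16:20])))


def demo():
    # Constructed sample: a host on the left LAN sends to a host on the right LAN;
    # proto 1 (ICMP) with a placeholder payload stands in for a ping.
    inner = ipv4_header("192.168.1.10", "192.168.3.10", 1, 8) + b"PINGDATA"
    outer = gre_encapsulate("201.150.200.1", "201.150.200.6", inner)
    outer_src, outer_dst, recovered = gre_decapsulate(outer)
    return {
        "packet": outer,
        "outer": (outer_src, outer_dst),
        "inner": inner_addresses(recovered),
        # Anyone on the path sees the original packet bytes: GRE adds no confidentiality.
        "payload_visible": recovered == inner and b"PINGDATA" in outer,
    }


if __name__ == "__main__":
    result = demo()
    print("outer", result["outer"], "inner", result["inner"], "bytes", len(result["packet"]))
    print("inner packet readable in transit:", result["payload_visible"])
```

Run as a script it prints the outer and inner address pairs and a total of 52 bytes (20 outer IP + 4 GRE + 28 inner); the decoder rejects a packet whose outer protocol field or header checksum has been changed, which is the same check a receiving tunnel endpoint performs before it looks at the GRE header.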