0

As I can find in this support document, in order to configure a GRE tunnel between two routers R1 and R2, I issue the following sets of commands (mtu and mss omitted),

R1

R1(config)# interface Tunnel1
R1(config-if)# ip address 172.16.1.1 255.255.255.0
R1(config-if)# tunnel source 1.1.1.1
R1(config-if)# tunnel destination 2.2.2.2

R2

R2(config)# interface Tunnel1
R2(config-if)# ip address 172.16.1.2 255.255.255.0
R2(config-if)# tunnel source 2.2.2.2
R2(config-if)# tunnel destination 1.1.1.1

What I cannot understand is, why do we need two addresses at each end? If I am not wrong, R1 is getting the addresses 172.16.1.1 (interface) and 1.1.1.1 (tunnel), and R2 is getting the addresses 172.16.1.2 (interface) and 2.2.2.2 (tunnel). Each router is acting as the destination for the other. But why assign two addresses at each end? As per my (mis)understanding, in R1, if we assign 172.16.1.1, why do we need 1.1.1.1? The same question applies to R2.

Moreover, as I find in the same document, further connectivity checks are done by using the

R1# ping 172.16.1.2

command. So, at least, the 1. and 2. addresses are not playing any role in the connectivity test.

I appreciate your clearing the above confusion.

Masroor

3 Answers

2

The 1.1.1.1 and 2.2.2.2 addresses are virtual endpoints on a point-to-point connection; they are the "road" the traffic takes to get from 172.16.1.1 to 172.16.1.2. GRE is a protocol that voyages inside IP; it's the same sort of concept you'll need if you want to understand the workings of VPNs in general. Instead of using Ethernet (or other physical layers), it is using IP as the transport layer.

NickW
  • Pardon my foolish question, why use the virtual end points, 1.1.1.1 and 2.2.2.2, why not use 172.16.1.1 and 172.16.1.2? Why are the former two special? – Masroor Apr 11 '13 at 10:44
  • 2
    Well, the actual numbers are unimportant, but the concept is that the 172.x addresses are considered as the transport layer, think of them like MAC addresses. Basically between 172.16.1.1 and 172.16.1.2 there is a virtual ethernet cable, and to send traffic over that, you will need addresses. My description is a bit basic, but I hope I am helping to explain the concept. Plugging in an ethernet cable without adding addresses on both sides won't get you far :) – NickW Apr 11 '13 at 10:54
  • Thanks, think I got it. Also the diagram in this page (http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html) helped me to understand better what you are saying. – Masroor Apr 11 '13 at 15:46
  • Isn't that backwards? The 172.x.x.x address is inside the tunnel, and the tunnel is formed from 1.1.1.1 to 2.2.2.2 so it needs to know the address it is using locally (source) and trying to reach (destination)? – cpt_fink Apr 12 '13 at 01:18
  • 1
    Well, the 172 addresses are actually the outside edges of the tunnel, like the gateway address, maybe I could have explained it a bit better with a diagram.. 172.1 -- 1.1 <-> 2.2 -- 172.2 – NickW Apr 12 '13 at 09:08
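
The encapsulation this answer and its comments discuss, as an added example that is not part of the original thread: it builds the packet that `ping 172.16.1.2` produces on R1, wraps it in GRE using the `tunnel source` and `tunnel destination` from the question, and unwraps it as R2 would. The function names and the ping payload are constructed for illustration, and the GRE header is assumed to be the basic 4-byte form with no checksum, key or sequence number.

```python
import socket
import struct

GRE_PROTO, ICMP_PROTO, ETHERTYPE_IPV4 = 47, 1, 0x0800  # IP protocol numbers, GRE payload type

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) of an IPv4 packet."""
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:total_len])

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """R1 side: prepend a GRE header, then a new outer IP header."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # flags/version = 0, payload is IPv4
    return ipv4(tunnel_src, tunnel_dst, GRE_PROTO, gre + inner)

def gre_decapsulate(outer):
    """R2 side: strip outer IP and GRE, return (outer_src, outer_dst, inner_packet)."""
    src, dst, proto, payload = parse_ipv4(outer)
    if proto != GRE_PROTO or len(payload) < 4:
        raise ValueError("not a GRE packet")
    if struct.unpack("!HH", payload[:4]) != (0, ETHERTYPE_IPV4):
        raise ValueError("unsupported GRE header")
    return src, dst, payload[4:]

def demo():
    # Constructed ICMP echo request, as "ping 172.16.1.2" on R1 would send
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"constructed-ping"
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    inner = ipv4("172.16.1.1", "172.16.1.2", ICMP_PROTO, icmp)
    on_wire = gre_encapsulate(inner, "1.1.1.1", "2.2.2.2")
    outer_src, outer_dst, recovered = gre_decapsulate(on_wire)
    return (outer_src, outer_dst), parse_ipv4(recovered)[:3], len(on_wire) - len(inner)

if __name__ == "__main__":
    print(demo())
```

The ping is addressed to 172.16.1.2, but the packet that crosses the network between the routers carries 1.1.1.1 and 2.2.2.2 in its outer header. The third value returned by `demo()` is the 24 bytes the outer IP and GRE headers add, which is the overhead behind the MTU and MSS settings the question leaves out.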
2

Because the GRE tunnel is a Layer-3 mechanism, and needs a layer-3 address for the forwarding table. If you look at it from the router's perspective, it would need to know what "interface" to send it off to and then once it's inside the interface, where to send it next.

Also note that you can have multiple GRE tunnels on a single router.

If you don't want to use IPs on the tunnels, look into Layer-2 tunneling.

kruczkowski
0

If you use interface routes you don't need IP addresses on the GRE tunnel. The IP address is needed only if you use "next hop" routes to the remote network.