Tunnel – How to Configure Two GRE Tunnels in One Subnet

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/868-cisco-router-gre-ipsec.html

In the example above, R1:

R1(config)# interface Tunnel0
R1(config-if)# ip address 172.16.0.1 255.255.255.0
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 2.2.2.10

and R2:

R2(config)# interface Tunnel0
R2(config-if)# ip address 172.16.0.2 255.255.255.0
R2(config-if)# tunnel source 2.2.2.10
R2(config-if)# tunnel destination 1.1.1.10

When a packet with dst IP address 172.16.0.2 arrives at R1, how does R1 know where to send it? It checks its routing table and knows that 172.16.0.2 is directly connected? Anyway, it adds a new IP header (dst IP set to 2.2.2.10, the tunnel destination) and a GRE header to that packet.

When R2 receives the packet, it knows the packet was addressed to its 2.2.2.10 FE0/1 interface and it matches the tunnel source IP address that was set up on R2. So it removes the outer IP and GRE header, leaving the packet with dst IP 172.16.0.2 and routes it forward (not in this case of course, but it would if the dst IP was different).

Suppose there was another router – R3. Is it possible to set up a tunnel between R1 and R3 using the same network – 172.16.0.0/24?

When R1 pings the tunnel interface of R2 – 172.16.0.2, how does it know how to send it there? It probably checks its own Tunnel0 configuration: oh, I should send it to 172.16.0.2, which is in the same subnet as my Tunnel0 interface 172.16.0.1. Then it checks the tunnel destination address to learn it's 2.2.2.10. In other words, it can't directly ARP 172.16.0.2 because it's not a physical connection.

Let's say I add R3 with Tunnel1 interface 172.16.0.4/24 whose public IP is 3.3.3.10. Next I configure Tunnel1 on R1:

R1(config)# interface Tunnel1
R1(config-if)# ip address 172.16.0.3 255.255.255.0
R1(config-if)# tunnel source 1.1.1.10
R1(config-if)# tunnel destination 3.3.3.10

Pinging 172.16.0.2 from R1 probably wouldn't work, because now I have two tunnels on R1 using the same subnet (R1-R2 and R1-R3). R1 has no idea which tunnel I mean here and therefore it doesn't know the tunnel destination.


TL;DR: Does it mean we need a different subnet for each tunnel? If so, shouldn't all tunnel subnets be /30? We only need two IPs for a tunnel – source and destination.

Best Answer

A 'normal' GRE tunnel is used as a point-to-point connection. A /30 (or even /31) would be a better use of your subnet space. There also exist multipoint GRE tunnels, such as DMVPN. Here you can have multiple tunnel endpoints connected to one tunnel interface. In that case, you will want a bigger subnet.
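
The following is an added example, not part of the original question or answer. It is a simplified Python model of the lookup the question walks through (inner destination, then connected tunnel subnet, then outer tunnel destination), comparing the two /24 tunnels from the question with one /30 per tunnel. The helper names and the renumbering of the R1-R3 tunnel to 172.16.0.4/30 are assumptions, and the model does not reproduce actual IOS behaviour.

```python
import ipaddress

def tunnel(name, local_cidr, outer_dst):
    """Describe one point-to-point GRE tunnel interface on R1."""
    iface = ipaddress.ip_interface(local_cidr)
    return {"name": name, "local": iface.ip, "net": iface.network,
            "outer_dst": outer_dst}

def overlaps(tunnels):
    """Pairs of tunnel interfaces whose inner subnets overlap."""
    return [(a["name"], b["name"])
            for i, a in enumerate(tunnels)
            for b in tunnels[i + 1:]
            if a["net"].overlaps(b["net"])]

def resolve(tunnels, inner_dst):
    """Longest-prefix match of an inner destination against the connected
    tunnel subnets. More than one result means the lookup is ambiguous."""
    dst = ipaddress.ip_address(inner_dst)
    matches = [t for t in tunnels if dst in t["net"]]
    if not matches:
        return []
    best = max(t["net"].prefixlen for t in matches)
    return [t for t in matches if t["net"].prefixlen == best]

def carve(parent, outer_peers, prefixlen=30):
    """Give each peer its own /30 out of the parent block; R1 takes the
    first host address of every subnet."""
    subnets = ipaddress.ip_network(parent).subnets(new_prefix=prefixlen)
    plan = []
    for i, (outer, net) in enumerate(zip(outer_peers, subnets)):
        local = next(net.hosts())
        plan.append(tunnel(f"Tunnel{i}", f"{local}/{prefixlen}", outer))
    return plan

# Layout from the question: both tunnels on R1 inside 172.16.0.0/24.
SHARED = [tunnel("Tunnel0", "172.16.0.1/24", "2.2.2.10"),
          tunnel("Tunnel1", "172.16.0.3/24", "3.3.3.10")]

# Layout from the answer: one /30 per tunnel (constructed addressing).
SPLIT = carve("172.16.0.0/24", ["2.2.2.10", "3.3.3.10"])

if __name__ == "__main__":
    for label, plan in (("shared /24", SHARED), ("per-tunnel /30", SPLIT)):
        print(label, "overlaps:", overlaps(plan))
        for dst in ("172.16.0.2", "172.16.0.6"):
            hits = [(t["name"], t["outer_dst"]) for t in resolve(plan, dst)]
            print(f"  {dst} -> {hits}")
```
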
