Home > GRE Tunnel

GRE Tunnel

August 1st, 2017 in ROUTE 300-101 Go to comments

Question 1

Explanation

GRE packets are encapsulated within IP and use IP protocol type 47

Question 2

Explanation

A GRE interface definition includes:

+ An IPv4 address on the tunnel
+ A tunnel source
+ A tunnel destination

Below is an example of how to configure a basic GRE tunnel:

interface Tunnel 0
ip address 10.10.10.1 255.255.255.0
tunnel source fa0/0
tunnel destination 172.16.0.2

In this case the “IPv4 address on the tunnel” is 10.10.10.1/24 and “sourced the tunnel from an Ethernet interface” is the command “tunnel source fa0/0”. Therefore it only needs a tunnel destination, which is 172.16.0.2.

Note: A multiple GRE (mGRE) interface does not require a tunnel destination address.

Question 3

Explanation

The tunnel interface is configured in default mode means the tunnel has been configured as a point-to-point (P2P) GRE tunnel. Normally, a P2P GRE Tunnel interface comes up (up/up state) as soon as it is configured with a valid tunnel source address or interface which is up and a tunnel destination IP address which is routable.

Under normal circumstances, there are only three reasons for a GRE tunnel to be in the up/down state:
+ There is no route, which includes the default route, to the tunnel destination address.
+ The interface that anchors the tunnel source is down.
+ The route to the tunnel destination address is through the tunnel itself, which results in recursion.

Therefore if a route towards the tunnel destination has not been configured then the tunnel is stuck in up/down state.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

Question 4

Explanation

In this question only answer A is a reasonable answer. When the state of the tunnel interface is continuously moving between up and down we must make sure the route towards the tunnel destination address is good. If it is not good then that route may be removed from the routing table -> the tunnel interface comes down.

Question 5

Explanation

The IP protocol was designed for use on a wide variety of transmission links. Although the maximum length of an IP datagram is 65535, most transmission links enforce a smaller maximum packet length limit, called an MTU. The value of the MTU depends on the type of the transmission link. The design of IP accommodates MTU differences since it allows routers to fragment IP datagrams as necessary. The receiving station is responsible for the reassembly of the fragments back into the original full size IP datagram.

Fragmentation and Path Maximum Transmission Unit Discovery (PMTUD) is a standardized technique to determine the maximum transmission unit (MTU) size on the network path between two hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in IPv4. However, all modern operating systems use it on endpoints.

The TCP Maximum Segment Size (TCP MSS) defines the maximum amount of data that a host is willing to accept in a single TCP/IP datagram. This TCP/IP datagram might be fragmented at the IP layer. The MSS value is sent as a TCP header option only in TCP SYN segments. Each side of a TCP connection reports its MSS value to the other side. Contrary to popular belief, the MSS value is not negotiated between hosts. The sending host is required to limit the size of data in a single TCP segment to a value less than or equal to the MSS reported by the receiving host.

TCP MSS takes care of fragmentation at the two endpoints of a TCP connection, but it does not handle the case where there is a smaller MTU link in the middle between these two endpoints. PMTUD was developed in order to avoid fragmentation in the path between the endpoints. It is used to dynamically determine the lowest MTU along the path from a packet’s source to its destination.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/25885-pmtud-ipfrag.html (there is some examples of how TCP MSS avoids IP Fragmentation in this link but it is too long so if you want to read please visit this link)

Note: IP fragmentation involves breaking a datagram into a number of pieces that can be reassembled later.

Question 6

Explanation

A valid tunnel destination is one which is routable (which means the destination is present or there is a default route in the routing table). However, it does not have to be reachable -> Answer B is correct.

Reference: http://www.cisco.com/c/en/us/support/docs/ip/generic-routing-encapsulation-gre/118361-technote-gre-00.html

For a tunnel to be up/up, the source interface must be up/up, it must have an IP address, and the destination must be reachable according to your own routing table.

Question 7

Question 8

Question 9

Explanation

GRE tunnel provides a way to encapsulate any network layer protocol over any other network layer protocol. GRE allows routers to act as if they have a virtual point-to-point connection to each other. GRE tunneling is accomplished by creating routable tunnel endpoints that operate on top of existing physical and/or other logical endpoints. Especially, IPsec does not support multicast traffic so GRE tunnel is a good solution instead (or we can combine both).

Question 10

Question 11

Explanation

When running GRE tunnel over IPSec, a packet is first encapsulated in a GRE packet and then GRE is encrypted by IPSec -> C is correct.

Question 12

Explanation

Four steps to configure GRE tunnel over IPsec are:

1. Create a physical or loopback interface to use as the tunnel endpoint. Using a loopback rather than a physical interface adds stability to the configuration.
2. Create the GRE tunnel interfaces.
3. Add the tunnel subnet to the routing process so that it exchanges routing updates across that interface.
4. Add GRE traffic to the crypto access list, so that IPsec encrypts the GRE tunnel traffic.

An example of configuring GRE Tunnel is shown below:

interface Tunnel0
ip address 192.168.16.2 255.255.255.0
tunnel source FastEthernet1/0
tunnel destination 14.38.88.10
tunnel mode gre ip

Note: The last command is enabled by default so we can ignore it in the configuration)

(Reference: CCNP Routing and Switching Quick Reference)

Question 13

Explanation

The address of the crypto isakmp key (line “crypto isakmp key ******* address 172.16.1.2”) should be 192.168.2.1, not 172.16.1.2 -> A is correct.

Question 14

Explanation

The access-list must also support GRE traffic with the “access-list 102 permit gre host 192.168.1.1 host 192.168.2.1” command -> B is correct.

Below is the correct configuration for GRE over IPsec on router B1 along with descriptions.

Configure_GRE_tunnel_over_IPsec.jpg

The interface tunnel configuration is rather simple so I don’t post it here.

Question 15

Explanation

The “tunnel destination” in interface tunnel should be 192.168.2.1, not 172.16.1.2 -> D is correct.

Comments
Comment pages
1 2 1293
  1. etgggg
    August 28th, 2018

    I purchased 300-101, the information inside is true and effective. Before the exam, the question bank will be updated to take the initiative to communicate with me. The attitude is very good. Any questions will be answered in time, and the information is comprehensive. There is no subject. I passed the exam and shared it with you. I hope it will help you too.
    h tt p://t .cn/RDug3fQ

  2. ccnp route
    October 23rd, 2018

    want to take ccnp route exam please share me the dumps please

  3. _saiko
    October 28th, 2018

    Some new questions…

    Which commands are used to configure IPSEC over GRE tunnel? (choose two)
    A. IP MTU
    B. Tunnel Key
    C. IP TCP Adjust MSS
    D. MPLS MTU
    E. IP unnumbered

    So far GRE over IPSEC was referenced in the questions, here it’s the other way round. I guess since with IPSEC over GRE the payload will be encrypted (unlike the payload+GRE overhead), the GRE interface itself doesn’t need an IP, thus IP unnumbered could be an answer.
    IP TCP Adjust MSS and Tunnel key could also be an answer.

    Thus, B,(C), E

    Anyone else has a comment? :)

  4. quti
    November 5th, 2018

    RRRRR:

    w w w

    The update here is fast, the information is complete, the pass rate is very high, and you can go and see if you need it.

    .cciedumps.xyz/ccie_rs.php?utm_source=bbs&utm_medium=bbs

  5. Dmitry
    November 7th, 2018

    Which commands are used to configure IPSEC over GRE tunnel? (choose two)
    A. IP MTU
    B. Tunnel Key
    C. IP TCP Adjust MSS
    D. MPLS MTU
    E. IP unnumbered

    I think right answers A and C

  6. Dmitry
    November 7th, 2018

    Hmmm, B maybe right to.
    Strange question, not so clear.

  7. Dany1
    December 16th, 2018

    Regarding Q5 and his variances (saiko show one):
    For Q5 answers are TCP MSS and PMTU (like digitaltut wrote). For saiko question, the answers are IP MTP and TCP MSS.
    IP MTU is static definition for MTU and PMTUD ( path-mtu-discovery) is dynamically one, which is much better. So, is desirable tu use R1(config-if)#tunnel path-mtu-discover min-mtu 1200 (for example) in interface tunnel mode command.
    Q13,Q14,Q15 are beautiful questions, at CCIE level and unfortunately, difitaltut answer incorrect to Q13 and Q14, and present wrong explanantion to Q15. Wrong explanation are indeed to all three. I suggest to digitaltut to try to configure crypto map on tunnel interface to see what is happening. That will be the answer
    “R1(config-if)#crypto map test
    % NOTE: crypto map is configured on tunnel interface.
    Currently only GDOI crypto map is supported on tunnel interface.”
    So, please digitaltut correct answers for Q13 and Q14 and write somewhere that ” crypto map is applicable only to physical interface”

  8. Dany1
    December 17th, 2018

    Here is a link where is described what i observe in GNS3
    https://community.cisco.com/t5/vpn-and-anyconnect/problem-with-gre-over-ipsec-with-ios-version-15-1-2-t4/td-p/1751266
    “A crypto map cannot be applied to a tunnel interface. If you try to apply the tunnel interface to a crypto map, an error message is displayed as follows: crypto map is configured on tunnel interface. Currently only Group Domain of Interpretation (GDOI) crypto map is supported on tunnel interface.”

Comment pages
1 2 1293
  1. No trackbacks yet.