1 00:00:02,639 --> 00:00:05,389 (dramatic music) 2 00:00:09,235 --> 00:00:10,278 - In this video I'd like to introduce 3 00:00:10,278 --> 00:00:12,328 the concept of GRE tunnels, 4 00:00:12,328 --> 00:00:13,978 and before I do that, 5 00:00:13,978 --> 00:00:16,175 let me just back up for a moment and talk about 6 00:00:16,175 --> 00:00:18,298 what is a tunnel in the first place? 7 00:00:18,298 --> 00:00:21,093 Here's a real high level of looking at this concept 8 00:00:21,093 --> 00:00:22,093 of a tunnel. 9 00:00:23,179 --> 00:00:25,272 So imagine for a moment an IP packet, 10 00:00:25,272 --> 00:00:28,460 okay so imagine in binary you have a string of bits 11 00:00:28,460 --> 00:00:29,984 which is your data, 12 00:00:29,984 --> 00:00:31,928 maybe your web browsing or whatever, 13 00:00:31,928 --> 00:00:33,677 and then in front of that string of bits you have another 14 00:00:33,677 --> 00:00:37,677 string of bits which is your TCP segment header, 15 00:00:38,726 --> 00:00:41,961 and then in front of that you've got another string of bits 16 00:00:41,961 --> 00:00:43,849 which is your IP header, 17 00:00:43,849 --> 00:00:45,306 and that's where it ends. 18 00:00:45,306 --> 00:00:46,771 So you've got your IP header, 19 00:00:46,771 --> 00:00:47,771 your TCP header, 20 00:00:47,771 --> 00:00:49,482 and then all of your data. 21 00:00:49,482 --> 00:00:52,287 Now, that long string of bits, 22 00:00:52,287 --> 00:00:55,894 can you take that as it is and put it on a wire 23 00:00:55,894 --> 00:00:57,660 and send it out? 24 00:00:57,660 --> 00:00:58,663 Hopefully you said, 25 00:00:58,663 --> 00:01:02,043 "Well no Keith, you can't take a layer three packet 26 00:01:02,043 --> 00:01:04,036 "and place it directly on a wire, 27 00:01:04,036 --> 00:01:07,018 "you can't just bypass the data link layer. 28 00:01:07,018 --> 00:01:08,418 "We need the data link layer." 29 00:01:08,418 --> 00:01:10,594 Why do we need the data link layer? 
30 00:01:10,594 --> 00:01:12,511 Well because that wire, 31 00:01:13,758 --> 00:01:16,166 let's just assume it's an Ethernet wire, 32 00:01:16,166 --> 00:01:19,143 that Ethernet wire is expecting ones and zeros 33 00:01:19,143 --> 00:01:21,446 to take the form of Ethernet. 34 00:01:21,446 --> 00:01:24,831 In other words if I send a string of bits to you, 35 00:01:24,831 --> 00:01:26,738 and it arrives on your Ethernet NIC card, 36 00:01:26,738 --> 00:01:30,170 your Ethernet NIC card is assuming the first few ones 37 00:01:30,170 --> 00:01:32,404 and zeros are the preamble, 38 00:01:32,404 --> 00:01:34,334 and then the next few ones and zeros after that 39 00:01:34,334 --> 00:01:36,497 are a destination MAC, 40 00:01:36,497 --> 00:01:38,364 and then there's a source MAC, 41 00:01:38,364 --> 00:01:40,436 so if I just sent you a string of ones and zeros that 42 00:01:40,436 --> 00:01:42,278 started with the IP header 43 00:01:42,278 --> 00:01:44,433 and there was no Ethernet header in front of that, 44 00:01:44,433 --> 00:01:45,925 you wouldn't be able to interpret that, 45 00:01:45,925 --> 00:01:47,884 you wouldn't know what to do with that. 46 00:01:47,884 --> 00:01:51,569 So I need to take that IP packet and wrap it inside of 47 00:01:51,569 --> 00:01:54,094 something that you will understand, 48 00:01:54,094 --> 00:01:57,859 something this cable supports that I can send to you, 49 00:01:57,859 --> 00:02:01,102 because your NIC card does not natively understand IP, 50 00:02:01,102 --> 00:02:04,658 but it does understand another protocol, Ethernet, 51 00:02:04,658 --> 00:02:06,500 which carries IP. 
52 00:02:06,500 --> 00:02:09,200 So typically we say that 53 00:02:09,200 --> 00:02:11,395 that's the process of encapsulation, 54 00:02:11,395 --> 00:02:13,606 where I'm taking some protocol, 55 00:02:13,606 --> 00:02:15,932 in this case a layer two protocol Ethernet, 56 00:02:15,932 --> 00:02:20,265 and I'm using it to encapsulate something else, 57 00:02:20,265 --> 00:02:23,661 which in this case is a layer three protocol which is IP. 58 00:02:23,661 --> 00:02:25,462 Another way of saying that is, 59 00:02:25,462 --> 00:02:26,801 tunneling, 60 00:02:26,801 --> 00:02:29,040 in other words I'm taking some protocol that does not 61 00:02:29,040 --> 00:02:30,913 natively go across this wire, 62 00:02:30,913 --> 00:02:33,154 I can't put it on this wire and I'm saying well, 63 00:02:33,154 --> 00:02:35,048 how can I put it across this wire? 64 00:02:35,048 --> 00:02:36,717 What if I take this data, 65 00:02:36,717 --> 00:02:37,802 this structure here, 66 00:02:37,802 --> 00:02:39,154 whatever it is, 67 00:02:39,154 --> 00:02:41,316 and wrapped it in something else 68 00:02:41,316 --> 00:02:45,060 that is supported on this wire and got it through? 69 00:02:45,060 --> 00:02:48,382 Now in the case of Ethernet it's just point to point, 70 00:02:48,382 --> 00:02:51,587 right on Ethernet you and I share an Ethernet wire 71 00:02:51,587 --> 00:02:53,768 so I encapsulated the Ethernet. 72 00:02:53,768 --> 00:02:55,487 Well let's take it one step further. 73 00:02:55,487 --> 00:02:59,513 Let's say that I have a situation like this, 74 00:02:59,513 --> 00:03:03,680 where I have a couple of routers on the end that have 75 00:03:05,087 --> 00:03:09,254 an IPv6 network but in the middle there is no IPv6. 76 00:03:13,776 --> 00:03:18,181 Could I put an IPv6 packet on this wire right here? 77 00:03:18,181 --> 00:03:22,663 No I couldn't because fast Ethernet zero zero on R one 78 00:03:22,663 --> 00:03:24,980 doesn't even have an IPv6 address. 
79 00:03:24,980 --> 00:03:28,014 That interface does not understand IPv6, 80 00:03:28,014 --> 00:03:31,459 and even if somehow I could put an IPv6 packet on there, 81 00:03:31,459 --> 00:03:34,460 when it got to this device right here, 82 00:03:34,460 --> 00:03:36,094 he doesn't understand IPv6. 83 00:03:36,094 --> 00:03:40,457 There's no way I could natively put an IPv6 packet 84 00:03:40,457 --> 00:03:43,658 from R one to R two because the devices in the middle 85 00:03:43,658 --> 00:03:46,027 don't support IPv6. 86 00:03:46,027 --> 00:03:48,430 But, what if I could do this? 87 00:03:48,430 --> 00:03:50,626 What if I could take my IPv6 packet, 88 00:03:50,626 --> 00:03:54,793 so maybe on R one I type ping 2001 two two two two, 89 00:03:56,206 --> 00:03:57,039 two two two two, 90 00:03:57,039 --> 00:03:58,219 two two two two, 91 00:03:58,219 --> 00:03:59,132 two two two two, 92 00:03:59,132 --> 00:04:00,610 colon colon two. 93 00:04:00,610 --> 00:04:02,674 So I'm doing an IPv6 ping. 94 00:04:02,674 --> 00:04:04,578 In order to get that to go across, 95 00:04:04,578 --> 00:04:08,484 what if I took that IPv6 packet and at the front of it, 96 00:04:08,484 --> 00:04:10,234 I put an IPv4 header? 97 00:04:14,171 --> 00:04:15,439 An IPv4 header with 98 00:04:15,439 --> 00:04:17,502 one dot one dot one dot one 99 00:04:17,502 --> 00:04:18,891 as the source, 100 00:04:18,891 --> 00:04:21,616 and how about two dot two dot two dot two 101 00:04:21,616 --> 00:04:23,544 as the destination? 102 00:04:23,544 --> 00:04:25,477 That could go across that wire. 103 00:04:25,477 --> 00:04:27,640 That could go from router one to router two because 104 00:04:27,640 --> 00:04:31,500 all these devices know how to route IPv4. 
105 00:04:31,500 --> 00:04:34,417 That is what's called tunneling, 106 00:04:34,417 --> 00:04:37,416 where I create a tunnel and in this case the two end points 107 00:04:37,416 --> 00:04:40,140 of the tunnel would be router one and router two, 108 00:04:40,140 --> 00:04:44,307 and what this tunnel is doing is it's taking information in 109 00:04:46,037 --> 00:04:49,942 that normally could not go across this connection, 110 00:04:49,942 --> 00:04:53,481 and it's somehow wrapping it in some additional header 111 00:04:53,481 --> 00:04:55,308 that my intermediary, 112 00:04:55,308 --> 00:04:59,637 my transit network does understand and can carry it through, 113 00:04:59,637 --> 00:05:02,595 and then once it pops out the other end of the tunnel, 114 00:05:02,595 --> 00:05:05,910 then we can strip off that outer header revealing the 115 00:05:05,910 --> 00:05:08,186 native packet inside and we can process it. 116 00:05:08,186 --> 00:05:11,130 That's what's called tunneling. 117 00:05:11,130 --> 00:05:13,094 Now there's a variety of ways to do tunneling. 118 00:05:13,094 --> 00:05:15,312 A lot of times in a lot of devices, 119 00:05:15,312 --> 00:05:18,246 you will actually create a tunnel interface 120 00:05:18,246 --> 00:05:20,414 just like we've talked about loopback interfaces 121 00:05:20,414 --> 00:05:21,655 which are logical interfaces, 122 00:05:21,655 --> 00:05:23,813 we've talked about sub-interfaces 123 00:05:23,813 --> 00:05:25,850 which are logical interfaces, 124 00:05:25,850 --> 00:05:27,352 I've talked about dialer interfaces, 125 00:05:27,352 --> 00:05:30,183 well now we're gonna do another logical interface 126 00:05:30,183 --> 00:05:33,981 that does not exist until you create it by typing it in, 127 00:05:33,981 --> 00:05:36,517 which is an interface tunnel. 
128 00:05:36,517 --> 00:05:39,616 Now when you create an interface tunnel, 129 00:05:39,616 --> 00:05:41,752 then the question is okay, 130 00:05:41,752 --> 00:05:44,211 well how is it going to encapsulate something, 131 00:05:44,211 --> 00:05:45,326 what's it going to do? 132 00:05:45,326 --> 00:05:48,047 And there's a variety of ways to do that. 133 00:05:48,047 --> 00:05:50,781 And the default way that tunnels encapsulate something 134 00:05:50,781 --> 00:05:54,948 is called Generic Route Encapsulation which is GRE. 135 00:05:56,251 --> 00:05:58,251 So let's talk about GRE. 136 00:05:59,591 --> 00:06:01,204 So that's what GRE stands for, 137 00:06:01,204 --> 00:06:02,479 Generic Route Encapsulation, 138 00:06:02,479 --> 00:06:05,547 it is a standard way of doing tunneling, 139 00:06:05,547 --> 00:06:07,779 one of many ways of doing tunneling, 140 00:06:07,779 --> 00:06:10,578 as defined here in RFC 2784. 141 00:06:10,578 --> 00:06:11,700 You actually could probably read that, 142 00:06:11,700 --> 00:06:13,113 it's very short. 143 00:06:13,113 --> 00:06:16,328 The way GRE works is very very simple. 144 00:06:16,328 --> 00:06:17,637 So GRE, 145 00:06:17,637 --> 00:06:20,971 why is it called Generic Route Encapsulation, 146 00:06:20,971 --> 00:06:22,350 because GRE says look, 147 00:06:22,350 --> 00:06:23,986 I don't care what's in the payload, 148 00:06:23,986 --> 00:06:26,045 what's in the payload is irrelevant to me, 149 00:06:26,045 --> 00:06:28,329 and I'm just gonna slap a new header on that 150 00:06:28,329 --> 00:06:31,246 and then send it out onto the wire. 151 00:06:32,243 --> 00:06:36,410 So GRE basically has a concept of an inner payload 152 00:06:39,137 --> 00:06:40,779 that it's carrying that it's wrapping, 153 00:06:40,779 --> 00:06:44,946 and then GRE itself relies on some outer protocol, 154 00:06:46,075 --> 00:06:48,818 that's what we call the delivery protocol. 
155 00:06:48,818 --> 00:06:51,030 Like in my example of what I just drew right there, 156 00:06:51,030 --> 00:06:53,946 my inner protocol would be my IPv6 packet, 157 00:06:53,946 --> 00:06:56,905 and my outer or my delivery protocol would be 158 00:06:56,905 --> 00:06:58,842 IP version four, 159 00:06:58,842 --> 00:07:01,874 and GRE would stick its own special little header 160 00:07:01,874 --> 00:07:03,670 right in the middle. 161 00:07:03,670 --> 00:07:05,763 So this is what it would look like. 162 00:07:05,763 --> 00:07:06,887 So for example, 163 00:07:06,887 --> 00:07:11,136 if I was doing GRE in the example I showed you, 164 00:07:11,136 --> 00:07:15,731 then I would have in my IPv6 packet right here, 165 00:07:15,731 --> 00:07:19,134 with my IPv6 header and all that stuff, 166 00:07:19,134 --> 00:07:21,551 and then GRE adds this stuff. 167 00:07:23,604 --> 00:07:25,640 So GRE adds its own header, 168 00:07:25,640 --> 00:07:28,612 which is consisting of a protocol type, 169 00:07:28,612 --> 00:07:30,739 and the protocol type uses the exact same 170 00:07:30,739 --> 00:07:32,476 type values as Ethernet. 171 00:07:32,476 --> 00:07:33,665 So if you think about it okay, 172 00:07:33,665 --> 00:07:34,759 think about an Ethernet frame. 173 00:07:34,759 --> 00:07:37,161 If I send you an Ethernet frame and 174 00:07:37,161 --> 00:07:40,178 that Ethernet frame has IPv4 packet in it, 175 00:07:40,178 --> 00:07:43,196 and then right behind that I send you another Ethernet frame 176 00:07:43,196 --> 00:07:44,514 that has an IPv6 packet, 177 00:07:44,514 --> 00:07:45,912 at layer two, 178 00:07:45,912 --> 00:07:49,299 how's your NIC card gonna tell the difference? 179 00:07:49,299 --> 00:07:52,083 Well because in that Ethernet frame in the header, 180 00:07:52,083 --> 00:07:54,008 there's an EtherType fact value, 181 00:07:54,008 --> 00:07:55,023 it's called the type code. 
182 00:07:55,023 --> 00:07:56,696 And there's one type code that says, 183 00:07:56,696 --> 00:07:59,490 I'm an Ethernet frame carrying IP version four. 184 00:07:59,490 --> 00:08:01,209 There's another type code that says, 185 00:08:01,209 --> 00:08:03,930 I'm an Ethernet frame carrying IP version six. 186 00:08:03,930 --> 00:08:06,220 Well those numbers are the exact same numbers 187 00:08:06,220 --> 00:08:10,460 I used right here in the protocol type field. 188 00:08:10,460 --> 00:08:12,707 And then we have a version which is zero 189 00:08:12,707 --> 00:08:16,308 and then the flags which isn't really used for anything, 190 00:08:16,308 --> 00:08:18,112 and then GRE says, 191 00:08:18,112 --> 00:08:19,481 I don't care what the delivery protocol is 192 00:08:19,481 --> 00:08:22,797 but usually the delivery protocol is IP version four. 193 00:08:22,797 --> 00:08:24,840 So in the IP header, 194 00:08:24,840 --> 00:08:28,137 the protocol number well instead of six for TCP 195 00:08:28,137 --> 00:08:29,304 or 17 for UDP, 196 00:08:30,274 --> 00:08:33,735 you would actually see the protocol number 47. 197 00:08:33,735 --> 00:08:35,842 That means that behind this IP header, 198 00:08:35,842 --> 00:08:37,175 is a GRE header. 199 00:08:38,255 --> 00:08:39,925 So when you configure a tunnel interface, 200 00:08:39,925 --> 00:08:41,948 the defaulting encapsulation type 201 00:08:41,948 --> 00:08:43,393 if you don't specify anything else, 202 00:08:43,393 --> 00:08:44,908 will be this, 203 00:08:44,908 --> 00:08:46,158 it will be GRE. 204 00:08:47,109 --> 00:08:49,675 And configuring a tunnel interface is really simple. 205 00:08:49,675 --> 00:08:54,455 You just type interface tunnel and you give it a number. 206 00:08:54,455 --> 00:08:55,505 For example, 207 00:08:55,505 --> 00:08:56,743 when you create a loopback interface, 208 00:08:56,743 --> 00:08:57,921 does a number really matter? 209 00:08:57,921 --> 00:08:59,169 No. 
210 00:08:59,169 --> 00:09:01,545 Most people usually start with interface loopback zero 211 00:09:01,545 --> 00:09:03,454 or interface loopback one but hey, 212 00:09:03,454 --> 00:09:05,316 there's nothing stopping you from 213 00:09:05,316 --> 00:09:07,849 creating interface loopback 99. 214 00:09:07,849 --> 00:09:08,952 Same thing here. 215 00:09:08,952 --> 00:09:11,234 Might as well start with interface tunnel zero, 216 00:09:11,234 --> 00:09:13,348 but you can put any number after that that you want. 217 00:09:13,348 --> 00:09:14,380 And yes, 218 00:09:14,380 --> 00:09:16,646 just like you can have multiple loopback interfaces 219 00:09:16,646 --> 00:09:17,842 in a router, 220 00:09:17,842 --> 00:09:19,185 you could have multiple tunnel interfaces 221 00:09:19,185 --> 00:09:21,149 in a router as well. 222 00:09:21,149 --> 00:09:23,513 Now, the question you have to ask yourself is, 223 00:09:23,513 --> 00:09:27,680 what kind of data is gonna be in the payload of this tunnel? 224 00:09:29,173 --> 00:09:31,304 What is this tunnel gonna be carrying? 225 00:09:31,304 --> 00:09:32,361 In my example I said, 226 00:09:32,361 --> 00:09:35,583 Well, I'm gonna want IPv6 packets tunneled 227 00:09:35,583 --> 00:09:38,747 across an IP version four cloud. 228 00:09:38,747 --> 00:09:41,613 So, IPv6 is gonna be in the payload 229 00:09:41,613 --> 00:09:43,382 of what's being tunneled. 230 00:09:43,382 --> 00:09:45,279 So if it's IPv6, 231 00:09:45,279 --> 00:09:49,774 then I would need an IPv6 address on my tunnel interface. 232 00:09:49,774 --> 00:09:53,915 If I plan on taking IPv4 packets and tunneling them, 233 00:09:53,915 --> 00:09:56,629 then I would need IPv4 address. 234 00:09:56,629 --> 00:09:58,282 Here's a key thing to think about. 
235 00:09:58,282 --> 00:09:59,952 Remember this basic rule, 236 00:09:59,952 --> 00:10:01,552 that an interface, 237 00:10:01,552 --> 00:10:02,579 whether it be a logical interface 238 00:10:02,579 --> 00:10:04,653 like a loopback or a tunnel, 239 00:10:04,653 --> 00:10:08,156 or a physical interface like a fast Ethernet or a serial, 240 00:10:08,156 --> 00:10:11,690 an interface in order to carry some sort of protocol, 241 00:10:11,690 --> 00:10:13,023 like IPv4, IPv6, 242 00:10:14,745 --> 00:10:18,598 has to have an address for that protocol on itself. 243 00:10:18,598 --> 00:10:21,220 In other words if I create an interface tunnel 244 00:10:21,220 --> 00:10:23,747 and I don't enable it for IPv6, 245 00:10:23,747 --> 00:10:25,822 I don't put an IPv6 address on there, 246 00:10:25,822 --> 00:10:28,688 there is no way IPv6 packets will ever use 247 00:10:28,688 --> 00:10:32,804 that tunnel interface because it doesn't know what IPv6 is. 248 00:10:32,804 --> 00:10:36,971 Now the second step in creating my tunnel interface. 249 00:10:37,947 --> 00:10:41,662 So I'm gonna have my tunnel interface, 250 00:10:41,662 --> 00:10:44,662 and we know that some sort of data's 251 00:10:46,909 --> 00:10:47,953 going to be going across here, 252 00:10:47,953 --> 00:10:49,879 in my case it was IPv6, 253 00:10:49,879 --> 00:10:53,481 and we know that the tunnel itself in order to transport it, 254 00:10:53,481 --> 00:10:57,635 is gonna slap on there some sort of destination address 255 00:10:57,635 --> 00:11:00,302 and some sort of source address. 256 00:11:01,418 --> 00:11:05,703 Now my particular case is gonna be a source IPv4 address, 257 00:11:05,703 --> 00:11:08,167 and a destination IPv4 address. 
258 00:11:08,167 --> 00:11:09,873 So there's gonna be some router here, 259 00:11:09,873 --> 00:11:12,149 we'll just say router A, 260 00:11:12,149 --> 00:11:14,584 some router here which is router B, 261 00:11:14,584 --> 00:11:15,684 and some routers in the middle 262 00:11:15,684 --> 00:11:18,506 which are just carrying this packet. 263 00:11:18,506 --> 00:11:22,154 So the source IP address is gonna have to be 264 00:11:22,154 --> 00:11:26,517 some IP address on router A because he's sourcing a tunnel. 265 00:11:26,517 --> 00:11:29,657 The destination IP address is gonna have to be 266 00:11:29,657 --> 00:11:32,355 some IP address on router B, 267 00:11:32,355 --> 00:11:35,102 because that's where tunnel destination is, 268 00:11:35,102 --> 00:11:36,098 that's where it's ending. 269 00:11:36,098 --> 00:11:40,461 So the commands we actually use for that are tunnel source, 270 00:11:40,461 --> 00:11:42,367 and you can either reference an IP address 271 00:11:42,367 --> 00:11:44,336 on your router itself, 272 00:11:44,336 --> 00:11:45,937 or you can reference an interface, 273 00:11:45,937 --> 00:11:49,343 say okay on my router all these packets are gonna be leaving 274 00:11:49,343 --> 00:11:51,115 fast Ethernet zero zero, 275 00:11:51,115 --> 00:11:53,341 so why don't I just borrow the IP address of 276 00:11:53,341 --> 00:11:55,766 fast Ethernet zero zero as my tunnel source, 277 00:11:55,766 --> 00:11:57,023 so you can do that, 278 00:11:57,023 --> 00:11:59,726 tunnel source, interface, fast Ethernet zero zero. 279 00:11:59,726 --> 00:12:02,808 And then you're gonna use the tunnel destination command, 280 00:12:02,808 --> 00:12:05,772 which gives the IP address of the destination. 
281 00:12:05,772 --> 00:12:07,709 So let's do a real example of this, 282 00:12:07,709 --> 00:12:11,297 so this topology I actually already have set up, 283 00:12:11,297 --> 00:12:13,651 I've already pre-configured everything, 284 00:12:13,651 --> 00:12:17,818 and my objective here is I want router one to be able to 285 00:12:19,423 --> 00:12:22,256 IPv6 ping this address right here. 286 00:12:23,277 --> 00:12:24,194 Problem is, 287 00:12:25,172 --> 00:12:28,007 I don't have any IPv6 in the middle, 288 00:12:28,007 --> 00:12:30,551 so I need to create a tunnel between 289 00:12:30,551 --> 00:12:32,718 router one and router two. 290 00:12:35,727 --> 00:12:37,253 So on router one, 291 00:12:37,253 --> 00:12:40,253 I'm gonna create an interface tunnel 292 00:12:43,197 --> 00:12:46,864 and I'll just give it interface tunnel zero, 293 00:12:49,568 --> 00:12:54,040 and now if I want this tunnel to carry IPv6 traffic, 294 00:12:54,040 --> 00:12:55,680 it has to understand IPv6, 295 00:12:55,680 --> 00:12:57,312 so I have a choice. 296 00:12:57,312 --> 00:13:00,105 I could come up with a completely different IPv6 address 297 00:13:00,105 --> 00:13:01,539 and put it on the tunnel, 298 00:13:01,539 --> 00:13:04,427 but one thing nice about IPv6, 299 00:13:04,427 --> 00:13:06,106 I can just enable IPv6, 300 00:13:06,106 --> 00:13:08,106 I could say IPv6 enable, 301 00:13:10,460 --> 00:13:14,627 and that will create a link-local address on my tunnel 302 00:13:16,106 --> 00:13:17,523 an FE80 address. 303 00:13:19,304 --> 00:13:22,637 And then I'm gonna have a tunnel source, 304 00:13:23,487 --> 00:13:27,288 let me expand this a little bit here, 305 00:13:27,288 --> 00:13:28,455 tunnel source, 306 00:13:29,545 --> 00:13:33,712 and I'm just gonna point to fast Ethernet zero zero. 
307 00:13:35,644 --> 00:13:37,074 In other words I'm gonna be telling router one 308 00:13:37,074 --> 00:13:39,574 okay, when you take your IPv6 packets 309 00:13:39,574 --> 00:13:42,636 and you apply a GRE header, 310 00:13:42,636 --> 00:13:45,992 and then in front of the GRE header you add an IP header, 311 00:13:45,992 --> 00:13:48,930 I want the source address to be one one one one, 312 00:13:48,930 --> 00:13:50,976 what we see right here. 313 00:13:50,976 --> 00:13:55,143 And then I'm gonna have a tunnel destination of router two. 314 00:13:58,100 --> 00:14:02,267 Tunnel destination is going to be two two two two. 315 00:14:05,798 --> 00:14:07,129 So just those three commands, 316 00:14:07,129 --> 00:14:08,837 actually those four commands, 317 00:14:08,837 --> 00:14:09,923 creating the tunnel in the first place, 318 00:14:09,923 --> 00:14:12,340 enabling the tunnel for IPv6, 319 00:14:13,743 --> 00:14:16,250 saying my source is fast Ethernet zero zero, 320 00:14:16,250 --> 00:14:18,138 my destination is two two two two, 321 00:14:18,138 --> 00:14:20,147 and then there's one other thing I have to do. 322 00:14:20,147 --> 00:14:24,426 If I want to be able to ping this IPv6 network, 323 00:14:24,426 --> 00:14:26,311 R one has to learn about it. 324 00:14:26,311 --> 00:14:27,977 So across the tunnel, 325 00:14:27,977 --> 00:14:31,560 I'm actually gonna be running EIGRP for V6. 326 00:14:36,711 --> 00:14:39,129 I will actually form an EIGRP relationship 327 00:14:39,129 --> 00:14:41,980 between router one and router two across this tunnel. 328 00:14:41,980 --> 00:14:44,563 So I'll enable EIGRPv6 on here, 329 00:14:45,449 --> 00:14:47,222 and then I'm gonna replicate that same thing 330 00:14:47,222 --> 00:14:49,709 but in reverse on router two. 
331 00:14:49,709 --> 00:14:51,515 I'll create a tunnel interface on router two, 332 00:14:51,515 --> 00:14:54,353 I will also say IPv6 enable, 333 00:14:54,353 --> 00:14:58,649 I'll say tunnel source will be his fast Ethernet zero one, 334 00:14:58,649 --> 00:15:02,026 so that he uses two two two two as the source IP address, 335 00:15:02,026 --> 00:15:05,406 tunnel destination will be one one one one, 336 00:15:05,406 --> 00:15:09,573 and then I'll enable IPv6 EIGRP on his tunnel interface. 337 00:15:11,005 --> 00:15:13,301 So let me go ahead and build that and 338 00:15:13,301 --> 00:15:15,301 show you how that works. 339 00:15:19,277 --> 00:15:23,444 Okay, so let's start by taking a look at router one. 340 00:15:24,877 --> 00:15:28,044 Let's look at my configuration so far. 341 00:15:29,825 --> 00:15:31,242 So on router one, 342 00:15:32,608 --> 00:15:36,775 I have my loopback address and I'm gonna want EIGRP for IPv6 343 00:15:39,005 --> 00:15:42,508 to advertise that loopback once my tunnel is built. 344 00:15:42,508 --> 00:15:45,283 I have not created any tunnel yet. 345 00:15:45,283 --> 00:15:47,045 And then here's the physical interface that's gonna be 346 00:15:47,045 --> 00:15:48,712 carrying that tunnel traffic, 347 00:15:48,712 --> 00:15:50,686 fast Ethernet zero zero. 348 00:15:50,686 --> 00:15:54,282 So let's go ahead and build the tunnel on this side. 349 00:15:54,282 --> 00:15:55,699 Interface tunnel, 350 00:15:56,781 --> 00:15:58,273 and you can see here I've got a 351 00:15:58,273 --> 00:15:59,350 wide range of numbers I could choose from, 352 00:15:59,350 --> 00:16:03,350 I'm just gonna start with interface tunnel zero. 353 00:16:04,721 --> 00:16:07,142 Now, let's just stop right there. 354 00:16:07,142 --> 00:16:08,678 No other configuration. 355 00:16:08,678 --> 00:16:10,928 Show interface tunnel zero. 
356 00:16:15,769 --> 00:16:17,919 So right now it's down because 357 00:16:17,919 --> 00:16:19,680 I haven't given it the necessary information, 358 00:16:19,680 --> 00:16:21,650 I haven't told what the source is yet, 359 00:16:21,650 --> 00:16:23,647 I haven't told what the destination is yet, 360 00:16:23,647 --> 00:16:24,696 but look at this. 361 00:16:24,696 --> 00:16:26,613 Tunnel protocol is GRE. 362 00:16:28,226 --> 00:16:30,652 Transport method is IP. 363 00:16:30,652 --> 00:16:32,246 So this is saying by default, 364 00:16:32,246 --> 00:16:34,416 it's gonna use IP version four 365 00:16:34,416 --> 00:16:35,684 as the source and destination, 366 00:16:35,684 --> 00:16:38,147 I just haven't told it what addresses to use yet, 367 00:16:38,147 --> 00:16:41,065 and then behind the IP version four header, 368 00:16:41,065 --> 00:16:45,232 it's gonna create that additional GRE header as well. 369 00:16:46,114 --> 00:16:47,748 So let's finish out my configuration of that 370 00:16:47,748 --> 00:16:49,581 interface tunnel zero, 371 00:16:51,824 --> 00:16:53,918 so I'll say tunnel source and 372 00:16:53,918 --> 00:16:57,118 according to my picture right here, 373 00:16:57,118 --> 00:16:59,903 I want the tunnel source to be fast Ethernet zero zero, 374 00:16:59,903 --> 00:17:01,483 I want you to borrow that IP address 375 00:17:01,483 --> 00:17:03,650 as your source IP address. 376 00:17:07,384 --> 00:17:09,382 Tunnel destination, 377 00:17:09,382 --> 00:17:10,977 this destination of your packets is gonna be 378 00:17:10,977 --> 00:17:13,310 two dot two dot two dot two, 379 00:17:18,753 --> 00:17:21,225 and now that I've given it a source and destination, 380 00:17:21,225 --> 00:17:22,848 the tunnel came up. 381 00:17:22,848 --> 00:17:24,481 Now it's not fully up yet because 382 00:17:24,481 --> 00:17:27,769 I haven't configured the other side. 
383 00:17:27,769 --> 00:17:31,318 Now if I want IPv6 to go across that I have to enable IPv6, 384 00:17:31,318 --> 00:17:33,092 I could give it an IPv6 address, 385 00:17:33,092 --> 00:17:36,009 but I'm just gonna say IPv6 enable, 386 00:17:37,517 --> 00:17:40,206 because if I want EIGRP running across this tunnel remember, 387 00:17:40,206 --> 00:17:44,785 your IPv6 routing protocols like EIGRP and OSPF, 388 00:17:44,785 --> 00:17:46,474 they form neighbor relationships 389 00:17:46,474 --> 00:17:48,857 with their link-local addresses. 390 00:17:48,857 --> 00:17:52,104 I don't even need a global address to form a 391 00:17:52,104 --> 00:17:54,156 neighbor relationship between two routers 392 00:17:54,156 --> 00:17:57,719 running an EIGRP or OSPF for IPv6. 393 00:17:57,719 --> 00:18:00,217 So I'm just gonna enable that and then, 394 00:18:00,217 --> 00:18:02,550 I'm gonna enable IPv6 EIGRP. 395 00:18:06,477 --> 00:18:08,387 So before I complete the tunnel 396 00:18:08,387 --> 00:18:10,185 on the other side on router two, 397 00:18:10,185 --> 00:18:13,185 let's look at what I've done so far. 
398 00:18:16,532 --> 00:18:18,122 Okay so I've got my loopback here, 399 00:18:18,122 --> 00:18:22,136 I've already got that included in my EIGRP process, 400 00:18:22,136 --> 00:18:24,953 now I've created my tunnel interface, 401 00:18:24,953 --> 00:18:29,120 I said I'm allowing you to have IPv6 run across this tunnel, 402 00:18:30,456 --> 00:18:33,084 I'm allowing you to have EIGRP run across the tunnel, 403 00:18:33,084 --> 00:18:35,392 so whoever's at the other end of the tunnel, 404 00:18:35,392 --> 00:18:38,187 if they're also participating in EIGRP 405 00:18:38,187 --> 00:18:39,731 autonomous-system 100, 406 00:18:39,731 --> 00:18:41,824 you can talk to them, 407 00:18:41,824 --> 00:18:44,253 and then I have my tunnel source as being the fast Ethernet 408 00:18:44,253 --> 00:18:46,456 and the tunnel destination being R two 409 00:18:46,456 --> 00:18:48,373 over on the other side. 410 00:18:49,331 --> 00:18:53,498 So, let's go ahead and I'm just gonna copy all that, 411 00:18:55,652 --> 00:19:00,450 and I'm gonna go over to R two on the other side. 412 00:19:00,450 --> 00:19:01,620 I'm gonna paste it in and 413 00:19:01,620 --> 00:19:04,620 just make a couple of minor changes. 414 00:19:06,986 --> 00:19:08,659 Okay so number one. 415 00:19:08,659 --> 00:19:12,125 Tunnel destination's not going to be two two two two, 416 00:19:12,125 --> 00:19:15,150 so now my tunnel destination is gonna be pointing back to 417 00:19:15,150 --> 00:19:16,483 one one one one, 418 00:19:20,687 --> 00:19:23,288 and my tunnel source is not gonna be 419 00:19:23,288 --> 00:19:25,288 fast Ethernet zero zero, 420 00:19:26,838 --> 00:19:31,005 my tunnel source is gonna be fast Ethernet zero slash one. 421 00:19:39,482 --> 00:19:40,923 And there we go look at that. 422 00:19:40,923 --> 00:19:42,557 Not only did the tunnel come up, 423 00:19:42,557 --> 00:19:45,823 but my EIGRP neighbor relationship across that tunnel 424 00:19:45,823 --> 00:19:47,567 immediately came up as well. 
425 00:19:47,567 --> 00:19:49,650 Show IPv6 EIGRP neighbor, 426 00:19:54,183 --> 00:19:55,922 and we can see that I have formed a neighbor 427 00:19:55,922 --> 00:19:58,765 across my tunnel interface. 428 00:19:58,765 --> 00:20:00,328 How do I know it actually worked? 429 00:20:00,328 --> 00:20:01,661 Show IPv6 route, 430 00:20:04,036 --> 00:20:07,988 and we can see that I learned of the loopback interface of 431 00:20:07,988 --> 00:20:10,488 router one across that tunnel, 432 00:20:12,062 --> 00:20:13,971 the tunnel interface is the next hop, 433 00:20:13,971 --> 00:20:15,470 and now I can ping it. 434 00:20:15,470 --> 00:20:19,025 From router two I can ping the IPv6, 435 00:20:19,025 --> 00:20:22,792 the loopback interface of router one, 436 00:20:22,792 --> 00:20:27,459 and that's because it's going across the tunnel. 437 00:20:27,459 --> 00:20:29,626 If I do a debug IP packet, 438 00:20:31,858 --> 00:20:34,108 and then do that same ping, 439 00:20:39,258 --> 00:20:42,258 let's turn off the debug packet now. 440 00:20:48,323 --> 00:20:51,285 Okay, so here was my IPv6 ping, 441 00:20:51,285 --> 00:20:53,118 and notice it created, 442 00:20:53,996 --> 00:20:58,256 so this is OSPF because actually I have OSPF 443 00:20:58,256 --> 00:20:59,923 running across IPv4, 444 00:21:01,094 --> 00:21:03,071 that's how router one even knew how to 445 00:21:03,071 --> 00:21:04,903 get to two two two two, 446 00:21:04,903 --> 00:21:06,413 and that's how router two even knew how to 447 00:21:06,413 --> 00:21:07,436 get to one one one one, 448 00:21:07,436 --> 00:21:10,453 if I did not have reachability of my tunnel endpoints, 449 00:21:10,453 --> 00:21:11,655 it would be pointless, 450 00:21:11,655 --> 00:21:14,190 so I had to have some sort of routing protocol running 451 00:21:14,190 --> 00:21:17,207 between all four devices so my tunnel endpoints 452 00:21:17,207 --> 00:21:19,457 could actually reach each other, 453 00:21:20,324 --> 00:21:21,512 but here we see. 
454 00:21:21,512 --> 00:21:25,679 Here is my IPv6 packet is actually inside of that, 455 00:21:28,141 --> 00:21:31,102 and actually I think we could do even more if I do, 456 00:21:31,102 --> 00:21:32,269 let's do this, 457 00:21:33,501 --> 00:21:37,668 debug IP packet detail and then do the ping again, 458 00:21:41,293 --> 00:21:42,315 ugh. 459 00:21:42,315 --> 00:21:44,232 Debug IP packet detail, 460 00:21:49,475 --> 00:21:52,491 come on, where is that ping? 461 00:21:52,491 --> 00:21:53,491 There we go. 462 00:21:58,201 --> 00:21:59,368 So right here. 463 00:22:01,258 --> 00:22:03,341 Come on stop, stop, stop! 464 00:22:05,326 --> 00:22:06,318 Un all, 465 00:22:06,318 --> 00:22:07,151 okay. 466 00:22:08,796 --> 00:22:11,112 So this is what I'm looking for. 467 00:22:11,112 --> 00:22:12,925 Now we can actually see the protocol field, 468 00:22:12,925 --> 00:22:14,971 notice protocol 47. 469 00:22:14,971 --> 00:22:18,308 That is the protocol that's reserved for GRE. 470 00:22:18,308 --> 00:22:19,338 So this is me, 471 00:22:19,338 --> 00:22:23,364 router two sending an IP version four packet to router one, 472 00:22:23,364 --> 00:22:25,738 but the protocol is 47. 473 00:22:25,738 --> 00:22:26,949 So when router one gets that, 474 00:22:26,949 --> 00:22:27,966 he'll say, 475 00:22:27,966 --> 00:22:28,980 Oh, 47, 476 00:22:28,980 --> 00:22:31,060 I need to redirect that to my tunnel interface 477 00:22:31,060 --> 00:22:34,050 because that's the one that's actually doing GRE. 478 00:22:34,050 --> 00:22:36,167 And then the tunnel interface will strip off this 479 00:22:36,167 --> 00:22:37,845 IP version four header, 480 00:22:37,845 --> 00:22:40,323 revealing the IPv6 inside, 481 00:22:40,323 --> 00:22:43,823 and that's why my IPv6 ping is successful, 482 00:22:45,659 --> 00:22:48,127 which is way up here. 483 00:22:48,127 --> 00:22:51,227 That shows my successful IPv6 ping. 
484 00:22:51,227 --> 00:22:54,189 So that concludes this discussion of 485 00:22:54,189 --> 00:22:56,189 configuring GRE tunnels. 486 00:22:57,401 --> 00:23:00,151 (dramatic music)