How are GRE VPNs working with the same private address?

Discussion in 'Routing & Switching' started by shileibu@163.com, Jun 16, 2006.

  1. shileibu@163.com

    shileibu@163.com New Member

    My topology is:
    CE11 and CE21 connect to PE1, and the remote PE2 connects two CEs, CE12 and CE22. CE11 and CE12 construct a VPN, and CE21 and CE22 construct another VPN. Suppose the two VPNs use the same IP address 192.168.12.0.
    Each VPN has a GRE tunnel between PE1 and PE2.
    How can an IP packet be correctly routed from one CE to another CE?
    I heard VRF can achieve this, but how can I configure the router?
    I have 4 Cisco 36 as CEs, and 2 Cisco 72 as PEs in my lab.
    Thanks!
     
    Certifications: Computer Science bachelor
    WIP: Computer Science master
  2. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    Hi,

    I can't answer your query, but could you answer mine?

    What is a GRE VPN? Obviously I'm familiar with a VPN, but a GRE VPN?

    Also some of your abbreviations, such as CE11 and PE1, could you explain them further as they are terms I'm not familiar with. :oops:
     
  3. The_Geek

    The_Geek Megabyte Poster

    GRE is a protocol used for some VPNs to work correctly.

    Linky
     
    Certifications: CompTIA and Micro$oft
    WIP: PDI+
  4. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Wow! What a first post! Welcome aboard. Someone should be along who can answer your question; I wish I could :tune
     
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  5. shileibu@163.com

    shileibu@163.com New Member

    PE means provider edge, CE customer edge.
    Traditionally, constructing a VPN with a GRE tunnel is always configured at the CE, but that is more complex for VPN users. Now I want to configure the GRE tunnel between PEs, because the PE is always provided by the NP (network provider). So it is easier for VPN users to construct a VPN for their company.
    Of course, MPLS is a good idea for constructing a VPN, but not all NPs could provide an MPLS network. IPsec is better for me, but my routers cannot support encryption.
    So I select GRE.
     
    Certifications: Computer Science bachelor
    WIP: Computer Science master
  6. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    GREs are very handy. A GRE tunnel encapsulates a protocol within ip, allowing it to be transported across an ip network (usually the internet). GRE is handy because it can be used to pass all sorts of traffic, for example multicast, ipx/spx, appletalk, pretty much any protocol.

    IPSec tunnels won't pass multicast, for example, and so you can't link two sites by an ipsec vpn and pass routing updates. But a GRE tunnel can encapsulate all kinds of traffic, enabling you to pass routing information between sites through the Internet.

    GRE is not VPN, GRE is not encrypted or authenticated. The gre packets can be intercepted, copied, spoofed, anything. GRE by itself is wide open. However, when you combine GRE with IPSec you get a secure VPN that can pass traffic (such as multicast, ipx, etc) that an IPSec vpn by itself cannot.

    I use GRE/IPSec tunnels all the time, they are a very handy tool for connecting sites.

    Regarding the original question, the gre tunnels should be between ce11 to ce12 and ce21 to ce22, not between pe1 and pe2. I'm assuming that pe1 and pe2 are the isp/internet in your test setup. Also, why use the same private address space for both tunnels? If ce11/ce12 and ce21/ce22 do not directly connect, it is fine, but if they are connected it will cause problems. I am assuming that all the ce's use a different network. But by setting up the routing protocols correctly you can get a very nice setup. If you have more information I can give better help.

    Are ce11/12/21/22 all set up as a private, internal lan, connecting to another private, internal lan via the pe's, using a tunnel? If so, are they using different internal lan networks, or are you going to nat the addresses? I assume pe1 and pe2 are just carrying the traffic, just as an isp would.

    Spice Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
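
Added example (not part of the original thread or any poster's configuration): a small Python parser for the GRE header that illustrates two points raised above. The inner packet and the GRE key travel in cleartext with nothing authenticating them, and identical inner 192.168.12.x addresses can only be told apart by a per-tunnel label that the PE maps to a VRF. The key values 101/102, the `KEY_TO_VRF` mapping and the host addresses are assumptions made for illustration; the thread does not say how the two tunnels are distinguished.

```python
import struct
from ipaddress import IPv4Address

# Assumption (not from the thread): each tunnel carries a distinct GRE key
# and the receiving PE maps that key to a per-customer VRF.
KEY_TO_VRF = {101: "VPN1", 102: "VPN2"}

def ipv4(src, dst, payload=b""):
    """Constructed minimal IPv4 header (no options, checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       17, 0, IPv4Address(src).packed,
                       IPv4Address(dst).packed) + payload

def gre(key, inner):
    """GRE header with only the K bit set (RFC 2890), carrying IPv4."""
    return struct.pack("!HHI", 0x2000, 0x0800, key) + inner

def parse_gre(data):
    """Return (protocol, key or None, inner bytes) for a version-0 GRE packet."""
    flags, proto = struct.unpack_from("!HH", data)
    if flags & 0x0007:
        raise ValueError("not GRE version 0")
    off = 4
    if flags & 0x8000:            # C bit: checksum + reserved field present
        off += 4
    key = None
    if flags & 0x2000:            # K bit: 32-bit key present
        (key,) = struct.unpack_from("!I", data, off)
        off += 4
    if flags & 0x1000:            # S bit: sequence number present
        off += 4
    return proto, key, data[off:]

def classify(gre_packet):
    """What a PE, or anyone on the path, can read: VRF label and inner addresses."""
    proto, key, inner = parse_gre(gre_packet)
    if proto != 0x0800 or len(inner) < 20:
        raise ValueError("inner packet is not IPv4")
    src, dst = struct.unpack_from("!4s4s", inner, 12)
    return KEY_TO_VRF.get(key), str(IPv4Address(src)), str(IPv4Address(dst))

# Constructed sample: identical inner addresses in both customers' tunnels.
inner = ipv4("192.168.12.10", "192.168.12.20", b"hello")
pkt_vpn1, pkt_vpn2 = gre(101, inner), gre(102, inner)

if __name__ == "__main__":
    print(classify(pkt_vpn1))  # VRF chosen by key, addresses read in the clear
    print(classify(pkt_vpn2))
```

The key is only a demultiplexing label, not a secret: the parser needs no key material to read it or the inner addresses, which is why the thread pairs GRE with IPSec when confidentiality or authentication is required.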
  7. shileibu@163.com

    shileibu@163.com New Member

    Thanks for your help!
    Yes, the PEs belong to the ISP.
    ce11/ce12 belong to VPN1 and use private IP addresses inside the VPN.
    ce21/22 belong to VPN2 and use IP addresses inside the VPN.
    Addresses in these 2 VPNs may overlap, for example both 192.168.0.0 255.255.0.0.
    Packets from VPN1 ce11 should arrive at VPN ce12 correctly, and likewise for VPN2.

    I don't want to use NAT, because some paper said a VRF table can solve the address overlap problem.

    If tunnels are built between CEs, it may be more complex for companies, so I want to build tunnels between PEs. The ISP provides the VPN tunnel build.
     
    Certifications: Computer Science bachelor
    WIP: Computer Science master
  8. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    I can outline the configs, but I need a bit more info.

    - What are the internal LAN networks of ce11,12,21,22? I assume from your post that they are using the same private network.

    - ce11 connects to ce12, and ce21 to ce22. But does ce11 or ce12 connect to ce21 or ce22?

    - Does the vpn need to support multicast?

    - Will MPLS be used?

    From your post I gather you want most of the config on the pe routers. However, keep in mind that it can be useful to have the config based on the customer equipment, as that way they are independent of the isp.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
