Common questions about CCNP and CCIE exams: Detailed explanation of GRE virtual private network
An IPsec virtual private network provides secure IP communication between two endpoints, but it can only encrypt and carry unicast data; it cannot encrypt and transmit multicast traffic such as voice, video, and dynamic routing protocol updates. Generic Routing Encapsulation (GRE) provides a mechanism for encapsulating packets of one protocol inside packets of another protocol; it is a tunnel encapsulation technology. GRE can encapsulate multicast data and can be used together with IPsec to secure multicast services such as voice and video.
GRE can encapsulate packets of network layer protocols such as IPX so that these encapsulated packets can be transmitted over another network layer protocol. GRE is a Layer 3 VPN tunneling protocol, that is, tunneling is performed between network layer protocols.
GRE itself provides no encryption, so traffic carried in a GRE tunnel is sent in cleartext. Combining IPsec with GRE, you first establish a GRE tunnel to encapsulate the packets and then establish an IPsec tunnel to encrypt them, ensuring the integrity and confidentiality of the transmitted packets.
When GRE encapsulates a packet, the packet before encapsulation is called the payload, and its protocol is called the passenger protocol. GRE then adds the GRE header; GRE is the encapsulation protocol, also called the carrier protocol. The protocol used to forward the encapsulated packets is called the transport protocol.
The process of GRE encapsulating and de-encapsulating packets is as follows:
① After receiving a packet on the interface connected to the private network, the device checks the destination IP address field in the packet header and looks up the outgoing interface in the routing table. If the outgoing interface is a tunnel interface, the packet is handed to the tunnel module for processing.
② After receiving the packet, the tunnel module first encapsulates it according to the passenger protocol type and the checksum parameter configured on the GRE tunnel, that is, it adds the GRE header.
③ The device adds a transport protocol header, that is, an IP header. The source address of this IP header is the tunnel source address, and the destination address is the tunnel destination address.
④ Based on the destination address in the newly added IP header, the device looks up the corresponding outgoing interface in the routing table and sends the packet. The encapsulated packet is then transmitted across the public network.
⑤ After receiving the packet on the interface connected to the public network, the receiving device first parses the IP header. If the value of the Protocol field is 47, the packet is GRE, so the device hands it to the GRE module for processing.
GRE’s Keepalive detection mechanism:
The keepalive detection function is used to detect whether the tunnel link is alive, that is, whether the peer end of the tunnel is reachable. If the peer is unreachable, the tunnel connection is closed promptly to avoid creating a data black hole. After keepalive detection is enabled, the local end of the GRE tunnel periodically sends keepalive packets to the peer. If the peer is reachable, the local end receives a response from it; if the peer is unreachable, no response arrives.
After keepalive detection is enabled, the GRE tunnel creates a counter and periodically sends keepalive packets. If the source receives a reply before the counter reaches the preset value, the peer is reachable; otherwise it is considered unreachable, and the tunnel connection at the source is closed.
GRE’s security options:
To improve the security of a GRE tunnel, GRE also lets the user configure an identification keyword (key) on the tunnel interface and perform end-to-end verification of the tunnel-encapsulated packets.
Key verification is verification of the tunnel interface; this mechanism prevents the erroneous acceptance of packets from other devices. If the Key Present flag (K bit) in the GRE header is set to 1, the sender and receiver verify the tunnel identification keys. The verification passes only when the keys configured at both ends of the tunnel are identical; otherwise the packet is discarded.
If the Checksum Present flag (C bit) in the GRE header is set to 1, the checksum field is valid. The sender computes the checksum over the GRE header and the payload and sends the packet containing it to the peer. The receiver computes the checksum of the received packet and compares it with the checksum carried in the packet; if they match, the packet is processed further, otherwise it is discarded.
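The encapsulation steps (②, ③, ⑤) and the key and checksum verification described above, as an added Python example that is not part of the original article and not any vendor's implementation: the sender prepends a GRE header (RFC 2784/2890 layout, with optional Key and Checksum fields) and an outer IPv4 header with Protocol 47; the receiver checks Protocol 47, recomputes the checksum, compares the key and discards on mismatch. The tunnel addresses and key value used in the test are constructed sample values.

```python
import ipaddress, struct

GRE_PROTO, ETH_IPV4 = 47, 0x0800   # outer IP Protocol value for GRE; passenger type for IPv4
C_FLAG, K_FLAG = 0x8000, 0x2000    # GRE "Checksum Present" (C) and "Key Present" (K) bits

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement checksum (RFC 1071), shared by the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encapsulate(payload: bytes, key=None, checksum=False, proto=ETH_IPV4) -> bytes:
    """Step 2: prepend the GRE (carrier protocol) header to the passenger packet."""
    flags = (C_FLAG if checksum else 0) | (K_FLAG if key is not None else 0)
    hdr = struct.pack("!HH", flags, proto)
    if checksum:
        hdr += struct.pack("!HH", 0, 0)              # checksum placeholder + Reserved1
    if key is not None:
        hdr += struct.pack("!I", key)
    if checksum:                                     # checksum covers GRE header and payload
        hdr = hdr[:4] + struct.pack("!H", ones_complement_sum(hdr + payload)) + hdr[6:]
    return hdr + payload

def ip_encapsulate(gre_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Step 3: prepend the transport protocol header (outer IPv4 with Protocol = 47)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre_packet), 0, 0, 64, GRE_PROTO, 0,
                      ipaddress.ip_address(tunnel_src).packed, ipaddress.ip_address(tunnel_dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + gre_packet

def gre_decapsulate(ip_packet: bytes, local_key=None):
    """Step 5: check Protocol = 47, verify checksum and key, return (passenger proto, payload)."""
    if ip_packet[9] != GRE_PROTO:
        raise ValueError("outer Protocol field is not 47: not GRE")
    gre = ip_packet[(ip_packet[0] & 0x0F) * 4:]      # skip outer IPv4 header (IHL * 4 bytes)
    flags, proto = struct.unpack("!HH", gre[:4])
    off = 4
    if flags & C_FLAG:
        if ones_complement_sum(gre[:4] + b"\x00\x00" + gre[6:]) != struct.unpack("!H", gre[4:6])[0]:
            raise ValueError("GRE checksum mismatch: packet discarded")
        off += 4
    if flags & K_FLAG:
        if struct.unpack("!I", gre[off:off + 4])[0] != local_key:
            raise ValueError("GRE key mismatch: packet discarded")
        off += 4
    elif local_key is not None:
        raise ValueError("key expected but absent: packet discarded")
    return proto, gre[off:]
```

The two discard paths (checksum and key mismatch) are the ones a receiving tunnel endpoint takes for corrupted or foreign GRE packets; in production, a rejected packet is a useful counter to monitor.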
This article is exclusively published by James from IELAB.NETWORK and cannot be reproduced without permission.