GRE Tunnel IP Source and Destination VRF Membership

Feature history for GRE tunnel IP source and destination VRF membership

This table provides release and related information for the features explained in this module.

These features are available in all the releases subsequent to the one they were introduced in, unless noted otherwise.

Release

Feature Name and Description

Supported Platform

Cisco IOS XE 17.18.1

Generic Routing Encapsulation(GRE) Tunnel IP Source and Destination VRF Membership: GRE Tunnel IP Source and Destination VRF Membership feature allows you to configure the source and destination of a tunnel to belong to any VPN VRF table.

Cisco C9350 Series Smart Switches

Cisco C9610 Series Smart Switches

GRE tunnel IP source and destination VRF memberships

A GRE tunnel IP source and destination VRF membership is a tunneling feature that

  • allows the source and destination of a GRE tunnel to be assigned to any Virtual Routing and Forwarding (VRF) table,

  • associates the VPN membership of a customer site with specific VRF instances, and

  • enforces that the tunnel becomes disabled if there is no route to its destination.

A VRF (Virtual Routing and Forwarding) table is a virtualized routing table that stores and maintains separate IP route information for each VPN, defining the VPN membership of each user site attached to a network access server. Each VRF table contains a unique IP routing table, a corresponding Cisco Express Forwarding (CEF) table, and relevant protocol parameters.

Previously, GRE IP tunnels required the destination to be in the global routing table. This feature allows more flexible tunnel topology by enabling both source and destination to reside within any VRF, supporting complex VPN deployments.

Restrictions for GRE Tunnel IP Source and Destination VRF Membership

This topic provides information to recognize unsupported GRE tunnel configurations tied to VRF membership.

  • Both ends of the tunnel must reside within the same VRF.

  • The VRF associated with the tunnel vrf command is the same as the VRF associated with the physical interface over which the tunnel sends packets (outer IP packet routing).

  • The VRF associated with the tunnel by using the ip vrf forwarding command is the VRF that the packets are to be forwarded in as the packets exit the tunnel (inner IP packet routing).

  • The feature does not support the fragmentation of multicast packets passing through a multicast tunnel.

  • The feature does not support the ISIS (Intermediate System to intermediate system) protocol.

  • Keepalive is not supported on VRF aware GRE tunnels.

  • The following restrictions are applicable on the Cisco C9350 Series Smart Switches:

    IPv6 ICMP response packets are not supported over IPv4 GRE tunnels.

  • The following restrictions are applicable on the Cisco C9610 Series Smart Switches:

    • Each interface must be configured with a unique combination of tunnel source and destination.

    • Only 16 unique tunnel sources are supported.

    • BFD is not supported on GRE tunnels.

    • GRE tunnels cannot be part of a routing protocol if it is formed over a Layer 3 VLAN Switch Virtual Interface (SVI).

Configure GRE tunnel IP source and destination VRF membership

Configure a GRE tunnel with source and destination interfaces associated with specific VRF instances on a Cisco device.

Use this task to enable GRE tunnels where both source and destination may belong to different VRF routing domains.

Follow these steps to configure GRE Tunnel IP Source and Destination VRF Membership:

Procedure

Step 1

enable

Example:

Device>enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device#configure terminal

Enters global configuration mode.

Step 3

interface tunnel number

Example:

Device(config)#interface tunnel 0

Enters interface configuration mode for the specified interface.

  • number is the number associated with the tunnel interface.

Step 4

ip vrf forwarding vrf-name

Example:

Device(config-if)#ip vrf forwarding green

Associates a virtual private network (VPN) routing and forwarding (VRF) instance with an interface or subinterface.

  • vrf-name is the name assigned to a VRF.

Step 5

ip address ip-address subnet-mask

Example:

Device(config-if)#ip address 10.7.7.7 255.255.255.255

Specifies the interface IP address and subnet mask.

  • ip-address specifies the IP address of the interface.

  • subnet-mask specifies the subnet mask of the interface.

Step 6

tunnel source { ip-address | type number }

Example:

Device(config-if)#tunnel source loop 0

Specifies the source of the tunnel interface.

  • ip-address specifies the IP address to use as the source address for packets in the tunnel.

  • type specifies the interface type (for example, serial).

  • number specifies the port, connector, or interface card number. The numbers are assigned at the factory at the time of installation or when added to a system, and can be displayed using the show interfaces command.

Step 7

tunnel destination { hostname | ip-address }

Example:

Device(config-if)#tunnel destination 10.5.5.5

Defines the tunnel destination.

  • hostname specifies the name of the host destination.

  • ip-address specifies the IP address of the host destination.

Step 8

tunnel vrf vrf-name

Example:

Device(config-if)#tunnel vrf finance1

Associates a VPN routing and forwarding (VRF) instance with a specific tunnel destination.

  • vrf-name is the name assigned to a VRF.

Example: GRE tunnel IP source and destination VRF memberships

This topic explains how GRE tunnel IP source and destination VRF memberships enable routing flexibility by allowing packets to enter a GRE tunnel from one VRF and exit from a different VRF, supporting complex network segmentation and overlay designs.

In this example, packets received on interface e0 using VRF green are forwarded out of the tunnel through interface e1 using VRF blue. 

ip vrf blue rd 1:1

ip vrf green rd 1:2

interface loop0
ip vrf forwarding blue
ip address 10.7.7.7 255.255.255.255

interface tunnel0
ip vrf forwarding green
ip address 10.3.3.3 255.255.255.0 tunnel source loop 0
tunnel destination 10.5.5.5 tunnel vrf blue

interface ethernet0
ip vrf forwarding green
ip address 10.1.1.1 255.255.255.0

interface ethernet1
ip vrf forwarding blue
ip address 10.2.2.2 255.255.255.0

ip route vrf blue 10.5.5.5 255.255.255.0 ethernet 1