How to Use Tunneling in Your Network

Tunneling uses network layer tunneling protocols to connect disjoint networks within the same (trusted) enterprise campus network, resulting in the destination address of the tunnel functioning as a logical next hop.

Data is transmitted in the form of IP packets. The information contained in a data packet is called the payload. A data packet header contains the routing information required to transmit the packet to a remote destination. A tunnel is selected as the route interface based upon a route lookup. Tunneling involves the use of a tunnel protocol that encapsulates the payload of the packet entering the tunnel within another (outer) header based upon tunnel parameters. Thus a tunneled packet has an inner and an outer header.

The inner header contains the original packet header. The IP type (IPv4 or IPv6) of the original header is determined by the original packet source and destination address type. The outer delivery header is the tunnel header. The IP type of the tunnel header is determined by the route lookup source and destination IP address type configured for the tunnel.

The tunnel mode is expressed as the inner IP address type over the outer tunnel IP address type. For example, an IPv6 packet encapsulated into an IPv4 tunnel interface would use a tunnel that supports tunnel mode IPv6 over IPv4. Tunnel modes that support IPv6 over IPv4 are GRE and IPv6 over IPv4, configured using the tunnel mode keyword ipv6ip.
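The inner-over-outer naming described above can be checked against captured traffic. The following Python sketch is an added example, not code from the platform or its documentation: it reads a raw IP packet, identifies the outer delivery header and the encapsulated inner header, and reports the tunnel mode for IP-in-IP (protocol numbers 4 and 41) and GRE (protocol 47). The function names and the sample packets are constructed for illustration, and IPv6 extension headers on the outer header are assumed absent.

```python
import struct

# IP protocol numbers that carry another packet as payload.
IPPROTO_IPIP, IPPROTO_IPV6, IPPROTO_GRE = 4, 41, 47
# GRE protocol-type values (EtherTypes); 0x6558 is transparent Ethernet bridging.
GRE_TYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x6558: "L2"}

def outer_header(pkt):
    """Return (IP type, payload protocol, header length) of the outer header."""
    version = pkt[0] >> 4 if pkt else 0
    if version == 4 and len(pkt) >= 20:
        return "IPv4", pkt[9], (pkt[0] & 0x0F) * 4
    if version == 6 and len(pkt) >= 40:
        return "IPv6", pkt[6], 40  # assumption: no extension headers
    raise ValueError("not a complete IP header")

def tunnel_mode(pkt):
    """Return 'inner over outer' for a tunneled packet, None if not tunneled."""
    outer, proto, off = outer_header(pkt)
    if proto == IPPROTO_GRE:
        if len(pkt) < off + 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack_from("!HH", pkt, off)
        # Optional checksum, key and sequence fields each add 4 bytes.
        off += 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        inner, via = GRE_TYPES.get(ptype, hex(ptype)), " (GRE)"
    elif proto in (IPPROTO_IPIP, IPPROTO_IPV6):
        inner, via = ("IPv4" if proto == IPPROTO_IPIP else "IPv6"), ""
    else:
        return None
    # The inner header's version nibble must agree with the declared type.
    if inner in ("IPv4", "IPv6"):
        if len(pkt) <= off or pkt[off] >> 4 != int(inner[-1]):
            raise ValueError("inner header does not match declared type")
    return f"{inner} over {outer}{via}"

# Constructed sample packets (documentation addresses, zero checksums).
def ipv4(proto, payload=b""):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1])) + payload

def ipv6(next_header, payload=b""):
    src = bytes.fromhex("20010db8" + "00" * 11 + "01")
    dst = bytes.fromhex("20010db8" + "00" * 11 + "02")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 64) + src + dst + payload

INNER6 = ipv6(59)                                   # 59 = no next header
SAMPLE_IPV6IP = ipv4(IPPROTO_IPV6, INNER6)          # matches tunnel mode ipv6ip
SAMPLE_GRE = ipv4(IPPROTO_GRE, struct.pack("!HH", 0x2000, 0x86DD) + b"\0\0\0\7" + INNER6)
```

A packet whose outer header declares one inner type while the payload starts with another raises an error rather than being classified, which is the case worth flagging when reviewing tunneled traffic.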

To create a tunnel, both endpoint devices must support the same tunneling mode.

The S- and K-Series platform supports tunneling modes:

A tunnel interface can be assigned to a static route using the ip route or ipv6 route command, depending upon the route IP type. The tunnel source and destination must be reachable either by a configured static route or a supported routing protocol such as RIP, BGP, or OSPF.

If route lookup selects a route using a tunnel, the underlying delivery interface is determined based upon the destination address of the selected route. The tunnel delivery interface is displayed using the show tunnel command.

The S- and K-Series platforms support remote mirroring using a Layer 2 GRE tunnel mode. See Remote Mirroring Using a Layer 2 GRE Tunnel for remote mirroring Layer 2 GRE tunnel details.

The S- and K-Series platforms support the Virtual Private Port Service feature, which is an L2 tunnel mode permitting the user to extend a virtual wire through an arbitrary routed network, using GRE with transparent bridging. See Virtual Private Port Service for Virtual Private Port Service details.

The S- and K-Series platforms support the Split Horizon feature on L2 GRE tunnels. The Split Horizon feature facilitates loop free mesh topologies without requiring a loop prevention protocol such as Spanning Tree. With Split Horizon configured on the switch, the switch drops packets when:

Important

Tunneling is an advanced routing feature that requires a license on some platforms. If you have purchased an advanced license key, and have enabled routing on the device, you must activate your license as described in the S-, K-, and 7100 Series CLI Reference Guide in order to enable the tunneling command set on the licensed platform. If you wish to purchase an advanced routing license, contact Extreme Networks Sales. See the firmware release notes for the firmware release running on your platform for tunneling license details.

See the interface command entry, in the S-, K-, and 7100 Series CLI Reference Guide, for create, enable, and disable tunnel command details.