9

What is a tunnel interface used for on a cisco router?

What is the difference between setting up a VPN connection and a tunnel interface; or does this serve the same purpose?

Brett Lykins
  • 8,288
  • 5
  • 36
  • 66
Bulki
  • 2,363
  • 7
  • 25
  • 43

3 Answers3

11

Tunnel interfaces have many uses, including participating in a larger VPN configuration. A VPN setup usually has many parts, including encryption, authentication, routing, and finally, the tunneling. Tunneling is also used for IPv4/IPv6 coexistence setups, such as encapsulating IPv6 packets in IPv4 packets payloads, creating GRE tunnels, and multicast tunneling. The point is that while tunnels may be part of a VPN setup, they do not necessarily represent the entire VPN configuration, but only the traffic encapsulation between endpoints.

bu sty
  • 3
  • 3
Yosef Gunsburg
  • 1,615
  • 10
  • 19
  • Also in Cisco-lingo tunnel-interface can also refer to RSVP signaled MPLS Traffic Engineering LSP. – aakso May 29 '13 at 12:01
3

A VPN tunnel uses IPSEC which encrypts the packets, usually between two LANs connected via the Internet. IPSEC tunnels have no multicast support which means that you can't run dynamic routing protocols like EIGRP, OSPF and ISIS over the tunnel.

There are also various forms of VPNs like DMVPN, SSL VPN and GET VPN.

A GRE tunnel can be used for many things, to support multicast, IPv6 or even CLNS which is used for ISIS. A GRE tunnel has no encryption which the VPN tunnel has.

To get support for both routing and encrypting the packets it is common to deploy IPSEC and GRE together so that it's supported to run dynamic routing protocols over it.

There are also other tunneling modes like IP in IP, 6to4, ISATAP and so on.

Daniel Dib
  • 7,478
  • 34
  • 59
  • What might a use-case be for an Enterprise network to use a GRE tunnel? – generalnetworkerror May 29 '13 at 05:31
  • @generalnetworkerror There could be many uses, even for an Enterprise. For example we have remote locations which are connected to the internet and we build an encrypted GRE tunnel to HQ so that we can run a dynamic routing protocol. Another example would be the need to span a VLAN across internet. One could run L2TPv3 inside an encrypted GRE tunnel to the remote location. – Stefan Radovanovici May 29 '13 at 06:36
  • @StefanRadovanovici, I'm going to pose a new question for a specific use-case regarding routing over IPSec VPN tunnels to branch offices. – generalnetworkerror May 29 '13 at 07:34
3

A tunnel give you a route-based VPN option. This allows you to run routing protocols over your tunnels which allows for better failover capabilities. You can also set up a single tunnel, then route many different prefixes over that same single tunnel. If the other side adds a new prefix, just add another static route to the existing tunnel. I also find it easier to do network-wide NAT for overlapping VPN subnets as the tunnel interface is just another layer3 point-to-point interface

Tunnels are also handy for times when you need to run two different VRFs over an interface that doesn't support many subinterfaces. A DSL link is an example. In this case you can run a tunnel over the normal link, and have that tunnel in a different VRF

mellowd
  • 3,824
  • 19
  • 24