Real World Configuration Of a VPN GRE Tunnel With BGP


BGP routing information is usually exchanged between competing business entities in the form of internet service providers (ISPs) in an open, hostile environment — the public internet. BGP is very security-focused — for example, all adjacent routers have to be configured manually — and decent BGP implementations provide a rich set of route filters to allow ISPs to defend their networks and control what they advertise to their competitors.

How BGP works

In BGP terminology, an independent routing domain, which almost always means an ISP network, is called an autonomous system.

BGP is always used as the routing protocol of choice between ISPs (known as external BGP), but also as the core routing protocol within large ISP networks (known as internal BGP).

All other routing protocols are concerned solely with finding the optimal path toward all known destinations. BGP cannot take this simplistic approach because the peering agreements between ISPs almost always result in complex routing policies. To help network operators implement these policies, BGP carries a large number of attributes with each IP prefix, for example:

  • Autonomous system (AS) path — the complete path documenting which autonomous systems a packet would have to travel through to reach the destination.
  • Local preference — the internal cost of a destination, which is used to ensure AS-wide consistency.
  • Multi-exit discriminator — this attribute gives adjacent ISPs the ability to prefer one peering point over another.
  • Communities — a set of generic tags that can be used to signal various administrative policies between BGP routers.

Because the focus of BGP design and implementation was always on security and scalability, it is harder to configure than other routing protocols and more complex (especially once you start configuring routing policies), and it is one of the slowest-converging routing protocols.
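To make the attribute list above concrete, here is an added example (not code from the original post) that models one router's inbound policy and best-path selection over the four attributes just described: an inbound filter that rejects AS-path loops and prefixes the peer is not entitled to announce, a community tag that sets local preference, and the decision order local preference, AS-path length, MED, neighbour address. The local ASN, the allowed-prefix list and the announcements are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

LOCAL_ASN = 65001                                    # assumed: our own autonomous system
PEER_ALLOWED = ["192.0.2.0/24", "198.51.100.0/24"]   # assumed: prefixes this peer may announce

@dataclass
class Route:
    prefix: str
    as_path: list                    # leftmost AS is the neighbour that sent us the route
    neighbor: str                    # neighbour's IP address, used as the final tie-breaker
    med: int = 0
    communities: set = field(default_factory=set)
    local_pref: int = 100

def accept_inbound(r, local_asn=LOCAL_ASN, allowed=PEER_ALLOWED, max_len=24):
    """Inbound filter: drop AS-path loops, prefixes the peer may not announce, and more-specifics."""
    net = ipaddress.ip_network(r.prefix, strict=False)
    if local_asn in r.as_path or net.prefixlen > max_len:
        return False
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)

def apply_policy(r, local_asn=LOCAL_ASN):
    """Communities as tags: 'OURASN:value' lets a customer request a local preference."""
    for c in r.communities:
        asn, value = c.split(":")
        if int(asn) == local_asn and value.isdigit():
            r.local_pref = int(value)
    return r

def best_path(candidates):
    """Filter, apply policy, then select the best route for one prefix (None if all are rejected).
    Decision order (simplified): highest local pref, shortest AS path, lowest MED, lowest neighbour IP.
    Real routers compare MED only between routes learned from the same neighbouring AS."""
    usable = [apply_policy(r) for r in candidates if accept_inbound(r)]
    key = lambda r: (-r.local_pref, len(r.as_path), r.med, ipaddress.ip_address(r.neighbor))
    return min(usable, key=key, default=None)

def sample_updates():
    """Constructed announcements for 192.0.2.0/24 as received by AS 65001 (not real data)."""
    return [
        Route("192.0.2.0/24", [65002, 65010], "10.0.0.2", med=10),
        Route("192.0.2.0/24", [65003, 65020, 65010], "10.0.1.2", communities={"65001:200"}),
        Route("192.0.2.0/24", [65002, 65001, 65010], "10.0.0.3"),   # our own ASN in the path: rejected
        Route("192.0.2.128/25", [65002, 65010], "10.0.0.2"),         # more specific than /24: rejected
    ]
```

Running `best_path(sample_updates())` picks the route from 10.0.1.2: its AS path is longer, but the community raised its local preference to 200, which is evaluated before path length.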


It’s important to know the difference between Generic Routing Encapsulation and Virtual Private Networks, and understanding it will help whenever you deal with tunnels later on. Both are used for tunneling, that is, establishing a connection between two different points, and many times this means traveling over the public internet. To review the difference between the two, let’s first discuss how they’re normally used.

A Virtual Private Network (VPN) is a secure method for sending data between networks or locations at limited or no cost. There is no need to install leased lines for the data to travel safely over the internet, and a VPN is relatively easy to set up. The traffic that goes over the VPN is secured with either IPsec or SSL while it is transferred between the endpoints. This protects the data in transit and reduces the security concerns of data transfer over the public internet.

A Generic Routing Encapsulation (GRE) tunnel transfers data between two sites with lower overhead and allows multicast traffic to be sent over the tunnel (something a VPN has difficulty with), but it does so without encryption. A GRE tunnel also assists with encapsulation between protocols and can join networks that might otherwise have been incompatible. Because GRE on its own offers neither confidentiality nor integrity protection, a GRE tunnel that crosses the public internet is commonly carried inside an IPsec VPN, combining GRE's multicast and routing-protocol support with the VPN's encryption.
