Tunnel creation on Cisco routers using Loopback interfaces

General description

This lab simulates a situation in which a provider routes only limited ranges of IP addresses, for example, it provides communication between two /24 networks. To connect the offices under this constraint, a tunnel is created between the loopback interfaces of the client’s two border routers; the IP addresses for the loopback interfaces are chosen from the networks assigned (routed) by the provider.

To better understand the task set in the lab, some preliminary preparation is suggested: consider the standard case in which the client’s offices are routed through the provider’s network (without configuring a tunnel). Let the provider assign two /24 networks to the client’s offices. Specify IP addresses for the interfaces and configure static routes on the routers Provider, Router1 and Router2 according to the scheme given in the lab, without taking the tunnel and loopback interfaces into account. Note that a /24 mask is used for addressing the client’s office networks.


A Cisco 3600 Series router is used as the provider; the office networks are connected to Cisco 1600 Series routers.

  1. Connect two Cisco 1600 Series routers to a Cisco 3600 Series router. Also connect a computer to each Cisco 1600 Series router.
  2. Connect to the console port of each router and, in global configuration mode, set a name using the command hostname name. For example, Provider1, Router1, Router2.
  3. For each router configure IP-addresses of Ethernet0, Ethernet1 interfaces in interface configuration mode using a command ip address address mask. For addresses of Ethernet0 interfaces of Cisco 1600 routers use a mask /24 (mask
  4. On each computer in the client’s office networks, configure an IP address with a /24 mask, and set the IP address of the Ethernet0 interface of the corresponding Cisco 1600 Series router as the default gateway.
  5. On the Cisco 3600 Series router (Provider), configure static routes to the assigned networks using the configuration command ip route ip-address mask next_hop.
  6. On each Cisco 1600 router, also configure a static route to the remote office network via the provider’s router.
  7. To view the state of the routing table, use the command show ip route.
  8. Using ICMP echo requests (ping), check that each router is reachable from the computer(s) and make sure that the connection between the client’s offices is established via the provider’s router.

Main setting

Now suppose that the situation has changed. The client needs more addresses than are available in the /24 networks assigned by the provider, so a /16 mask is used when addressing the office networks. The provider, however, still assigns and routes only /24 networks to the client. One solution to the problem of connecting the client’s offices is to build a tunnel between the loopback interfaces of the client’s two border routers.

The tunnel could also be built on physical interfaces (Router1::eth1 and Router2::eth1) instead of virtual ones. However, using virtual interfaces as tunnel endpoints has an essential advantage: it provides a degree of fault tolerance when several providers or several connections are used. Assume that the client decides to use an additional provider, Provider2, and connects his own L3 devices to its router (through the Router1::eth2 and Router2::eth2 interfaces). Consider the case in which Tunnel0 uses the physical interfaces eth1. If the card carrying interface eth1 fails, the tunnel stops functioning, and connectivity between the offices is lost even though a working path between Router1 and Router2 exists through Provider2. It is possible to solve this problem by building additional tunnels between the routers, but such an approach scales poorly.

Now consider building tunnels on virtual interfaces. In this case the tunnel’s operation does not depend on the status of physical ports. The only necessary condition is IP connectivity between the tunnel endpoints, which can be provided by static routes or by dynamic routing protocols between the client and the provider. Thus, failure of one of the physical interfaces will not isolate the remote network.

  1. For each Cisco 1600 Series router using a command ip address address mask in interface configuration mode configure new IP-addresses for Ethernet0 interfaces, to which client’s office networks are connected, mask /16 (mask should be used.
  2. On each computer in the client’s office networks, configure a new IP address with a /16 mask.
  3. For each Cisco 1600 router configure IP-address in virtual interface loopback0 configuration mode using a command ip address address mask, /32 should be used as a mask (mask, IP-address is chosen from the network allocated by provider.
  4. On each Cisco 1600 router, configure a tunnel interface using the configuration command interface tunnel 0.
  5. In tunnel-interface configuration mode configure IP-address, using a command ip address address mask, /30 should be used as a mask (mask
  6. Using the interface commands tunnel source ip-address and tunnel destination ip-address, configure the IP addresses of the tunnel endpoints. Use the previously configured loopback interface addresses as ip-address.
  7. Configure the tunneling mode using the interface command tunnel mode mode, specifying, for example, ipip as the mode.
  8. Taking the tunnel configured above into account, create a static route to the other office network on each Cisco 1600 Series router, using the configuration command ip route network ip-address mask next-hop.
  9. Using ICMP echo requests (ping), check that each router is reachable from the computer(s).
  10. Examine how the office networks are routed using the command traceroute ip-address (tracert on Windows).
  11. Look at the source and destination IP addresses of the packets routed between the client’s office networks. To do this, connect the Cisco 1600 Series router and the Cisco 3600 Series router (Provider) to a Cisco 2960 Series switch, and connect another computer to the same switch.
  12. On the switch, set up a SPAN session that copies the data passing through the switch to the port to which the additional computer is connected. To do this, use the configuration commands monitor session 1 source interface interface both and monitor session 1 destination interface interface, specifying the ports to which the office router and the additional computer are connected as the source interface and destination interface respectively.
  13. To view the configured SPAN session, use the command show monitor session 1.
  14. Run Wireshark on the additional computer connected to the switch and capture a packet sent from one office network to the other. Look at the source and destination MAC and IP addresses.
  15. Repeat the packet capture at different points of the network (between the office PC of the first office and Router1, between Router1 and Provider, between Provider and Router2, between Router2 and the office PC of the second office) using the Cisco 2960 Series switch. Tabulate the source and destination MAC and IP addresses you observe. Analyze the data obtained.
Capturing point | Source IP and MAC | Destination IP and MAC | Source IP and MAC in captured data | Destination IP and MAC in captured data
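
The following Python sketch is an added example, not part of the original lab. It shows what the captures in steps 14 and 15 should reveal on the IP layer: on the office side a packet has one IP header, while between Router1 and Provider the same packet is wrapped in an outer header (IP protocol 4, IP-in-IP) addressed between the loopbacks. All addresses and both sample packets are constructed for illustration and are not taken from the lab scheme.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 (tunnel mode ipip)

def build_ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload

def parse_ipv4(data):
    """Return (src, dst, proto, payload) for the IPv4 header at the start of data."""
    if len(data) < 20 or data[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (data[0] & 0x0F) * 4
    total_len = struct.unpack("!H", data[2:4])[0]
    if ihl < 20 or total_len < ihl or len(data) < total_len:
        raise ValueError("truncated or malformed IPv4 packet")
    src = str(ipaddress.IPv4Address(data[12:16]))
    dst = str(ipaddress.IPv4Address(data[16:20]))
    return src, dst, data[9], data[ihl:total_len]

def describe(packet):
    """Walk from the outer header inwards; return a list of (src, dst, proto)."""
    layers = []
    while True:
        src, dst, proto, payload = parse_ipv4(packet)
        layers.append((src, dst, proto))
        if proto != IPPROTO_IPIP:  # no further encapsulated IPv4 header
            return layers
        packet = payload

# Constructed samples: office hosts in 10.1.0.0/16 and 10.2.0.0/16,
# loopbacks 198.51.100.1 and 203.0.113.1 (assumed provider-routed /24s).
OFFICE_SIDE = build_ipv4("10.1.0.10", "10.2.0.10", 1, b"echo")   # PC <-> Router1
PROVIDER_SIDE = build_ipv4("198.51.100.1", "203.0.113.1",
                           IPPROTO_IPIP, OFFICE_SIDE)            # Router1 <-> Provider

if __name__ == "__main__":
    for name, pkt in (("office side", OFFICE_SIDE), ("provider side", PROVIDER_SIDE)):
        print(name, describe(pkt))
```

The provider only ever sees the outer loopback addresses, which is why it can forward traffic for office networks it does not route.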

Now let’s turn to the second part of the lab.

Run the dynamic routing protocol EIGRP and use it to establish an adjacency between the two office routers via the tunnel interfaces. Use this protocol to advertise routing information about all connected networks.

  1. On each Cisco 1600 Series router, delete the previously configured static route to the corresponding office network with mask /16. This is necessary because information about this network will be carried by EIGRP from now on. Pay attention to the state of the tunnel.
  2. Run EIGRP on each of the client’s routers. To do this, use the configuration command router eigrp process_number, specifying, for example, 1 as the number.
  3. Using the command network network_ip-address in router configuration mode, specify the network in which EIGRP will operate (the protocol will be enabled on all interfaces of the router whose addresses fall within the specified range).
  4. Turn off automatic summarization of subnet routes using the command no auto-summary in router configuration mode.
  5. Using the command redistribute connected, instruct the router to advertise routing information about all connected networks.
  6. To follow the changes, use the commands show ip route eigrp, show ip eigrp neighbors, show ip eigrp interfaces, show ip eigrp topology.
  7. Pay attention to the periodic change in the state of the tunnel. This effect is a consequence of recursive routing. Examine and explain the effect.

With the tutor’s agreement, correct the problem. To solve it, change the configuration of the client’s routers so that EIGRP sends information about all connected networks except the loopback interface. The route-map mechanism is used for this.

  1. Create a route-map on each Cisco 1600 Series router using the configuration command route-map rm-name deny seq1, specifying, for example, 10 as seq1. The deny keyword creates a denying rule.
  2. Enter the match condition itself using the command match interface interface, specifying the loopback interface of the given router as interface. Go back to global configuration mode.
  3. For the created route-map, add a permitting rule using the command route-map rm-name permit seq2, where, according to the logic of route-map processing, seq2 must be a value greater than seq1, for example, 20. By default, a permitting rule permits everything that is not matched by the preceding denying rule.
  4. Declare that EIGRP should send routing information about all connected networks according to the rules specified in the created route-map. To do this, delete the command redistribute connected in router configuration mode for eigrp 1 and apply redistribute connected route-map rm-name.
  5. Pay attention to the state of the tunnel. Analyze the changes.
  6. Suggest and implement other ways of solving the problem.
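
The following Python model is an added example, not part of the original lab. It reproduces the recursive-routing effect and the route-map fix with a longest-prefix-match lookup: once Router2 redistributes its loopback /32 over the tunnel, Router1's best route to the tunnel destination is the tunnel itself. The addressing, the link networks and the helper names are assumptions made for illustration.

```python
import ipaddress

net = ipaddress.ip_network

def lookup(table, dest):
    """Longest-prefix match over (prefix, out_interface) entries."""
    addr = ipaddress.ip_address(dest)
    matches = [(p, ifc) for p, ifc in table if addr in p]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def route_map_permits(route_map, interface):
    """First matching clause decides; match=None matches any route.
    A route that matches no clause is dropped (implicit deny)."""
    for action, match_if in route_map:
        if match_if is None or match_if == interface:
            return action == "permit"
    return False

def redistribute_connected(connected, route_map=None):
    """Prefixes a router advertises for 'redistribute connected'."""
    return [p for p, ifc in connected
            if route_map is None or route_map_permits(route_map, ifc)]

def tunnel_resolves_via_itself(table, learned, tunnel_dest, tunnel_if="Tunnel0"):
    """True when the best route to the tunnel destination is the tunnel."""
    full = table + [(p, tunnel_if) for p in learned]  # EIGRP routes arrive over Tunnel0
    best = lookup(full, tunnel_dest)
    return best is not None and best[1] == tunnel_if

# Constructed addressing (not from the lab scheme).
R2_CONNECTED = [(net("10.2.0.0/16"), "Ethernet0"),
                (net("172.16.2.0/30"), "Ethernet1"),
                (net("203.0.113.1/32"), "Loopback0")]
R1_TABLE = [(net("10.1.0.0/16"), "Ethernet0"),
            (net("172.16.1.0/30"), "Ethernet1"),
            (net("192.168.0.0/30"), "Tunnel0"),
            (net("203.0.113.0/24"), "Ethernet1")]  # static route via Provider
R2_LOOPBACK = "203.0.113.1"                        # Router1's tunnel destination
RM_NO_LOOPBACK = [("deny", "Loopback0"), ("permit", None)]  # seq 10, seq 20

def flaps(route_map=None):
    """Does Router1's tunnel hit recursive routing with this redistribution policy?"""
    learned = redistribute_connected(R2_CONNECTED, route_map)
    return tunnel_resolves_via_itself(R1_TABLE, learned, R2_LOOPBACK)

if __name__ == "__main__":
    print("plain redistribute connected:", flaps())
    print("with route-map:", flaps(RM_NO_LOOPBACK))
```

When the tunnel goes down the EIGRP adjacency is lost, the /32 is withdrawn, the /24 static route wins again and the tunnel comes back up, which is the periodic state change observed in the lab.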

Note. Get acquainted with distribute-lists and prefix-lists as they apply to this lab.
