Ethernet over GRE (EoGRE) is an unencrypted stateless layer 2 tunneling technology. It is typically used for aggregating WiFi traffic from hotspots to a centralized gateway. This solution enables Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway. The encapsulated traffic consists of Ethernet frames with a GRE header, creating a virtual tunnel.
Note: This feature is only enabled on gateway access points and is not available on access points operating in mesh mode.
Note: The GRE protocol is not compatible with most NAT implementations. If you expect to have a router performing NAT located between the AP and the tunnel concentrator, EoGRE is unlikely to function properly. Please consider using Teleworker VPN to a Meraki MX security appliance instead in such scenarios.
There are two pieces to configuring the EoGRE feature, configuration of Customer Premise Equipment (CPE) and the configuration of the (Non-Meraki) core concentrator. The configuration below outlines the configuration of Meraki MR access Points acting as the Customer Premise Equipment.
EoGRE is enabled on on a per-SSID basis, in Dashboard under Wireless > Configure > Access control Select EoGRE in the Addressing and Traffic section of the page:
The Concentrator Field is a mandatory configuration element that defines the destination for the EoGRE encapsulated traffic. A FQDN or IP address can be used in the field. FQDNs can be used to provide a simple failover mechanism if the DNS server that resolves the FQDN rolls to a new IP address. If an FQDN is used, the access point will re-query the name server after 30 seconds of inactivity on the tunnel in case of a possible tunnel failure.
Note: In order to resolve a FQDN, the AP will need to be configured to use a custom DNS server. An AP's DNS server can be configured on its Local Status Page, or on the AP details page in Dashboard.
GRE keys are flow identifiers intended to identify an individual traffic flow within a tunnel. Entering a number between 0 and 4,294,967,295 in this field will add the optional GRE key field to the GRE header. Meraki devices use this key to differentiate SSID traffic over the same tunnel. Unique IP/key pairs should be used for each SSID on a given network to ensure proper packet routing. Most routers that act as a EoGRE gateway also use a unique key for each tunnel for routing purposes.
Note: Keep in mind that the key is not used to encrypt the payload of the EoGRE frame but is used to identify the tunnel.
If an SSID is configured for EoGRE tunneling and VLAN tagging is in use on the SSID (i.e. the layer 2 traffic on that SSID is tagged with a 802.1q header), then the 802.1q header will be included in the layer 2 payload of the EoGRE frame sent to the concentrator. The GRE packet sent from the AP to the tunnel concentrator will always originate from the AP's management IP address and VLAN, regardless of any VLAN(s) being used inside the tunnel.