Skip to main content

 

Cisco Meraki Documentation

EoGRE Concentration for SSIDs

  1. Last updated
  2. Save as PDF

Ethernet over GRE (EoGRE) is an unencrypted stateless layer 2 tunneling technology. It is typically used for aggregating Wi-Fi traffic from hotspots to a centralized gateway. This solution enables Customer Premises Equipment (CPE) to bridge the Layer 2 traffic from an end host to an aggregation gateway. The encapsulated traffic consists of Ethernet frames with a GRE header, creating a virtual tunnel.

 Note: This feature is only enabled on gateway access points and is not available on access points operating in mesh mode.

 Note: The GRE protocol is not compatible with most NAT implementations. If you expect to have a router performing NAT located between the AP and the tunnel concentrator, EoGRE is unlikely to function properly. Please consider using Teleworker VPN to a Meraki MX security appliance instead in such scenarios.

Configuration

There are two pieces to configuring the EoGRE feature, configuration of Customer Premise Equipment (CPE) and the configuration of the (Non-Meraki) core concentrator. The configuration below outlines the configuration of Meraki MR access Points acting as the Customer Premise Equipment. 

EoGRE is enabled on on a per-SSID basis, in Dashboard under Wireless > Configure > Access control Select EoGRE in the Addressing and Traffic section of the page:

Ethernet over GRE configuration

Concentrator

The Concentrator Field is a mandatory configuration element that defines the destination for the EoGRE encapsulated traffic. A FQDN or IP address can be used in the field. FQDNs can be used to provide a simple failover mechanism if the DNS server that resolves the FQDN rolls to a new IP address. If an FQDN is used, the access point will re-query the name server after 30 seconds of inactivity on the tunnel in case of a possible tunnel failure.

Note: In order to resolve a FQDN, the AP will need to be configured to use a custom DNS server. An AP's DNS server can be configured on its Local Status Page, or on the AP's Summary tab in the Dashboard. 

 

GRE Key

GRE keys are flow identifiers intended to identify an individual traffic flow within a tunnel. Entering a number between 0 and 4,294,967,295 in this field will add the optional GRE key field to the GRE header. Meraki devices use this key to differentiate SSID traffic over the same tunnel. Unique IP/key pairs should be used for each SSID on a given network to ensure proper packet routing. Most routers that act as a EoGRE gateway also use a unique key for each tunnel for routing purposes. 

Note: Keep in mind that the key is not used to encrypt the payload of the EoGRE frame but is used to identify the tunnel. 

VLANs

If an SSID is configured for EoGRE tunneling and VLAN tagging is in use on the SSID (i.e. the layer 2 traffic on that SSID is tagged with a 802.1q header), then the 802.1q header will be included in the layer 2 payload of the EoGRE frame sent to the concentrator. The GRE packet sent from the AP to the tunnel concentrator will always originate from the AP's management IP address and VLAN, regardless of any VLAN(s) being used inside the tunnel.  

IPv4 Client Isolation for EoGRE Tunneled SSIDs

Overview:
Support for IPv4 client isolation which prevents wireless clients from communicating with each other (client-to-client isolation) while still allowing them to receive DHCP leases from the LAN on the other side of the EoGRE tunnel within the same subnet.

Firmware:
MR 32.2.1

Configuration:

  1. Navigate: Wireless > Configure > Access control
  2. Select EoGRE in the Addressing and Traffic section of the page
  3. Enable Client Isolation

clipboard_e2cc4854e0779bf743e65170466317374.png

DHCP Option 82 for Tunneled SSIDs

Overview:
 Support for DHCP relay with Ethernet over GRE tunneled SSIDs.

Firmware:
MR 32.2.1

Configuration

  1. Navigate Wireless > Configure > Access control

  2. Select EoGRE in the Addressing and Traffic section of the page

  3.  Enable DHCP option 82

  4. Input parameters for DHCP relay

Default values:

  1. cid_params ap-mac, ssid-name,ssid-type
  2. rid_params client-mac
  3. mac_format column
  4. override enabled

clipboard_eea507eddc2d86df45f5b2ee8b06b2d73.png

IPv6 Support for Tunneled SSIDs

Overview:
Dashboard now accepts the IPv6 address of the concentrator on the access control page allowing APs to build EoGRE tunnels over IPv6. 
APs now pass dual-stack IPv4/IPv6 traffic inside the EoGRE over the IPv6 tunnel.

Firmware:
MR 32.2.1

Configuration:

clipboard_ec8fafe74a4e3dd49ab515839f0ed0fd0.png

  1. Navigate Wireless > Configure > Access control
  2. Select EoGRE in the Addressing and Traffic section of the page:
  3. Enter the IPv6 address of the Concentrator.
  4. Save configuration
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    Topic
    Stage
    Final
  2. Tags
    1. service provider