VPNInterface Config

tunnel destination [ip]

Specifies the destination IP address for a tunnel interface, used to define the remote endpoint of a point-to-point VPN tunnel.

Syntax·Interface Config

tunnel destination [ip]

When to Use This Command

Configuring the remote endpoint for a GRE tunnel between two branch offices.
Setting the destination for an IPsec tunnel to connect a remote site to a central hub.
Establishing a DMVPN tunnel by specifying the hub router's public IP as the destination.
Defining the peer address for a multipoint tunnel in a hub-and-spoke VPN topology.

Command Examples

Basic GRE Tunnel Destination Configuration

Router(config-if)# tunnel destination 203.0.113.1

Router(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up

The command sets the remote tunnel endpoint to 203.0.113.1. The syslog message indicates the tunnel line protocol came up, meaning the destination is reachable and the tunnel is operational.

Verifying Tunnel Destination with Show Command

Router# show interfaces tunnel 0

Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.0.0.1/30
  MTU 1476 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Tunnel source 192.168.1.1, destination 203.0.113.1
  Tunnel protocol/transport GRE/IP
    Key disabled, sequencing disabled
  ...

The output shows the tunnel interface status and configuration. The 'Tunnel source' and 'destination' lines confirm the local and remote endpoints. 'Tunnel protocol/transport GRE/IP' indicates the encapsulation. The interface being 'up/up' means the tunnel is working.

Understanding the Output

The command itself does not produce output; it configures the tunnel destination. To verify, use 'show interfaces tunnel X' or 'show running-config interface tunnel X'. In the show output, look for 'Tunnel source' and 'destination' to confirm the endpoints. The interface status 'up/up' indicates the tunnel is operational. If the line protocol is down, the destination may be unreachable or misconfigured. Pay attention to the tunnel protocol (e.g., GRE/IP, IPsec) to ensure correct encapsulation.

CCNA Exam Tips

CCNA exam tip: The tunnel destination must be reachable via a route; otherwise, the tunnel will not come up.

CCNA exam tip: Remember that tunnel source and destination are required for point-to-point tunnels; multipoint tunnels use different commands.

CCNA exam tip: The tunnel destination IP is typically the public IP of the remote router; private IPs can be used if directly connected.

CCNA exam tip: In DMVPN, the tunnel destination is configured only on spoke routers pointing to the hub; hubs use dynamic mapping.

Common Mistakes

Mistake 1: Forgetting to configure a route to the tunnel destination, causing the tunnel to stay down.

Mistake 2: Using an incorrect IP address (e.g., private IP instead of public) for the destination, leading to unreachability.

Mistake 3: Configuring tunnel destination on a multipoint interface (tunnel mode gre multipoint) where it is not allowed; use tunnel destination only on point-to-point tunnels.

Related Commands

tunnel source [intf|ip]

Specifies the source interface or IP address for a tunnel interface, used to define the tunnel's source address for VPN or overlay networks.

Practice for the CCNA 200-301

Test your knowledge with hundreds of CCNA practice questions covering all exam domains.

Practice CCNA Questions