VPN · Global Config

interface tunnel [number]

Creates a tunnel interface for encapsulating traffic (e.g., GRE, IPsec) to connect remote networks over an untrusted intermediate network.

Syntax · Global Config
interface tunnel [number]

When to Use This Command

  • Connecting two branch offices over the internet using a GRE tunnel to carry private routing protocols.
  • Building a site-to-site IPsec VPN tunnel between a corporate HQ and a remote office.
  • Creating a multipoint GRE (mGRE) tunnel for Dynamic Multipoint VPN (DMVPN) deployments.
  • Tunneling IPv6 traffic over an IPv4-only network using a configured IPv6-over-IPv4 tunnel.

Command Examples

Basic GRE Tunnel Configuration

interface tunnel 0
Router(config)#interface tunnel 0
Router(config-if)#ip address 10.0.0.1 255.255.255.252
Router(config-if)#tunnel source 192.168.1.1
Router(config-if)#tunnel destination 203.0.113.1
Router(config-if)#tunnel mode gre ip
Router(config-if)#no shutdown

This example enters interface configuration mode for tunnel 0. The ip address command assigns a private IP to the tunnel. tunnel source sets the local physical interface IP (or interface name) as the tunnel source. tunnel destination specifies the remote endpoint IP. tunnel mode gre ip sets the encapsulation to GRE over IP. no shutdown activates the interface.

IPsec Tunnel Interface (VTI)

interface tunnel 1
Router(config)#interface tunnel 1
Router(config-if)#ip address 172.16.0.1 255.255.255.252
Router(config-if)#tunnel source GigabitEthernet0/0
Router(config-if)#tunnel destination 198.51.100.1
Router(config-if)#tunnel mode ipsec ipv4
Router(config-if)#tunnel protection ipsec profile VPN-PROFILE
Router(config-if)#no shutdown

This configuration creates a Virtual Tunnel Interface (VTI) for IPsec. tunnel mode ipsec ipv4 enables IPsec tunnel mode. tunnel protection ipsec profile applies an IPsec profile to encrypt traffic. The tunnel source uses an interface name instead of an IP address.

Understanding the Output

When configuring a tunnel interface, the output shows the prompt changing to Router(config-if)# indicating you are in interface configuration mode. The key fields to verify are: ip address (the tunnel's own IP), tunnel source (the local endpoint, either an IP or interface name), tunnel destination (the remote endpoint IP), and tunnel mode (e.g., gre ip, ipsec ipv4). A common issue is forgetting to set tunnel mode, which defaults to GRE. Also ensure no shutdown is applied. In show interfaces tunnel 0 output, look for 'up/up' status; if down/down, check physical reachability or misconfigured endpoints. The tunnel source must be reachable from the destination and vice versa. For IPsec tunnels, verify that the tunnel protection profile is correctly applied and that the IPsec session is active (use show crypto ipsec sa).

CCNA Exam Tips

1. CCNA exam tip: Remember that tunnel interfaces must have an IP address and both tunnel source and destination configured to be operational.

2. CCNA exam tip: The default tunnel mode is GRE; if you need IPsec, you must explicitly set tunnel mode ipsec ipv4.

3. CCNA exam tip: A tunnel interface will stay down if the tunnel destination is not reachable via routing; check the routing table.

4. CCNA exam tip: In the exam, you may be asked to identify why a tunnel is down — common reasons include mismatched tunnel keys or ACLs blocking traffic.

Common Mistakes

Mistake 1: Forgetting to configure tunnel mode, leaving it as default GRE when IPsec is needed — results in no encryption.

Mistake 2: Using an incorrect tunnel source IP that is not reachable from the destination — tunnel stays down.

Mistake 3: Not applying no shutdown to the tunnel interface — interface remains administratively down.
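
The checks above can be run against a saved configuration. The following is an added example, not part of the original page: a small Python audit that flags tunnel interfaces missing an address or endpoint, left administratively down, or carrying no tunnel protection profile (so traffic is not encrypted). The sample configuration is constructed and the function names are hypothetical; it assumes the saved configuration omits the default tunnel mode and the no shutdown line.

```python
# Constructed running-config excerpt for illustration (not from the original page).
SAMPLE_CONFIG = """\
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.168.1.1
 tunnel destination 203.0.113.1
!
interface Tunnel1
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
!
interface Tunnel2
 tunnel source GigabitEthernet0/0
 shutdown
"""

def parse_tunnels(config):
    """Return {interface name: [sub-commands]} for each tunnel interface stanza."""
    tunnels, current = {}, None
    for line in config.splitlines():
        if line.lower().startswith("interface tunnel"):
            current = tunnels.setdefault(line.split(None, 1)[1].strip(), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None  # "!" or any other top-level line ends the stanza
    return tunnels

def audit_tunnel(cmds):
    """Return findings for one tunnel, following the page's list of mistakes."""
    findings = []
    has = lambda prefix: any(c.startswith(prefix) for c in cmds)
    for required in ("ip address", "tunnel source", "tunnel destination"):
        if not has(required):
            findings.append(f"missing {required}")
    if "shutdown" in cmds:  # exact match, so "no shutdown" is not flagged
        findings.append("administratively down")
    # Assumption: no "tunnel mode" line means the default mode, GRE.
    mode = next((c[12:] for c in cmds if c.startswith("tunnel mode ")), "gre ip")
    if not has("tunnel protection ipsec profile"):
        findings.append(f"mode '{mode}' without tunnel protection: traffic not encrypted")
    return findings

def audit_config(config):
    """Audit every tunnel interface found in the configuration text."""
    return {name: audit_tunnel(cmds) for name, cmds in parse_tunnels(config).items()}
```

Calling audit_config(SAMPLE_CONFIG) returns an empty finding list for Tunnel1 and one or more findings for Tunnel0 and Tunnel2.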
