What Does GRE Mean?
Also known as: Generic Routing Encapsulation, GRE tunnel, RFC 2784
Quick Definition
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco and later standardized in RFC 2784. It allows network engineers to encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP internetwork. GRE works by taking an original packet (the payload) and wrapping it with a GRE header, then placing that entire unit inside a delivery protocol packet (typically IP). This creates a virtual tunnel between two endpoints, making the encapsulated packets appear as direct traffic to the underlying network. GRE is stateless, meaning it does not provide flow control or error correction; it simply encapsulates and forwards. Its primary purpose is to enable connectivity between networks that use different protocols, to support multicast or broadcast traffic over networks that only allow unicast, or to create secure VPN tunnels when combined with IPsec. GRE is widely used in enterprise and service provider networks for connecting remote sites, carrying routing protocols, and enabling network virtualization.
Must Know for Exams
CompTIA Network+ exams test GRE primarily in the context of network connectivity and tunneling technologies. Key focus areas include:
(1) Understanding that GRE is a tunneling protocol that encapsulates packets to transport them across incompatible networks—candidates must know it operates at Layer 3 and uses IP protocol 47.
(2) Recognizing that GRE does not provide encryption or authentication; it is often paired with IPsec for secure VPNs. Exam questions may ask which protocol adds security to a GRE tunnel.
(3) Knowing that GRE can carry multicast and broadcast traffic, unlike IPsec in transport mode, making it suitable for routing protocol updates.
(4) Identifying GRE's stateless nature—it does not guarantee delivery or provide flow control, so it relies on the underlying transport.
(5) Differentiating GRE from other tunneling protocols like IPsec, L2TP, and PPTP.
Network+ questions may present a scenario where a company needs to connect two remote networks using a non-routable protocol or needs to support multicast, and the correct answer is GRE. Candidates should also be aware of the GRE header fields (protocol type, checksum, key, sequence number) and that GRE tunnels are configured with source and destination IP addresses.
Simple Meaning
Imagine you want to send a letter written in French inside an envelope that only accepts English letters. You can't just put the French letter in the mail because the postal service won't understand it. Instead, you write a short note in English on the outside envelope saying 'This envelope contains a French letter for the recipient.'
The postal service delivers the envelope based on the English address, and when it arrives, the recipient opens it and reads the French letter inside. GRE works the same way: it takes a packet that might use a protocol the network doesn't support (like IPv6 or a routing protocol update) and wraps it in a standard IP packet that the network can route. The tunnel endpoints do the wrapping and unwrapping, so the intermediate network just sees regular IP traffic.
This lets you connect different types of networks as if they were directly linked.
Full Technical Definition
GRE is a tunneling protocol that operates at the network layer (Layer 3) of the OSI model, though it can encapsulate payloads from higher layers. It is defined in RFC 2784 (original specification) and RFC 2890 (with optional key and sequence number extensions). The GRE header is typically 4 bytes (without options) and includes fields for protocol type (indicating the payload protocol), checksum presence, key presence, sequence number presence, and a version field (always 0).
The encapsulated packet becomes the payload, and the entire GRE packet is then placed inside a delivery protocol (usually IP) with protocol number 47. GRE tunnels are stateless—they do not maintain connection state, perform error recovery, or guarantee delivery. This simplicity makes GRE lightweight but also means it relies on the underlying transport for reliability.
GRE can encapsulate many protocols, including IPv4, IPv6, MPLS, and even broadcast and multicast traffic. Compared to IPsec, GRE offers no encryption or authentication; it is often used together with IPsec (GRE over IPsec) to provide both tunneling and security. GRE tunnels are configured with source and destination IP addresses, and routing must be set up to direct traffic into the tunnel.
Key characteristics include: no encryption, no flow control, support for multiprotocol payloads, and ability to carry multicast and broadcast traffic. GRE is commonly used to carry dynamic routing protocols (e.g., OSPF, EIGRP) between sites, for VPNs, and for network virtualization.
Real-Life Example
A multinational company has two branch offices: one in New York and one in London. Both offices use IPv4 internally, but the London office also runs an IPv6 test network for a new application. The company's WAN provider only supports IPv4 unicast traffic.
To connect the IPv6 test network across the WAN, the network engineer configures a GRE tunnel between the routers in New York and London. The New York router encapsulates each IPv6 packet from the London-bound test network inside a GRE header, then wraps it in an IPv4 packet addressed to the London router's public IP. The WAN treats it as normal IPv4 traffic.
When the London router receives the packet, it strips the GRE header and forwards the original IPv6 packet to the test network. The IPv6 devices see a direct Layer 3 connection. The engineer also configures OSPFv3 over the GRE tunnel so the two IPv6 networks can exchange routes.
The tunnel works reliably, and the test application runs successfully across the ocean.
Why This Term Matters
Understanding GRE is essential for IT professionals because it is a fundamental building block for many network connectivity solutions. GRE enables the creation of virtual point-to-point links over arbitrary networks, allowing different protocols to coexist and communicate. It is widely used in enterprise VPNs, especially when combined with IPsec for security.
Network engineers must know how to configure, troubleshoot, and optimize GRE tunnels because misconfigurations can lead to routing loops, MTU issues, or connectivity failures. GRE also appears in many network certification exams, including CompTIA Network+ and Cisco CCNA, as a core tunneling concept. Mastery of GRE demonstrates a solid grasp of encapsulation, tunneling, and protocol interoperability—skills that are critical for designing and managing modern networks.
How It Appears in Exam Questions
Exam questions about GRE often follow these patterns:
(1) Scenario-based: 'A company needs to connect two IPv6 networks over an IPv4-only WAN. Which tunneling protocol should be used?' The correct answer is GRE because it can encapsulate IPv6 in IPv4. Wrong answers might include IPsec (which can also tunnel but is more complex) or L2TP (which is Layer 2).
(2) Protocol identification: 'Which IP protocol number is used by GRE?' Answer: 47. Common wrong answer: 50 (ESP) or 51 (AH).
(3) Feature comparison: 'Which of the following is true about GRE?' Correct: It can carry multicast traffic. Wrong: It provides encryption.
(4) Troubleshooting: 'A GRE tunnel is up but no traffic passes. What is the most likely cause?' Answer: Incorrect routing or MTU mismatch. Candidates must remember that GRE adds overhead (typically 24 bytes), which can cause fragmentation issues.
The key to spotting the correct answer is to remember GRE's core properties: stateless, no encryption, supports multiprotocol and multicast, uses IP protocol 47.
Example Scenario
1. A network administrator wants to connect two branch offices that use different routing protocols: one uses OSPF, the other uses EIGRP.
2. The admin configures a GRE tunnel between the two routers using their public IP addresses.
3. The admin assigns an IP address to the tunnel interface on each router (e.g., 10.0.0.1/30 and 10.0.0.2/30).
4. The admin configures OSPF on the tunnel interface on both routers, so they can exchange routing updates over the tunnel.
5. The routers encapsulate OSPF packets (which are multicast) inside GRE, then inside IP, and send them across the WAN. The OSPF neighbors form adjacency over the tunnel, and routes are exchanged.
6. Traffic between the two offices now flows through the GRE tunnel, allowing seamless connectivity despite different routing protocols.
Common Mistakes
GRE provides encryption and authentication.
GRE is a simple encapsulation protocol with no security features. It does not encrypt or authenticate data. Security is added by pairing GRE with IPsec.
GRE = no security. IPsec adds security.
GRE operates at Layer 2 of the OSI model.
GRE encapsulates network layer (Layer 3) packets and operates at Layer 3. It is not a Layer 2 protocol like L2TP or PPP.
GRE is Layer 3, not Layer 2.
GRE can only carry IPv4 traffic.
GRE is multiprotocol; it can encapsulate IPv4, IPv6, MPLS, and many other protocols. The protocol type field in the GRE header indicates the payload protocol.
GRE carries any protocol, not just IPv4.
Exam Trap — Don't Get Fooled
Trap: Candidates often choose IPsec instead of GRE when a scenario requires carrying multicast traffic (like routing protocol updates) over a VPN. They assume IPsec can do everything, but IPsec in transport mode cannot carry multicast.
Why learners choose it: IPsec is more well-known and associated with VPNs. Learners think 'VPN = IPsec' and forget that GRE is needed for multicast support. The question might mention 'routing protocol updates' which are multicast, making GRE the correct choice.
How to avoid it: Remember: If the scenario mentions multicast, broadcast, or non-IP protocols, the answer is GRE (possibly with IPsec). IPsec alone cannot carry multicast. Use the mnemonic: 'GRE for Groups (multicast), IPsec for Security.'
Commonly Confused With
IPsec provides encryption and authentication at Layer 3, while GRE only encapsulates packets without security. GRE can carry multicast; IPsec (transport mode) cannot.
Use GRE when you need to carry OSPF updates (multicast); use IPsec when you need encryption.
L2TP is a Layer 2 tunneling protocol that can carry PPP frames, while GRE is Layer 3 and encapsulates network layer packets. L2TP often uses IPsec for security, similar to GRE over IPsec.
L2TP is for remote access VPNs (Layer 2); GRE is for site-to-site tunnels (Layer 3).
Step-by-Step Breakdown
Step 1 — Packet arrives at tunnel source
A router receives a packet destined for a network reachable via a GRE tunnel. The routing table points to the tunnel interface.
Step 2 — Encapsulation with GRE header
The router adds a GRE header to the original packet. The header includes the protocol type (e.g., 0x0800 for IPv4) and optional fields like checksum or key.
Step 3 — Encapsulation with delivery header
The router adds an outer IP header with source = tunnel source IP, destination = tunnel destination IP, and protocol = 47 (GRE). The packet is now ready for transport.
Step 4 — Packet traverses the network
The encapsulated packet is forwarded through the intermediate network like any normal IP packet. Routers along the path see only the outer IP header.
Step 5 — Decapsulation at tunnel destination
The destination router receives the packet, sees protocol 47, removes the outer IP header and GRE header, and forwards the original packet to its final destination.
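The five steps above, as an added Python example (not code from the original page): it builds the GRE and outer IPv4 headers by hand, decapsulates them, and shows that the inner addresses stay readable in transit because GRE does not encrypt. The addresses are constructed documentation values, and `gre_encap`, `gre_decap` and `inner_ipv6_addrs` are hypothetical helper names.

```python
import ipaddress
import struct

GRE_PROTO = 47                                    # outer IP protocol number
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000   # checksum/key/sequence present

def ip_checksum(hdr):                             # Internet checksum, IPv4 header
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    s = (s & 0xFFFF) + (s >> 16)
    return ~(s + (s >> 16)) & 0xFFFF

def gre_encap(payload, ptype, src, dst, key=None):
    """Steps 2-3: add the GRE header, then the outer IPv4 header (protocol 47)."""
    gre = struct.pack("!HH", FLAG_K if key is not None else 0, ptype)
    if key is not None:
        gre += struct.pack("!I", key)             # optional key field (RFC 2890)
    addrs = [ipaddress.IPv4Address(a).packed for a in (src, dst)]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(payload),
                      0, 0, 64, GRE_PROTO, 0, *addrs)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + gre + payload

def gre_decap(packet):
    """Step 5: require protocol 47, strip outer IP and GRE headers."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        raise ValueError("not GRE over IPv4")
    off = (packet[0] & 0x0F) * 4                  # outer IP header length
    flags, ptype = struct.unpack_from("!HH", packet, off)
    if flags & 0x0007:
        raise ValueError("GRE version is not 0")
    off, key = off + 4, None
    for flag in (FLAG_C, FLAG_K, FLAG_S):         # each optional field is 4 bytes
        if flags & flag:
            if flag == FLAG_K:
                key = struct.unpack_from("!I", packet, off)[0]
            off += 4
    return {"ptype": ptype, "key": key, "overhead": off, "payload": packet[off:]}

def inner_ipv6_addrs(packet):
    """What any on-path device can read, because GRE does not encrypt."""
    info = gre_decap(packet)
    if info["ptype"] != 0x86DD:                   # only IPv6 payloads handled here
        return None
    return tuple(str(ipaddress.IPv6Address(info["payload"][i:i + 16])) for i in (8, 24))

# Constructed sample: an empty IPv6 packet between documentation addresses.
V6 = [ipaddress.IPv6Address(a).packed for a in ("2001:db8:1::1", "2001:db8:2::1")]
INNER = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64, *V6)
TUNNELED = gre_encap(INNER, 0x86DD, "192.0.2.1", "198.51.100.1")
```

For `TUNNELED`, the `overhead` value returned by `gre_decap` is 24 bytes (20-byte outer IPv4 header plus 4-byte GRE header), and it grows to 28 when the optional key field is present.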
Practical Mini-Lesson
GRE (Generic Routing Encapsulation) is a simple, lightweight tunneling protocol that creates virtual point-to-point links over an IP network. Its core concept is encapsulation: taking an entire packet (the payload) and wrapping it with a GRE header, then placing that inside a delivery protocol packet (usually IP). This allows any protocol to be transported over a network that might not natively support it. For example, you can send IPv6 packets over an IPv4-only network, or carry multicast traffic over a unicast-only infrastructure.
How it works: When a router receives a packet destined for a remote network reachable via a GRE tunnel, it looks up the routing table and forwards the packet to the tunnel interface. The router then encapsulates the original packet with a GRE header (which includes the protocol type of the payload) and then with an IP header addressed to the tunnel destination. The encapsulated packet is sent across the network. At the receiving end, the router strips the outer IP header and GRE header, revealing the original packet, which is then forwarded to its final destination.
GRE is often compared to IPsec. While IPsec provides encryption and authentication, GRE does not. However, GRE can carry multicast and broadcast traffic, which IPsec in transport mode cannot. Therefore, they are often used together: GRE provides the tunnel and multiprotocol support, while IPsec adds security. This combination is known as 'GRE over IPsec' and is a common VPN deployment.
Key takeaway: GRE is a versatile tunneling protocol that enables protocol interoperability and supports multicast, but it offers no security. It is a fundamental tool for network engineers and a frequent exam topic.
Memory Tip
GRE = 'Generic Road Envelope' — think of a truck (GRE) that can carry any type of cargo (any protocol) inside a standard shipping container (IP packet). The truck doesn't care what's inside; it just delivers the container. Remember: GRE is Generic, not secure.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009 CompTIA Network+
200-301 Cisco CCNA
Related Glossary Terms
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
An AP (Access Point) bridges wireless clients to a wired network, acting as a central transceiver and controller for Wi-Fi communications.
An API is a set of rules that allows software applications to communicate and exchange data with each other.
BCP is a proactive process that creates a framework to ensure critical business functions continue during and after a disruptive event.
BNC (Bayonet Neill-Concelman Connector) is a miniature coaxial connector used for terminating coaxial cables in networking, video, and RF applications.
Frequently Asked Questions
Does GRE provide any security?
No, GRE does not provide encryption, authentication, or integrity checking. It is a simple encapsulation protocol. For secure tunnels, GRE is often combined with IPsec, which adds encryption and authentication.
How does GRE compare to IPsec?
GRE is a tunneling protocol that can encapsulate any protocol and supports multicast, but offers no security. IPsec provides strong security (encryption, authentication) but in transport mode cannot carry multicast. They are often used together: GRE for tunneling, IPsec for security.
Can GRE carry multicast traffic?
Yes, GRE can encapsulate multicast packets because it treats the entire original packet as payload. This makes it ideal for carrying routing protocol updates (like OSPF or EIGRP) over a tunnel.
What IP protocol number does GRE use?
GRE uses IP protocol number 47. This is a key fact for exams and for configuring firewall rules to allow GRE traffic.
When should I use GRE instead of a direct IPsec tunnel?
Use GRE when you need to carry multicast or broadcast traffic, or when you need to tunnel non-IP protocols. For simple site-to-site VPNs with only unicast IP traffic, IPsec alone may suffice. For complex scenarios, use GRE over IPsec.
Summary
(1) GRE is a tunneling protocol that encapsulates packets of any protocol inside IP packets to transport them across incompatible networks. (2) It is stateless, supports multicast and broadcast, and uses IP protocol 47, but provides no encryption or authentication. (3) The most important exam fact: GRE is often combined with IPsec to add security; it is the go-to choice when you need to carry non-IP protocols or multicast traffic over a network that only supports unicast IP.