What Is GRE Tunnel in Networking?
Also known as: GRE Tunnel, Generic Routing Encapsulation, Cisco GRE tunnel configuration, ENCOR GRE tunnel, GRE vs IPsec
On This Page
Quick Definition
A GRE tunnel is like a secure, private tube that connects two separate networks over the public internet. It takes data packets from one network and puts them inside new packets that can travel across the internet. When they reach the other end, the original packets are taken out and delivered. It helps networks that use different protocols talk to each other.
Must Know for Exams
In Cisco CCNP Enterprise certification exams, particularly the ENCOR (350-401) exam, GRE tunnels are a core topic under the network virtualization and overlay technologies domain. The exam objectives require candidates to understand the purpose, configuration, and troubleshooting of GRE tunnels. You are expected to know how GRE works at a packet level, how it differs from other tunneling protocols, and when to use it versus other solutions like IPsec or MPLS.
Questions can appear in multiple formats. You might see a multiple-choice question asking you to identify the correct command to configure a GRE tunnel interface. For example, you need to know that the tunnel source can be a specific IP address or a physical interface, and that the tunnel destination must be the IP address of the remote router. Another question might ask which protocol GRE can carry, with the correct answer being any Layer 3 protocol, not just IP.
Scenario-based questions are common. The exam might describe a company with two branch offices connected via the internet. The branches need to run OSPF to share routes, but the internet does not support multicast. You would need to choose GRE tunneling as the solution. The question may then ask you to determine the correct configuration steps or identify a problem in a given configuration snippet. Troubleshooting questions might involve MTU issues, where a ping works but larger packets fail, indicating a fragmentation problem caused by GRE overhead.
The ENCOR exam also tests the concept of encapsulating multiple protocols. You may be asked to compare GRE with IPsec. For instance, a question might state that a company needs to encrypt traffic but also needs to support multicast routing protocols. The correct answer would be to use GRE over IPsec, because IPsec alone cannot transport multicast. Understanding these nuances is critical for passing the exam.
Furthermore, the exam expects you to know the GRE header fields, not in detail, but enough to understand that GRE adds a protocol type field. You should be familiar with the configuration commands: interface tunnel number, ip address, tunnel source, tunnel destination, and tunnel mode. The command show interface tunnel shows the status and statistics, and debug tunnel is used for troubleshooting. These commands are tested in both configuration and troubleshooting contexts.
Simple Meaning
Imagine you work in a large office building with two separate sections: one for sales and one for engineering. The two sections have their own internal mail systems that use different types of envelopes. The building also has a central postal service that only handles standard envelopes. To send a message from sales to engineering, you cannot use the engineering envelope directly through the central mail. So, you take the engineering envelope, put it inside a standard envelope, and send it through the central mail. When it arrives in the engineering section, someone opens the standard envelope and takes out the engineering envelope, delivering it to the right person.
In networking, a GRE tunnel works the same way. GRE stands for Generic Routing Encapsulation. A network packet, which is a unit of data, normally has a header that tells it where to go and what protocol it uses. Some networks, like the public internet, only understand certain types of packets, usually IP packets. But your private network might use a different protocol, or you might want to send a special kind of traffic, like a routing update, across the internet. GRE takes that original packet and wraps it inside a standard IP packet as if it were a piece of cargo. This new packet can now travel across any IP network. At the destination, the wrapping is removed, and the original packet is released to continue its journey.
This is not encryption, so the data inside is not hidden or protected. GRE is just a way to transport one type of packet through a network that does not understand it. It is like using a universal mail envelope to send a specialty package through a general mail system.
Full Technical Definition
A GRE tunnel is defined in RFC 2784, which specifies the encapsulation protocol used to carry packets of one protocol over another protocol. The most common use is to transport non-IP protocols, such as Internetwork Packet Exchange (IPX) or AppleTalk, over an IP network, though today it is more frequently used to carry IP multicast or IPv6 traffic over an IPv4 infrastructure. GRE creates a virtual point-to-point link between two routers. Each router has a tunnel interface that is configured with source and destination IP addresses, which are the real IP addresses of the routers. The tunnel itself does not have a set bandwidth or delay value; it behaves like a logical connection.
When a router receives a packet that needs to go through the GRE tunnel, it encapsulates the entire original packet, including its header, as the payload. A new GRE header is added, which contains a protocol type field that identifies the protocol of the payload, such as 0x0800 for IP or 0x86DD for IPv6. Then, a new outer IP header is added, with the source IP set to the local tunnel source and the destination IP set to the remote tunnel destination. This new packet is routed normally across the network.
On the receiving router, the destination IP address is checked. If it matches the tunnel interface, the outer IP header and GRE header are stripped off. The original packet is then processed based on its own header information, as if it had arrived directly on a physical interface. A key consideration is the MTU (Maximum Transmission Unit) size. Because GRE adds 24 bytes of overhead (20 bytes for the IP header and 4 bytes for the GRE header), the effective payload size is reduced. If the original packet is already at the maximum size, it may need to be fragmented. Many implementations adjust the MTU of the tunnel interface automatically to 1476 bytes on Ethernet links to avoid fragmentation.
In Cisco IOS, a GRE tunnel is configured by creating a tunnel interface, assigning an IP address to the tunnel (which is used for routing inside the tunnel), and specifying the tunnel source and destination using the tunnel source and tunnel destination commands. The tunnel mode gre ip is typically the default. GRE tunnels can also carry multicast traffic, which is why they are used to transport routing protocols like OSPF or EIGRP across non-multicast networks. GRE alone does not provide encryption, so it is often combined with IPsec to create a secure VPN. This combination is sometimes called a GRE-over-IPsec tunnel, where the GRE packet is encrypted by IPsec before being sent over the internet.
Real-Life Example
Consider a large university with two separate campuses on opposite sides of a city. Each campus has its own internal phone system that uses a special kind of wiring and signals, but the two systems cannot talk directly to each other because they use different technologies. The university decides to use the public telephone network that everyone uses, which is based on a standard signal, to connect the two campuses.
To do this, they install a device at each campus that takes the special internal phone signal and converts it into a standard phone signal, then sends it over the public network. At the other end, another device converts it back. The special internal signals are wrapped inside the standard signals for the journey. The public telephone network does not even know it is carrying the special signals; it just sees standard phone calls. The two campuses can now make internal calls as if they were in the same building.
This is exactly how a GRE tunnel works. The special internal signals are the original network packets. The public telephone network is the internet. The devices that convert the signals are the routers with GRE tunnel interfaces. The wrapping of the special signal inside the standard signal is the encapsulation. The conversion back at the other end is the decapsulation. The entire system allows two networks that may use different protocols or be separated by a network that does not understand them to communicate as if they were directly connected.
Why This Term Matters
GRE tunnels are a fundamental tool in enterprise networking because they solve a specific problem: network incompatibility. Many organizations have networks that run multiple protocols, or they need to connect remote sites using a network that only supports one protocol, typically IPv4. GRE tunnels provide a simple, standardized way to bridge those gaps without requiring expensive hardware or complex rewiring.
In practice, GRE tunnels are used in several critical scenarios. One common use is to transport multicast traffic. Routing protocols like OSPF and EIGRP use multicast addresses to share routing information. If you have two sites connected only by a public internet link that does not support multicast, you cannot run these routing protocols directly. By creating a GRE tunnel between the two sites, you can send multicast packets through the tunnel, because GRE can encapsulate multicast packets inside unicast IP packets. This keeps routing tables updated across the entire network.
Another important use is connecting IPv6 networks over an IPv4 internet. Many organizations are migrating to IPv6, but the internet backbone still runs on IPv4 in many areas. A GRE tunnel can carry IPv6 packets over an IPv4 network, allowing IPv6-only sites to communicate. This is called IPv6 over IPv4 tunneling.
GRE also plays a role in Virtual Private Networks (VPNs). While GRE itself does not encrypt data, it is often combined with IPsec to provide both tunneling and encryption. The GRE tunnel carries the traffic, and IPsec encrypts the entire GRE packet. This setup is used in many site-to-site VPNs because it allows the VPN to carry multiple protocols and multicast traffic, whereas a pure IPsec VPN might be limited to unicast IP traffic.
For network engineers, understanding GRE tunnels is essential for designing scalable, flexible networks. They allow the separation of the logical network topology from the physical infrastructure, making it easier to manage changes and connect disparate parts of an organization. They also help in bypassing network restrictions, such as when a routing protocol cannot be run directly over a WAN link.
How It Appears in Exam Questions
GRE tunnel questions in Cisco exams appear in various forms, testing both theoretical knowledge and practical configuration skills. One common pattern is the concept check question. For example, a question might state: Which encapsulation is used to transport multiprotocol traffic over a single protocol? The options could include GRE, IPsec, SSL, and L2TP. The correct answer is GRE because it is designed to encapsulate any Layer 3 protocol. Another theoretical question might ask: What is the purpose of the protocol type field in a GRE header? The answer is to identify the protocol of the encapsulated payload, such as IP or IPv6.
Configuration questions usually present a scenario with partial router configurations. You might see a snippet where a tunnel interface is configured with an IP address, but the tunnel source and destination are missing. The question then asks you to complete the configuration. For instance, given that the local router has a public IP of 203.0.113.1 and the remote router has 198.51.100.2, you would need to add: tunnel source 203.0.113.1 and tunnel destination 198.51.100.2. Another variant might ask you to identify why a tunnel is not working, with the answer being that the tunnel destination is misconfigured or that the source interface is down.
Troubleshooting questions are very common. A scenario might describe an engineer who sets up a GRE tunnel and can ping the tunnel IP address of the remote router, but cannot ping a host behind the remote router. The question asks for the probable cause. The answer might be that there is no route on the remote router for the network behind the local router, or that the tunnel interface itself is not included in the routing process. Another troubleshooting question could involve MTU: Users can send small emails but large transfers fail. The solution is to adjust the MTU on the tunnel interface, or ensure that the underlying path supports jumbo frames.
Simulation questions, though less common in the current exam format, may ask you to configure a GRE tunnel from scratch on a virtual router. You would need to enter global configuration mode, create the tunnel interface, assign an IP address, set the source and destination, and then apply the configuration. Some questions combine GRE with IPsec, asking you to configure a GRE tunnel and then apply a crypto map to encrypt the traffic. Finally, design questions might ask you to choose between GRE, IPsec, or MPLS for a given requirement, such as connecting two sites that need to support multicast traffic. Understanding the strengths and limitations of GRE is essential for these questions.
Study encor
Test your understanding with exam-style practice questions.
Example Scenario
A company called TechFlow has two offices, one in New York and one in Chicago. Each office runs a local network that uses IPv6 internally. However, the internet connection between the two offices only supports IPv4. The IT administrator needs to allow devices in New York to communicate directly with devices in Chicago using IPv6.
To solve this, the administrator sets up a GRE tunnel between the two offices. On the router in New York, they create a tunnel interface with an IPv6 address. They set the tunnel source to the New York router's public IPv4 address and the tunnel destination to the Chicago router's public IPv4 address. Then, they configure a static route on the New York router that sends all IPv6 traffic destined for Chicago's network through the tunnel interface. They repeat this configuration on the Chicago router. Now, when a computer in New York sends an IPv6 packet to a server in Chicago, the New York router encapsulates that IPv6 packet inside an IPv4 packet. The new IPv4 packet travels over the internet to Chicago. The Chicago router sees the destination IPv4 address, recognizes it belongs to the tunnel interface, strips off the outer IPv4 and GRE headers, and delivers the original IPv6 packet to the server. The entire process is transparent to the users, who simply see a working IPv6 connection between the two offices.
Common Mistakes
Thinking GRE provides encryption or security for the data it carries.
GRE is purely an encapsulation protocol, not a security protocol. It does not encrypt the payload or add any authentication. The data inside the GRE packet is sent in clear text and can be read by anyone who intercepts it. Security must be added separately, usually with IPsec.
Always remember that GRE is for tunneling, not for security. If you need confidentiality, use GRE over IPsec, not just GRE alone.
Configuring the tunnel source and destination with the same IP address on both ends.
The tunnel source on one router must be the tunnel destination on the other router, and they must be different IP addresses. If you set both to the same IP address, the packet will loop or fail entirely. Each router has its own unique public IP address.
Ensure that Router A's tunnel source is Router A's public IP, and Router A's tunnel destination is Router B's public IP. On Router B, the tunnel source is Router B's public IP, and the tunnel destination is Router A's public IP.
Forgetting to account for GRE overhead when setting MTU values.
GRE adds 24 bytes of overhead to each packet. If the original packet is already at the maximum size of 1500 bytes, the encapsulated packet will be 1524 bytes, which exceeds the Ethernet MTU. This can cause fragmentation or packet loss, leading to performance issues.
When configuring a GRE tunnel, reduce the MTU on the tunnel interface to 1476 bytes, or configure the underlying physical interface to support larger frames (jumbo frames). Cisco routers often do this automatically, but it is good practice to verify and adjust if needed.
Believing that a GRE tunnel can carry only IP traffic.
One of the main purposes of GRE is to carry multiple protocols. It can encapsulate non-IP protocols like IPX, AppleTalk, and CLNP, as well as IPv4, IPv6, and multicast traffic. Limiting it to only IP traffic misses a key feature.
Remember that GRE is a generic encapsulation protocol designed to carry any Layer 3 protocol. The protocol type field in the GRE header identifies what is being carried.
Assuming that a GRE tunnel is a Layer 2 connection.
GRE operates at Layer 3 of the OSI model, meaning it encapsulates Layer 3 packets, not Layer 2 frames. It does not carry Ethernet frames or MAC addresses. If you need a Layer 2 tunnel, you would use technologies like L2TP or VXLAN.
Keep in mind that GRE is for tunneling network layer packets. If you need to extend a Layer 2 network across a WAN, look for Layer 2 tunneling solutions instead.
Exam Trap — Don't Get Fooled
In a troubleshooting question, you see that the GRE tunnel is up and the tunnel interface IP addresses are reachable via ping, but hosts on either side cannot communicate. You might think the tunnel is functioning correctly and look for issues in routing protocols or firewalls. Always check the routing tables on both routers.
The tunnel interface itself may be reachable, but the routers still need routes to the networks behind each other. You must configure either static routes pointing to the tunnel interface or include the tunnel interface in a routing protocol like OSPF. Verify with show ip route that the remote networks appear with the tunnel interface as the next hop.
Commonly Confused With
An IPsec tunnel provides encryption and authentication, making it secure, but it does not natively carry multicast or non-IP traffic. GRE is not secure but can carry any Layer 3 protocol, including multicast. Many implementations use GRE over IPsec to get both benefits.
If you want to send IPv6 and OSPF traffic over the internet and you need it encrypted, you would use a GRE tunnel inside an IPsec tunnel. If you only need to send unicast IP traffic and need encryption, you could use IPsec alone.
VXLAN is a Layer 2 overlay technology that encapsulates Ethernet frames inside UDP packets over IP networks. GRE is a Layer 3 overlay that encapsulates Layer 3 packets. VXLAN is designed for data center networks to create virtualized Layer 2 segments across a Layer 3 fabric, while GRE is simpler and used in enterprise WAN and routing scenarios.
For connecting two virtual machines on different servers in a data center as if they were on the same switch, VXLAN is used. For connecting two branch office routers to exchange routing updates, GRE is used.
L2TP is a Layer 2 tunneling protocol that can carry PPP frames, allowing for remote access VPNs and the transport of multi-protocol traffic over IP networks. GRE is a Layer 3 protocol that directly encapsulates Layer 3 packets without a PPP session. L2TP is often used with IPsec for security, while GRE is simpler and lighter for site-to-site connections.
For a remote employee dialing into the corporate network, L2TP with IPsec is typical. For connecting two company routers to share routing information, GRE is preferred because it is more efficient and supports routing protocols directly.
Step-by-Step Breakdown
Step 1: Packet Arrival
A device on the local network sends a packet destined for a remote network. The local router receives this packet on a physical interface. The router determines, based on its routing table, that the best path to the destination is through the GRE tunnel interface. The packet is then passed to the tunnel interface for processing.
Step 2: Encapsulation
The router takes the entire original packet, including its IP header and payload, and treats it as the payload for a new packet. The router adds a GRE header to this payload. The GRE header contains a protocol type field that identifies the original packet's protocol, such as 0x0800 for IPv4.
Step 3: Outer IP Header Addition
The router then adds a new outer IP header in front of the GRE header. The source IP address in this outer header is the router's tunnel source IP address (usually the public IP of the router's physical interface). The destination IP address is the tunnel destination IP address of the remote router. This new packet can now be routed over any IP network.
Step 4: Transit Across the Network
The new encapsulated packet is forwarded out of the router's physical interface and travels across the internet or intermediate network. Intermediate routers see only the outer IP header and route the packet based on the destination IP address. They do not inspect the GRE header or the original packet inside. The packet traverses the network like any other IP packet.
Step 5: Decapsulation at the Destination
The remote router receives the encapsulated packet on its physical interface. It examines the destination IP address and sees that it matches its own IP address, but the packet is destined for the tunnel interface. The router strips off the outer IP header and the GRE header, revealing the original packet. The original packet is then processed by the router's normal forwarding logic, as if it had arrived on a physical interface connected to the remote network.
Step 6: Forwarding to the Final Destination
The remote router checks its routing table for the destination address of the original packet and forwards it out the appropriate physical interface towards the final destination device on the remote network. The process is complete, and the original packet is delivered.
Step 7: Optional Fragmentation Handling
If the encapsulated packet exceeds the MTU of any link in the path, fragmentation may occur. The outer IP packet can be fragmented like any other IP packet, but this can cause inefficiency. Many routers automatically set the tunnel interface MTU to 1476 bytes to avoid fragmentation. Alternatively, the router can set the Don't Fragment (DF) bit and drop packets that are too large, sending an ICMP message back to the source to adjust the packet size.
Practical Mini-Lesson
When you configure a GRE tunnel in a real Cisco environment, you need to understand both the configuration commands and the underlying logic. Start by logging into the router and entering global configuration mode. The first step is to create a tunnel interface with the command interface tunnel <number>. The number can be any integer from 0 to 2147483647. Once inside the tunnel interface configuration, you assign an IP address to the tunnel. This IP address should be from a private subnet that is used only for the tunnel link. For example, you might use 10.0.0.1 255.255.255.252 on one end and 10.0.0.2 with the same mask on the other end. This IP address is important because it becomes the next hop for routes pointing to the remote network.
Next, you specify the tunnel source using the command tunnel source <interface or IP address>. This is the physical interface or the IP address that the router will use as the source in the outer IP header. Typically, you use the router's public-facing interface, such as GigabitEthernet0/1, or its public IP address directly. Then you set the tunnel destination with tunnel destination <IP address>, which is the public IP address of the remote router. You can also leave the tunnel mode as the default, which is gre ip. The command show interface tunnel <number> will display the status of the tunnel, including whether it is up, the IP address, and packet statistics. If the tunnel does not come up, check that both routers have reachability to each other's tunnel destination IP addresses. A simple ping from one router to the other's public IP is a good first test.
Once the tunnel is up, you must ensure routing is in place. You can add a static route on the local router pointing the remote network to the tunnel interface, for example: ip route 192.168.2.0 255.255.255.0 tunnel0. Alternatively, you can run a routing protocol over the tunnel. To do this, include the tunnel interface in the routing protocol configuration. For instance, in OSPF, you would enter the network command for the tunnel subnet or use the ip ospf process area command on the tunnel interface. Because GRE supports multicast, OSPF and EIGRP work perfectly over the tunnel.
One common problem is that the tunnel works for a while and then stops. This is often caused by a route flapping or a change in the underlying IP address of the physical interface. If the physical interface gets a new IP address via DHCP, the tunnel source will be wrong. To avoid this, use the interface name as the tunnel source rather than a fixed IP address, when possible. Another issue is that the tunnel may work but throughput is low. This can be due to fragmentation. Use the command ip mtu 1476 on the tunnel interface to adjust the MTU. Also, consider the tunnel path MTU discovery, which can be enabled with ip tcp adjust-mss 1360 on the tunnel interface to prevent TCP packets from being too large.
For professionals, GRE tunnels are often part of larger VPN designs. When combined with IPsec, you first create the GRE tunnel, then configure an IPsec transform set and crypto map that matches traffic from the tunnel source to the tunnel destination. The IPsec then encrypts the entire GRE packet. This is a very robust solution because it allows you to run routing protocols and carry multicast traffic over a secure link. In summary, mastering GRE tunnels gives you a flexible tool for connecting networks across any IP infrastructure, and it is a key skill for any CCNP-level network engineer.
Memory Tip
Think of GRE as a plain envelope inside a standard postal envelope: the inner envelope can be any shape or size, but the outer envelope must be the standard type. GRE encapsulates any protocol inside an IP envelope, but does not lock or seal it.
Covered in These Exams
Related Glossary Terms
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
An A record is a DNS record that maps a domain name to the IPv4 address of the server hosting that domain.
Frequently Asked Questions
Does a GRE tunnel encrypt my data?
No, GRE does not provide encryption. It only encapsulates packets. If you need encryption, you must combine GRE with IPsec, which will encrypt the entire GRE packet.
What is the difference between a GRE tunnel and a VPN?
A GRE tunnel is a type of tunneling protocol that can be part of a VPN. A VPN typically includes encryption, which GRE alone does not. GRE is often used inside a VPN to carry multicast or non-IP traffic.
Can a GRE tunnel carry multicast traffic?
Yes, GRE can encapsulate multicast packets. This is one of its main advantages, as it allows routing protocols like OSPF that rely on multicast to work across networks that do not support multicast natively.
What are the main configuration commands for a GRE tunnel on a Cisco router?
The key commands are interface tunnel number, ip address, tunnel source, and tunnel destination. Optionally, you can set tunnel mode gre ip, though that is usually the default.
Why is my GRE tunnel up but I cannot ping hosts on the other side?
This usually means the tunnel is working but there is no route to the remote network. Check the routing table on both routers. You need a static route or a routing protocol that advertises the remote networks through the tunnel interface.
What does the protocol type field in the GRE header do?
It identifies the protocol of the encapsulated payload, such as IPv4, IPv6, or MPLS. This allows the receiving router to correctly decapsulate and process the original packet.
Can I use a GRE tunnel to connect two networks that use the same protocol?
Yes, GRE can encapsulate any Layer 3 protocol, so it can carry IPv4 over IPv4, IPv6 over IPv4, or IPv4 over IPv6, among others. It is often used to connect IPv6 islands over an IPv4 internet.
Summary
A GRE tunnel is a versatile and foundational networking tool that allows one protocol to be transported over another by encapsulating packets. It is defined in RFC 2784 and operates at Layer 3, making it ideal for carrying multicast, IPv6, or any other Layer 3 traffic across networks that only support a single protocol, like IPv4. GRE does not provide encryption, so it is frequently used in combination with IPsec for secure site-to-site VPNs.
In Cisco CCNP Enterprise exams, especially ENCOR, GRE tunnels appear in configuration, troubleshooting, and design questions. You need to understand the encapsulation process, the necessity of correct routing, and common pitfalls such as MTU issues and misconfigured tunnel endpoints. For real IT work, GRE tunnels enable network engineers to connect disparate networks flexibly and cost-effectively, supporting dynamic routing protocols and overcoming protocol incompatibilities.
Mastery of GRE tunnels is a core skill for any enterprise network professional.