Generic Routing Encapsulation (GRE) is a tunneling protocol that allows you to encapsulate a wide variety of network layer protocols inside IP tunnels. For the CCNA 200-301 exam (objective 5.7), you need to understand how GRE works, how to configure it, and how it interacts with IPsec for secure site-to-site VPNs. In real networks, GRE is used to connect remote sites over the public internet, carry non-IP protocols, or enable routing protocols across a VPN. Mastering GRE is essential for any network engineer dealing with WAN connectivity and VPNs.
Jump to a section
Imagine you want to send a confidential letter (an IP packet) from New York to Los Angeles, but the postal service only delivers standard envelopes and doesn't allow you to include any special instructions or extra pages. However, you have a special 'Express Envelope' (GRE tunnel) that can hold not only your letter but also any other type of document, like a blueprint (non-IP protocol). You put your letter inside the Express Envelope, write the destination address (the tunnel destination IP) on the outside, and drop it in the mail. The postal service delivers the Express Envelope as a regular package, ignoring its contents. At the destination, the recipient opens the Express Envelope and retrieves the original letter. Now, suppose you also want to ensure the letter is not tampered with or read during transit. You could seal the Express Envelope with a special tamper-proof tape (IPsec). The postal service still delivers the Express Envelope as usual, but now it's secure. In networking terms, the original packet (letter) is encapsulated with a GRE header (Express Envelope) and an outer IP header (address on the envelope). The GRE header can carry a protocol type field (like the type of document inside), allowing it to transport not just IP but also IPX, AppleTalk, or even broadcast traffic. The tunnel endpoints are the sender and recipient who perform the encapsulation and decapsulation. The postal service represents the public internet or transit network. This analogy highlights that GRE provides a virtual point-to-point link between two routers, over which any Layer 3 protocol can be routed.
What is GRE?
Generic Routing Encapsulation (GRE) is a tunneling protocol developed by Cisco that encapsulates a wide variety of network layer protocols inside IP tunnels. It is defined in RFC 2784 and RFC 2890. GRE creates a virtual point-to-point link between two routers over an IP network. The original packet (payload) is wrapped with a GRE header and then an outer IP header. The outer IP header has source and destination addresses that are the tunnel endpoints. The inner packet is carried as the payload and can be any Layer 3 protocol (IPv4, IPv6, IPX, etc.) or even a broadcast frame.
Why GRE Exists
GRE solves several problems: - Multi-protocol transport: GRE can encapsulate non-IP protocols (e.g., IPX, AppleTalk) across an IP-only network. Although CCNA focuses on IP, this capability is a key feature. - Routing protocol support: GRE tunnels allow routing protocols (OSPF, EIGRP) to run over the tunnel interface, enabling dynamic routing across a VPN. Without GRE, you would need static routes or complex configurations. - Connecting discontiguous networks: GRE can connect networks that have overlapping address spaces (by using NAT or VRF-lite, but GRE itself doesn't solve overlap). - Support for multicast and broadcast: GRE can encapsulate multicast and broadcast traffic, which is necessary for routing protocols like OSPF that use multicast.
How GRE Works Step by Step
Packet arrives at tunnel interface: A router receives a packet destined for a network reachable via the GRE tunnel. The router looks up its routing table and forwards the packet out the tunnel interface (e.g., Tunnel0).
Encapsulation: The router takes the original IP packet (or any other protocol packet) and prepends a GRE header. The GRE header is typically 4 bytes (without optional fields) and contains:
- Flags (checksum, key, sequence number presence) - Protocol Type (e.g., 0x0800 for IPv4, 0x86DD for IPv6) 3. Add outer IP header: The router adds a new IP header with source address = tunnel source (the local tunnel endpoint IP) and destination address = tunnel destination (the remote tunnel endpoint IP). The protocol field in the outer IP header is set to 47 (GRE). 4. Transmission: The encapsulated packet is sent out the physical interface towards the tunnel destination. The transit network (internet) routes this packet based on the outer IP header. 5. Decapsulation: The remote router receives the packet with protocol 47. It recognizes it as a GRE packet, removes the outer IP header and GRE header, and retrieves the original payload packet. 6. Forwarding: The remote router then looks up the destination IP of the original packet in its routing table and forwards it out the appropriate interface.
GRE Header Details
The standard GRE header (RFC 2784) is 4 bytes:
Bit 0: Checksum Present (C)
Bit 1: Routing Present (R) – deprecated, should be 0
Bit 2: Key Present (K)
Bit 3: Sequence Number Present (S)
Bit 4: Strict Source Route (s) – deprecated
Bits 5-7: Reserved
Bits 8-15: Version (must be 0)
Bits 16-31: Protocol Type (e.g., 0x0800 for IPv4)
Optional fields (if flags set):
Checksum (2 bytes)
Key (4 bytes) – used for identifying a tunnel flow, often used for QoS or to prevent misconfiguration
Sequence Number (4 bytes) – used for ordering packets
GRE Tunnel Interface Configuration
On Cisco IOS, a GRE tunnel is configured as a logical interface. Example:
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet0/0
tunnel destination 203.0.113.2
tunnel mode gre iptunnel source can be an interface or an IP address. If an interface is used, the router uses that interface's primary IP.
tunnel destination is the IP address of the remote tunnel endpoint.
tunnel mode gre ip is the default mode.
Verification Commands
show ip interface brief
show interfaces tunnel 0
show ip route
show running-config interface tunnel 0Example output of show interfaces tunnel 0:
Tunnel0 is up, line protocol is up
Hardware is Tunnel
Internet address is 10.0.0.1/30
MTU 1476 bytes, BW 100 Kbit/sec, DLY 50000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 192.168.1.1, destination 203.0.113.2
Tunnel protocol/transport GRE/IP
Tunnel TTL 255Note the MTU: GRE adds 24 bytes overhead (20 outer IP + 4 GRE) to the original packet, reducing the MTU from 1500 to 1476. This can cause fragmentation issues if the path MTU is not adjusted.
GRE and IPsec
GRE alone provides no encryption or authentication. For secure VPNs, GRE is often combined with IPsec. Two common approaches: - GRE over IPsec: The GRE packet is encrypted by IPsec. This is flexible because IPsec can be applied to the physical interface or a crypto map. - IPsec over GRE: The original packet is encrypted first, then encapsulated in GRE. Less common.
Cisco recommends GRE over IPsec for site-to-site VPNs because it allows routing protocols to run over the tunnel and provides encryption.
GRE Keepalives
GRE tunnels do not inherently detect if the remote endpoint is reachable. Cisco routers support GRE keepalives (tunnel keepalive) to monitor the tunnel's health. If keepalives are enabled, the router sends periodic GRE keepalive packets (which are encapsulated in GRE) and expects a reply. If no reply is received after a configured number of retries, the tunnel interface goes down. This is useful for triggering route failover. Configuration:
interface Tunnel0
keepalive 10 3This sends a keepalive every 10 seconds, and if 3 consecutive replies are missed, the tunnel is considered down.
GRE and Routing
Because a GRE tunnel is a virtual point-to-point link, you can run a routing protocol over it. For example, you can configure OSPF on the tunnel interface:
router ospf 1
network 10.0.0.0 0.0.0.3 area 0This allows dynamic routing of networks behind each GRE endpoint. Without GRE, you would need static routes to reach remote networks across an IPsec VPN.
Key Points for CCNA
GRE encapsulates a payload packet with a GRE header and an outer IP header.
Protocol type 47 in the outer IP header indicates GRE.
GRE supports multiprotocol transport (IPv4, IPv6, etc.).
GRE supports multicast and broadcast, enabling routing protocols.
GRE adds 24 bytes overhead (20 IP + 4 GRE).
GRE is stateless (no session establishment).
GRE can be secured with IPsec.
tunnel source and tunnel destination define the endpoints.
show interfaces tunnel x verifies tunnel status.
Keepalives are optional but recommended for fast failure detection.
Common Traps on the Exam
GRE vs IPsec: GRE does not provide encryption. Many candidates think GRE is secure. It is not.
GRE overhead: The exam may ask about MTU changes. GRE adds 24 bytes, not 20 or 50.
Protocol 47: The outer IP header protocol field is 47, not 50 (ESP) or 51 (AH).
GRE tunnels are point-to-point: Not multipoint by default (unless using mGRE).
Keepalive behavior: Keepalives are sent inside the GRE tunnel, not as separate ICMP packets.
Configure tunnel interface
Enter global configuration mode and create a tunnel interface: `interface Tunnel0`. This logical interface will serve as the endpoint for the GRE tunnel. Assign an IP address to the tunnel interface (e.g., `ip address 10.0.0.1 255.255.255.252`). This address is used for routing between the tunnel endpoints. It can be from a private subnet used only for the tunnel.
Set tunnel source
Specify the source of the tunnel with `tunnel source {interface | ip-address}`. Typically, you use the physical interface that connects to the WAN, e.g., `tunnel source GigabitEthernet0/0`. The router will use the primary IP address of that interface as the source IP in the outer IP header. Alternatively, you can specify a specific IP address if you have multiple IPs on the interface.
Set tunnel destination
Define the remote tunnel endpoint with `tunnel destination {ip-address}`. This is the IP address of the remote router's physical interface (or loopback) that will receive the GRE packets. For example, `tunnel destination 203.0.113.2`. Ensure that this IP is reachable via the physical network.
Configure tunnel mode
By default, the tunnel mode is GRE over IP (tunnel mode gre ip). This is the standard for CCNA. You can verify with `show running-config interface Tunnel0`. If you need to change it (e.g., to IPsec), you would use `tunnel mode ipsec ipv4`, but for basic GRE, the default is fine.
Enable keepalives (optional)
To monitor tunnel liveness, configure keepalives: `keepalive 10 3`. This sends a keepalive packet every 10 seconds. If 3 consecutive keepalives are not replied to, the tunnel interface goes down. This is optional but recommended for fast failure detection. Without keepalives, the tunnel stays up even if the remote endpoint is unreachable.
Configure routing
Add a static route or run a routing protocol over the tunnel. For a simple site-to-site VPN, you can add a static route: `ip route 192.168.2.0 255.255.255.0 Tunnel0`. This sends traffic for the remote LAN (192.168.2.0/24) through the tunnel. Alternatively, enable OSPF or EIGRP on the tunnel interface to advertise networks dynamically.
Verify the tunnel
Use `show interfaces tunnel 0` to check tunnel status. Look for 'Tunnel0 is up, line protocol is up'. Also use `ping` from the tunnel IP to the remote tunnel IP. Use `show ip route` to confirm the tunnel route is in the routing table. Use `debug tunnel` for troubleshooting (if needed).
In enterprise networks, GRE tunnels are commonly used to connect branch offices to a central headquarters over the internet. For example, a company with a main office in New York and a branch in London might set up a GRE tunnel between their edge routers. The tunnel interface on each router gets an IP address from a private subnet (e.g., 10.0.0.0/30). Static routes or dynamic routing protocols like OSPF are configured to advertise the internal networks (e.g., 192.168.1.0/24 in NY and 192.168.2.0/24 in London). The GRE tunnel allows the two sites to communicate as if they were directly connected. However, since GRE does not provide encryption, the traffic is sent in cleartext over the internet. To secure it, the GRE tunnel is often combined with IPsec. A typical deployment is 'GRE over IPsec', where the GRE packets are encrypted by an IPsec tunnel. This provides both the multiprotocol capability of GRE and the security of IPsec.
Another scenario is when an organization needs to carry non-IP traffic (e.g., legacy IPX) across an IP-only WAN. GRE can encapsulate IPX packets, allowing the legacy protocol to coexist with modern IP networks. Although rare today, this was a key use case in the past.
A common misconfiguration is forgetting to set the tunnel source and destination correctly, or using an unreachable destination IP. Another issue is MTU mismatch: GRE adds 24 bytes of overhead, so the path MTU must be at least 1476 bytes for a 1500-byte payload. If the physical interface has an MTU of 1500, the router will fragment packets that exceed 1476 bytes. To avoid fragmentation, you can set ip mtu 1476 on the tunnel interface. In production, you might also use ip tcp adjust-mss 1436 on the tunnel interface to prevent TCP MSS issues.
Performance considerations: GRE tunneling adds CPU overhead due to encapsulation/decapsulation. On modern routers, this is minimal, but on low-end devices, it can impact throughput. Also, GRE tunnels do not have built-in QoS, so you need to apply QoS policies on the physical interface.
When a GRE tunnel is misconfigured (e.g., wrong destination IP), the tunnel interface may be up/up but no traffic flows because the outer IP packets are not reaching the destination. Using ping from the tunnel source to the tunnel destination over the physical interface can help diagnose reachability issues.
For CCNA 200-301 exam objective 5.7 (Configure and verify site-to-site VPNs using IPsec and GRE), the focus is on understanding GRE's role as a tunneling protocol that can be secured with IPsec. The exam expects you to know:
GRE encapsulation process: original packet -> GRE header -> outer IP header (protocol 47).
GRE overhead: 24 bytes (20 IP + 4 GRE).
GRE supports multicast and broadcast, enabling routing protocols.
GRE does not provide encryption or authentication.
Configuration of a GRE tunnel: interface Tunnel0, tunnel source, tunnel destination.
Verification commands: show interfaces tunnel 0, show ip interface brief.
Common wrong answers: 1. 'GRE uses protocol 50 (ESP)': This is IPsec ESP, not GRE. GRE uses protocol 47. 2. 'GRE provides encryption': No, GRE is plaintext. IPsec must be added for encryption. 3. 'GRE tunnels are point-to-multipoint': By default, GRE is point-to-point. Multipoint GRE (mGRE) is used for DMVPN, but that's beyond CCNA. 4. 'GRE keepalives use ICMP': Keepalives are GRE encapsulated packets, not ICMP.
On the exam, you may be given a scenario where two routers need to exchange routing updates over a VPN. The correct answer will involve configuring a GRE tunnel and running OSPF/EIGRP over it. A distractor might suggest using IPsec alone, but IPsec (tunnel mode) does not support multicast, so routing protocols cannot run over it directly.
Decision rule: If the question requires transport of multicast or routing protocols, GRE is needed. If only encryption is needed, IPsec alone may suffice. But for site-to-site VPN with dynamic routing, GRE over IPsec is the standard.
Calculation trap: If a packet is 1500 bytes and passes through a GRE tunnel, the new packet size is 1500 + 24 = 1524 bytes. If the physical interface has an MTU of 1500, fragmentation occurs. You may be asked to adjust MTU or MSS.
GRE encapsulates payload with a GRE header (4 bytes) and outer IP header (20 bytes), total 24 bytes overhead.
Outer IP header protocol field is 47 (GRE).
GRE tunnels are point-to-point logical interfaces that support multicast and broadcast.
GRE does not provide encryption; use IPsec for security.
Configuration commands: interface Tunnel0, tunnel source, tunnel destination.
Verification: show interfaces tunnel 0, show ip route.
GRE keepalives are optional; without them, the tunnel remains up even if remote is unreachable.
These come up on the exam all the time. Here's how to tell them apart.
GRE Tunnel
Encapsulates any Layer 3 protocol (multi-protocol)
Supports multicast and broadcast
No encryption or authentication
Adds 24 bytes overhead (20 IP + 4 GRE)
Uses IP protocol 47
Stateless, no SA negotiation
IPsec Tunnel Mode
Encapsulates only IP packets (with ESP/AH)
Does not support multicast (unless with GRE)
Provides encryption and authentication
Adds 50-60 bytes overhead (tunnel mode ESP)
Uses IP protocols 50 (ESP) and 51 (AH)
Stateful, requires IKE SA negotiation
Mistake
GRE provides encryption and authentication.
Correct
GRE only encapsulates packets; it offers no security. Encryption requires IPsec or other VPN protocols.
Many candidates assume any tunneling protocol is secure because they associate tunnels with VPNs.
Mistake
GRE uses IP protocol 50 (ESP) or 51 (AH).
Correct
GRE uses IP protocol 47. ESP is protocol 50, AH is 51.
Confusion with IPsec protocols because GRE is often used with IPsec.
Mistake
GRE tunnels are point-to-multipoint by default.
Correct
Standard GRE tunnels are point-to-point. Multipoint GRE (mGRE) is a different technology used in DMVPN.
The word 'generic' may imply flexibility, but Cisco's implementation is point-to-point.
Mistake
GRE keepalives are ICMP echo requests.
Correct
GRE keepalives are GRE-encapsulated packets sent to the tunnel destination; they are not ICMP.
Keepalive sounds like ping, but the mechanism is different.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
GRE is a tunneling protocol that encapsulates packets (including non-IP protocols) and supports multicast, but provides no security. IPsec is a suite of protocols that provides encryption, authentication, and integrity, but typically only supports IP unicast (tunnel mode can encapsulate IP, but not multicast). For site-to-site VPNs that need dynamic routing, GRE over IPsec is used: GRE carries the routing protocols, and IPsec encrypts the GRE packets.
Yes. GRE can encapsulate IPv6 packets by setting the protocol type field to 0x86DD. The outer IP header can be IPv4 or IPv6. For CCNA, you only need to know that GRE is protocol-agnostic.
Without keepalive, a GRE tunnel remains up even if the remote endpoint becomes unreachable. This can cause blackholing of traffic. Keepalive sends periodic GRE encapsulated packets; if no reply is received, the tunnel interface goes down, allowing route failover. Use `keepalive <seconds> <retries>` on the tunnel interface.
The default MTU of a GRE tunnel interface is 1476 bytes (1500 - 24 overhead). If the physical interface has an MTU of 1500, packets larger than 1476 will be fragmented. You can adjust the tunnel MTU with `ip mtu 1476` or use `ip tcp adjust-mss 1436` to prevent TCP issues.
Yes. GRE supports multicast, which EIGRP uses (224.0.0.10). Configure EIGRP on the tunnel interface just like any other interface. This allows dynamic routing across the tunnel.
IP-in-IP (protocol 4) encapsulates IP packets inside IP, but it only supports IP as the passenger protocol. GRE can encapsulate any Layer 3 protocol (IP, IPX, etc.) and includes a protocol type field. GRE is more flexible and is the standard for Cisco.
Use `show interfaces tunnel 0` to check if the interface is up/up. Use `ping` from the tunnel IP to the remote tunnel IP. Use `show ip route` to see the route through the tunnel. Use `debug tunnel` or `debug ip packet` for detailed troubleshooting (caution: debug can be CPU intensive).
You've just covered GRE Tunnels — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?