Home > GRE Tunnel Tutorial

GRE Tunnel Tutorial

April 26th, 2018 Go to comments

GRE stands for Generic Routing Encapsulation, which is a very simple form of tunneling. With GRE we can easily create a virtual link between routers and allow them to be directly connected, even if they physically aren’t. Let’s have a look at the topology below:


Suppose R1 and R2 are routers at two far ends of our company. They are connected to two computers who want to communicate. Although R1 and R2 are not physically connected to each other but with GRE Tunnel, they appear to be! This is great when you have multiple end points and don’t care the path between them. The routing tables of two routers show that they are directly connected via GRE Tunnel.

How GRE Tunnel works

When the sending router decides to send a packet into the GRE Tunnel, it will “wrap” the whole packet into another IP packet with two headers: one is the GRE header which uses to manage the tunnel itself. The other is called “Delivery header” which includes the new source and destination IP addresses of two virtual interfaces of the tunnel (called tunnel interfaces). This process is called encapsulation.


In the example above when R1 receives an IP packet, it wraps the whole packet with a GRE header and a delivery header. The delivery header includes new source IP address of (the IP address of R1’s physical interface which is used to create tunnel) and new destination IP address of (the IP address of R2’s physical interface which is used to create tunnel).

It is important to note that the GRE tunnel does not encrypt the packet, only encapsulate it. If we want to encrypt the packet inside GRE Tunnel we must use IPSec but it is out of CCNA scope so we will not mention here.

When the GRE packet arrives at the other end of the tunnel (R2 in this case), the receiving router R2 needs to remove the GRE header and delivery header to get the original packet.

Unlike VPN which does not support multicast, GRE tunnel does support multicast so many popular routing protocols (like OSPF, EIGRP) can operate along with.

Note: The IP addresses of the two ends of GRE Tunnel ( & in this case) can be in the same subnet or different subnet (like over the Internet with public IP addresses), provided that two routers know how to reach each other’s tunnel IP address. For example in this case R1 must know how to reach and R2 must reach

Now you learned the basis of GRE Tunnel. It is important to show you the related GRE configuration of the example above. Suppose OSPF is used in our company.

R1 (GRE config only)
interface s0/0/0
ip address
interface tunnel0
ip address
tunnel mode gre ip //this command can be ignored
tunnel source s0/0/0
tunnel destination
router ospf 1
network area 0
R2 (GRE config only)
interface s0/0/0
ip address
interface tunnel1
ip address
tunnel source
tunnel destination
router ospf 1
network area 0

In the above R1 configuration, the command interface tunnel0 create the virtual tunnel 0 interface, which is called a tunnel interface. We can use any number. The tunnel numbers do not need to match on two routers so on R2 we can use “interface tunnel1” without any problem.

The next line assigns the IP address for the tunnel interface: The IP addresses of two tunnel interfaces must be in the same subnet ( on R1 & on R2 in this case).

The command tunnel mode gre ip is in fact not necessary as this is the default setting. We just want to show you this command and let you know that we are configuring a traditional point-to-point GRE. There are other GRE modes like “tunnel mode gre multipoint” used in DMVPN or “tunnel mode gre ipv6” to encapsulate IPv4 packets in an IPv6 infrastructure.

Next we have to specify the tunnel source and tunnel destination with “tunnel source …” and “tunnel destination” commands. For “tunnel source” command, we can either specify the interface or the IP address of the interface. When we define the tunnel source and tunnel destination in the tunnel interface, the router will add these IP addresses to the GRE packet generated by the tunnel interface. At the receiving end, the router looks for the tunnel destination and decapsulates the packet, then forwards it to the specific tunnel interface.


Note: We can use loopback interface as the tunnel source or destination. Traffic will flow through the best physical path toward the tunnel destination.

One last note, GRE tunnels are stateless which means the tunnel endpoint does not keep any information about the state or availability of the remote tunnel endpoint. Therefore the local tunnel endpoint does not bring the line protocol of the GRE tunnel interface down if the remote tunnel endpoint is unreachable. For example, if R2 tunnel interface is brought down for some reason, R1 tunnel interface will remain in up state.

If you are interested in full config for GRE please read our GRE tunnel Lab to have detailed knowledge of how to configure GRE tunnel.

Comments (10) Comments
  1. MarkL
    April 27th, 2018

    Hi, is there a typo maybe with the PC1 or /and PC2 IP addresses ?
    The tutorial says:
    “The IP addresses of two tunnel interfaces must be in the same subnet ( on R1 & on R2 in this case)”
    and the Host IPs of PC1 and PC2 are:


  2. Rokibul Hasan
    May 2nd, 2018

    Need detailed…with lab

  3. nika
    May 3rd, 2018

    good question

  4. Gregory
    May 8th, 2018

    Hi. Does it matter if interface IPs configured are public or private and the respective Tunnel interface IPs are also public or private ?

    If interface IPs are private then Tunnel IPs must be public and vice versa ? Do both cases work ?

    It is a bit confusing since in GNS3 lab you have private IPs on the interfaces and public on the Tunnel ones while here is the opposite.

  5. Vlonee
    May 10th, 2018

    @Gregory I think the aim of configuring the physical interface with a private address is to enable you see from a virtual perspective how a private address could communicate with another private address via the cloud. Once you ping now you’ll get replies. Secondly the tunnel interface is configured with a public routable address because it is the one that encapsulates the private address in itself making it seem like it is public to enable communication with the other private address.

  6. Anonymous
    May 14th, 2018

    @Gregory -To add to Vlonee’s comment, in a Lab environment, it doesn’t matter what IP addresses you configure on where. But in real world scenario, one of the purposes (or the main purpose) of a GRE Tunnel is to carry a company’s internal private network through the cloud (public internet) to the company’s other branch location or locations. So realistically, the GRE Tunnels are configured with private IP address, while the internet or ISP facing interfaces are configured with public IP addresses.

  7. Tom
    May 19th, 2018

    Hi, what’s the use case for GRE? why not to have the R1 and R2 communicating over standard routing protocol – whichever implemented? Tks. Tom

  8. Andy
    May 21st, 2018

    Hi All,

    I have a ,dump that used on 2 weeks ago about 13-14 May 2018.
    If you want to use it, you can contact me on email {email not allowed}

  9. Amigo
    May 21st, 2018

    Hi Andy we can not see ur email here…

    please send to me on ihussein496(@)gmail.(com)

    thank you in advance

  10. Anonymous
    May 22nd, 2018

    Guys this Dumps Package I purcahse contains all LABS in packet tracer as well as new Dumps MCQs and D&D Questions.


Add a Comment