Definition

Generic Routing Encapsulation (GRE)

By

Rahul Awati
Tessa Parmenter, Contributor
Lisa Phifer, Core Competence

What is Generic Routing Encapsulation (GRE)?

Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route various protocols over Internet Protocol (IP) networks. GRE is defined by Internet RFC 2784. GRE was developed as a tunneling tool meant to carry any OSI Layer 3 network protocol over an IP network. In essence, GRE creates a private point-to-point connection like that of a virtual private network (VPN).

The GRE protocol involves encapsulating or wrapping data packets within other data packets. Doing so creates a tunnel (also known as a GRE tunnel) between two routers and establishes a direct or point-to-point connection between separate IP networks or protocols. Such tunneling of packets simplifies the connections between those networks.

Suppose a connection is to be set up between two networks or LANs. Assume that one network uses the IPv6 protocol while the other supports the older IPv4 protocol. Without GRE, the two networks would be unable to communicate with each other due to their protocol differences. But with GRE, the IPv6 packets are encapsulated within the IPv4 packets, allowing the IPv6 packets to pass through the IPv4 network.

Why use Generic Routing Encapsulation?

GRE tunneling can be used when there is a need to set up a direct or point-to-point connection between two networks or protocols, such as in an enterprise where different business units or departments are supported by different networks. Encapsulating packets and creating a GRE tunnel allows routers in two networks to operate as if they have a direct connection, allowing packets to move between them that would not be able to do otherwise.

How does Generic Routing Encapsulation work?

GRE works by encapsulating a payload -- an inner packet that needs to be delivered to a destination network -- inside an outer IP packet. GRE tunnel endpoints send payloads through GRE tunnels by routing encapsulated packets through intervening IP networks. Other IP routers along the way do not parse the payload (the inner packet); they only parse the outer IP packet as they forward it toward the GRE tunnel endpoint. Upon reaching the tunnel endpoint, GRE encapsulation is removed, and the payload is forwarded to its ultimate destination.

Encapsulation is done to create a GRE tunnel between two specific routers at either end of the tunnel. This means that only those routers can send and receive the GRE packets. The router at the sending end encrypts the GRE header and the router at the receiving end decrypts it. Along the way, the encapsulated packet travels through the GRE tunnel in encrypted form and then emerges from the receiving router as the original packet. The receiving router then removes the encapsulation and forwards the inner packet to its final destination on its network.

The other non-GRE-configured routers between the two GRE-configured routers will simply forward the encapsulated packet by referencing the headers surrounding them. They will not decrypt or open the packets; this is the job of the receiving GRE-configured router.

Generic Routing Encapsulation packets and headers

In any network, a packet refers to a unit of data that moves from a source to a destination. All packets consist of a payload and control information. The payload contains the user data (actual information) while the control information includes elements like source and destination addresses and sending sequence. The control information is placed in the packet header, with one header attached to each packet.

Before a GRE tunnel is created, the original or outer packet has an IP header (20 bytes). Creating the tunnel means creating a GRE packet that now has two IP headers. The IP header for the original packet remains intact. When the tunnel is created, the protocol adds a new GRE header (4 bytes), which indicates the type of protocol that will be used by the encapsulated packet. The GRE header also includes information such as the packet's source and destination addresses, sequence number and protocol identifier.

Once both headers are created, the encapsulated packet can travel from the source router to the destination router. The end router will decapsulate the packet and use the header information to route the packet to its destination.

Generic Routing Encapsulation (GRE) diagram. — GRE headers are added to the packet that is being forwarded.

Features of Generic Routing Encapsulation

The main feature of the GRE protocol is its ability to wrap one data packet inside another packet, allowing packets to travel between two otherwise-incompatible protocols or networks. Versatility is another feature of GRE. The protocol can work with numerous Layer 3 protocols, including IP, IPX and DECnet. As a result, one GRE tunnel can carry different types of traffic and route packets to their ultimate destination.

GRE tunnels are stateless, meaning the tunnel endpoints (routers) do not keep any information about the receiving router, including its state and availability. As a result, the source router does not have the ability to change the state of the tunnel interface or bring down its line protocol if the receiving router is unreachable.

Advantages and disadvantages of Generic Routing Encapsulation

Creating a GRE tunnel enables the use of protocols that are not supported by a network, thus enabling connectivity between networks and sub-networks. Further, the protocol is highly reliable because adding a GRE header to a packet ensures that it will reach its destination.

In contrast to IP-to-IP tunneling, GRE tunneling can transport multicast and IPv6 traffic between networks. Further, GRE provides a stateless private connection so the tunnel interface will remain active even if the end of the tunnel is unreachable.

Other advantages of GRE tunnels include the following:

GRE tunnels encase multiple protocols over a single-protocol backbone.
GRE tunnels provide workarounds for networks with limited hops.
GRE tunnels connect discontinuous sub-networks.
GRE tunnels allow VPNs to operate across wide area networks.

The chief disadvantage of GRE is that it is not considered a secure protocol because it doesn't use encryption like the IP Security (IPsec) Encapsulating Security Payload, defined by RFC 2406. As a result, GRE tunnels can be used to launch DDoS attacks. Cyber attackers can build a botnet, control it via GRE, and then use it to jam a network with junk traffic, making the network inaccessible for legitimate users. This risk can be minimized by configuring authentication and encryption mechanisms on the GRE tunnels.

Explore the differences between GRE and IPsec tunnels. See how network functions virtualization (NFV) architecture works.

This was last updated in November 2023

Continue Reading About Generic Routing Encapsulation (GRE)

IPv6 addresses: Security recommendations for usage

What's the difference between a MAC address and IP address?

Layer 3 switches explained

Layer 3 network integration from Datera uses nodes as endpoints

A Deep Dive Into Border Gateway Protocol

Dig Deeper on Network infrastructure

Search Unified Communications

UCaaS vs. CCaaS vs. CPaaS: What's the difference?
It can be difficult to make sense of popular cloud communications service models. Compare UCaaS vs. CCaaS vs. CPaaS to understand...
5 steps to address hybrid meeting equity
Taking the steps necessary to ensure that employees can attend meetings, regardless of location, takes time, but new tools can ...
Hybrid meeting technology helps AV teams address equity
Ensuring remote and in-office workers share the same meeting experience is a constant challenge. Vendors are helping companies ...

Search Mobile Computing

5 top mobile security courses and certifications for IT
To stay on top of new threats, IT pros can test their skills with mobile security training. Explore the top programs to learn ...
How to incorporate smishing into security awareness training
Smishing is a major threat on enterprise smartphones, but users might not know how it compares to traditional email phishing. IT ...
Building mobile security awareness training for end users
Do concerns of malware, social engineering and unpatched software on employee mobile devices have you up at night? One good place...

Search Data Center

Dell Technologies pitches its hardware for AI data centers
Servers, networking and storage hardware take center stage at Dell Technologies World 2025, as well as a tightly integrated ...
Single-tenant vs. multi-tenant cloud architecture
Single-tenant and multi-tenant cloud architecture offer unique advantages and disadvantages. Understanding both is crucial for ...
Nutanix platform may benefit from VMware customer unrest
Nutanix's Next 2025 conference attendees are jumping ship to the platform after Broadcom's VMware buy, as Nutanix executives plan...

Search ITChannel

AWS Marketplace channel partners rev software, service sales
Partners are building a new route to market on AWS Marketplace. One has surpassed $1 billion in total sales and another expects ...
Guide to building and executing an MSP business model
This managed service guide provides an overview of the business model, covers the basics of building a service provider business ...
Partner's Apple Watch referee app lets NHL stripes keep focus
Presidio designed the NHL Watch Comms App to sync with a hockey arena's game and penalty clocks and use haptic notifications to ...

Close