100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

What is GRE (Generic Routing Encapsulation)?

Learn what GRE is, how it tunnels traffic across networks, why it pairs with IPsec, and common MTU issues — with interview Q&A.

mediumQ50 of 224 in Computer Networks Est. time: 5 minsLast updated:
Open Code Lab

Expected Interview Answer

GRE (Generic Routing Encapsulation) is a tunneling protocol that wraps one network-layer packet inside another, letting two endpoints carry traffic — including non-IP or private-addressed traffic — across an intermediate network such as the public internet as if there were a direct link between them.

GRE adds its own header between the outer (delivery) IP header and the original inner packet, so the inner packet’s protocol, addressing, and even multicast or broadcast traffic can ride over a network that would not otherwise route it. This is what makes GRE popular for site-to-site tunnels: two routers each add/strip the GRE header, so applications on either side see a single logical hop even though many real hops sit in between. GRE itself provides no encryption or authentication, so it is very commonly paired with IPsec (GRE-over-IPsec) when the tunnel crosses an untrusted network. GRE also has no built-in reliability or congestion control; it simply encapsulates, so packet loss and MTU issues (fragmentation from the added header overhead) are the two most common operational problems.

  • Carries non-IP or private-addressed traffic across a public network
  • Enables routing protocols and multicast to run over a tunnel
  • Simple stateless encapsulation, easy to pair with IPsec for security
  • Creates a logical point-to-point link over an arbitrary underlying path

AI Mentor Explanation

GRE is like shipping a full scoreboard, complete with its own internal wiring and connectors, inside a plain generic crate so it can travel on a courier route that only accepts standard boxes. The crate (outer IP header) is what the courier reads to move it from ground to ground, while the scoreboard itself (the inner packet) is untouched and reassembled exactly as it was. When it arrives, the receiving ground simply unpacks the crate and plugs the scoreboard back into its own local wiring. The courier never had to understand scoreboards, only how to move crates.

Step-by-Step Explanation

  1. Step 1

    Encapsulation

    The sending router wraps the original packet with a GRE header, then an outer IP header addressed to the tunnel peer.

  2. Step 2

    Transit

    The intermediate network routes the packet purely on the outer IP header, unaware of the inner payload.

  3. Step 3

    De-encapsulation

    The receiving router strips the outer IP and GRE headers, recovering the original inner packet.

  4. Step 4

    Delivery

    The original packet is forwarded onward on the destination LAN exactly as it was before entering the tunnel.

What Interviewer Expects

  • Correct definition: tunneling protocol encapsulating one packet inside another
  • Knows GRE has no native encryption and is often paired with IPsec
  • Understands GRE can carry non-IP or private-addressed and multicast traffic
  • Aware of MTU/fragmentation overhead caused by the added GRE header

Common Mistakes

  • Assuming GRE provides encryption on its own
  • Confusing GRE with IPsec instead of describing them as complementary
  • Forgetting the added header overhead can cause fragmentation or MTU issues
  • Not knowing GRE can tunnel multicast and routing protocol traffic, unlike plain IP-in-IP

Best Answer (HR Friendly)

GRE is a way to wrap one type of network traffic inside a generic outer envelope so it can travel across a network, like the public internet, that would not otherwise carry it. Two routers add and remove that envelope, so it feels like a direct private link even though the traffic actually crosses many hops in between. It is often combined with IPsec because GRE itself does not encrypt anything.

Code Example

Creating a basic GRE tunnel on Linux
# Create a GRE tunnel interface between two public endpoints
sudo ip tunnel add gre1 mode gre remote 203.0.113.10 local 203.0.113.5 ttl 255

# Assign a private tunnel address and bring the interface up
sudo ip addr add 10.10.10.1/30 dev gre1
sudo ip link set gre1 up

# Route traffic for the remote private network through the tunnel
sudo ip route add 192.168.50.0/24 dev gre1

# Verify the tunnel interface and encapsulation
ip -d tunnel show gre1

Follow-up Questions

  • Why is GRE usually combined with IPsec rather than used alone?
  • How does GRE differ from a plain IP-in-IP tunnel?
  • What causes MTU and fragmentation issues in a GRE tunnel, and how is it mitigated?
  • How does GRE support carrying multicast or routing protocol traffic across a WAN?

MCQ Practice

1. What does GRE primarily provide?

GRE encapsulates an inner packet inside an outer IP packet to tunnel traffic across an intermediate network; it does not encrypt.

2. Why is GRE commonly paired with IPsec?

GRE provides no encryption or authentication on its own, so IPsec is layered on top to secure the tunnel.

3. A common operational issue with GRE tunnels is:

The GRE and outer IP headers add overhead, which can push packets over the path MTU and cause fragmentation.

Flash Cards

What is GRE?A tunneling protocol that encapsulates one network-layer packet inside another IP packet.

Does GRE encrypt traffic?No — GRE provides no encryption or authentication; it is often paired with IPsec.

What can GRE carry that plain IP-in-IP cannot?Non-IP protocols, private addressing, and multicast/routing protocol traffic.

What issue does GRE header overhead commonly cause?MTU exceedance leading to fragmentation of tunneled packets.

1 / 4

Continue Learning