1.17 Routing over a GRE Tunnel

The Generic Routing Encapsulation (GRE) protocol was developed to tunnel network-layer protocols over an IP network to emulate a virtual point-to-point connection. Originally developed by Cisco, it is now an IETF standard specified in RFC 2784 and updated in RFC 2890. It uses IP protocol number 47.

The tunnel itself is not encrypted or authenticated: GRE provides no confidentiality and no integrity protection for the traffic it carries. What it does offer is the ability to carry multicast and broadcast traffic, which makes it possible to form routing protocol adjacencies (EIGRP, OSPF and so on) across the virtual point-to-point link.

The protocol that is tunneled is called the passenger protocol (for example EIGRP, or the IPv4 data traffic it routes). The protocol that encapsulates the passenger protocol, in this case GRE, is called the carrier protocol. The protocol that transports the carrier protocol is called the transport protocol (for example IPv4, where the GRE packet appears as IP protocol 47). This is illustrated below.

There are a few considerations to keep in mind when deploying GRE:

  • It is stateless: the tunnel interface stays up regardless of whether the remote endpoint is reachable, unless GRE keepalives are configured on the tunnel interface.
  • It provides neither encryption nor authentication, and no flow control. Because the carrier protocol is unauthenticated, any host that can deliver a spoofed packet to the tunnel source address can inject traffic into the tunnel; where confidentiality or integrity is required, GRE over IPsec is warranted.
  • It may skew routing metrics, since the routing protocol sees the tunnel as a single-hop point-to-point link and may prefer it even though the encapsulated packets actually traverse several hops over a sub-optimal physical path.
  • Recursive routing occurs if the route to the tunnel destination is learned over the tunnel itself, so that the tunnel destination becomes reachable only through the tunnel. IOS detects this and temporarily shuts the interface, logging a %TUN-5-RECURDOWN syslog message. One resolution is a static (host) route to the remote tunnel destination via the physical next hop; another is to avoid advertising the transport network over the tunnel at all.
  • The additional encapsulation reduces the usable MTU. GRE over IPv4 adds 24 bytes of overhead (a 20-byte outer IPv4 header plus the 4-byte base GRE header; the optional checksum, key and sequence-number fields defined in RFC 2890 add 4 bytes each), so a 1500-byte transport link gives a tunnel MTU of 1476, which is the IOS default for a GRE tunnel interface. Best practice is to set an IP MTU of 1400 bytes on the tunnel (and clamp the TCP MSS to match, for example 1360) to leave headroom for IPsec or other additional headers.
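The following Cisco IOS configuration is an added example, not from the original page, that ties the passenger/carrier/transport layering above to the deployment considerations in the list: EIGRP (passenger) rides over GRE (carrier) over IPv4 (transport), the tunnel MTU and TCP MSS are clamped, GRE keepalives give the stateless tunnel a liveness check, and a static host route to the remote tunnel destination via the physical next hop prevents recursive routing. All hostnames, interface names, addresses (documentation prefixes) and the EIGRP AS number are assumptions chosen for the example.

```cisco
! R1 (example configuration, not from the original page)
hostname R1
!
interface GigabitEthernet0/0
 description Transport (underlay) interface toward the ISP
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 description Local LAN
 ip address 192.168.1.1 255.255.255.0
!
! Underlay reachability. The /32 to R2's tunnel endpoint has AD 1 and is the
! most specific match, so even if 198.51.100.0/24 is ever learned over the
! tunnel the tunnel destination is still reached via the physical link and
! the tunnel never recurses through itself (no %TUN-5-RECURDOWN).
ip route 0.0.0.0 0.0.0.0 203.0.113.254
ip route 198.51.100.2 255.255.255.255 203.0.113.254
!
interface Tunnel0
 description GRE to R2: passenger EIGRP/IPv4, carrier GRE, transport IPv4
 ip address 10.0.0.1 255.255.255.252
 ! 1500 - 24 bytes of GRE/IPv4 overhead = 1476; 1400 leaves headroom for IPsec
 ip mtu 1400
 ! MSS = IP MTU - 20 (IPv4) - 20 (TCP)
 ip tcp adjust-mss 1360
 ! GRE is stateless; keepalives every 10 s, 3 misses brings the line protocol down
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode gre ip
!
! EIGRP runs over the tunnel and the LAN only. The transport network
! (203.0.113.0/24) is deliberately NOT included, so the underlay is never
! advertised across the tunnel.
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 passive-interface GigabitEthernet0/1
!
! R2 mirrors the configuration (only the differing lines are shown)
hostname R2
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.2.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 198.51.100.254
ip route 203.0.113.1 255.255.255.255 198.51.100.254
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode gre ip
!
router eigrp 100
 network 10.0.0.0 0.0.0.3
 network 192.168.2.0 0.0.0.255
 passive-interface GigabitEthernet0/1
```

To verify, `show ip route 198.51.100.2` on R1 should resolve via GigabitEthernet0/0 (the static), never via Tunnel0; `show ip eigrp neighbors` should list 10.0.0.2 on Tunnel0; and `show interfaces Tunnel0` reports the keepalive state and the 1400-byte IP MTU. Nothing in this configuration encrypts the GRE payload; adding `tunnel protection ipsec profile <name>` to each Tunnel0 (with the corresponding IKE and IPsec profile configuration) is how the IPsec deployment mentioned in the list is layered on.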