To transport packets in a private and secure path over a public network, we use the process of encapsulating packets inside an IP encapsulation protocol. GRE follows this protocol and sends packets from one network to another through a GRE tunnel. In this blog, we will understand what is encapsulation, the CoS of GRE and firewall filters in GRE.

Understanding GRE – Generic Routing Encapsulation

What is encapsulation? The general internal representation of an object or data or packet is hidden from the outside world. Well, so how do we read it then, for that occurs the counter part of encapsulation i.e. de-encapsulation where the data object or packet is taken back to its original form as it was initially before encapsulation.


In computer networks, we often need this mechanism in order to provide a level of tunneling or security when transporting packets from one place to another or through an otherwise public network is required. Generic Routing Encapsulation, GRE, is an IP encapsulation protocol that is used to transport packets over a network. A tunnel is created from one end of the network to the other.

GRE encapsulates packets into Internet Protocol (IP) packets and redirects them to an intermediary host where the packet(s) are de-encapsulated and routed to their final destination based on routing table.

There are three things that need to be considered based on your network requirement as stated below;

  • Source address also called tunnel source.
  • Destination address also called tunnel endpoint
  • Tunnel IP address

GRE Tunneling

Assuming we have two sites, A and B. Site A being the core or hub and B as branch office. In the configuration part which we are going to explore in our coming article, the source address with reference to site A will be the destination address at site B and vice versa.

As per RFC 2784, switches support it, but not completely. There are also obsolete versions for GRE in RFC 1701 and 1702.

Remember, the tunnel(s) that are formed in GRE are stateless, which simply means that the end point of GRE tunnel will have no information about the far end of GRE tunnel therefore the switch or router or a firewall does not know the state or availability of the other end of the tunnel whether it is up or down.

Class of service on GRE tunnels

When it comes to sending multiple packets simultaneously having a variety of senders and recipients, the network suffers from delay. This results in some of the data packets getting dropped and lost. To deal with this, Class of Service (CoS) is used. It divides the network traffic into separate classes, on which when at different levels of throughput and packet loss, the specific set rules of packet loss is applied.  This allows packet loss according to the configured rules. CoS allows multiple forwarding classes for transmission of packets, makes decisions about which packet to be placed into output queue and schedules the transmission service level for the queue.

For configuration of CoS, each switch in the network needs to be configured.  When there is no configuration of CoS settings on the switch, the default behavior is to ensure that user traffic and protocol packets are forwarded with minimum delay.

Components of CoS

For making CoS, the following components are available on the switch operating as a GRE tunnel source router.

  • At the GRE Tunnel Source, we can apply CoS classifiers on an ingress port (schedulers only; defining output queues and controlling transmission of packets after GRE encapsulation) or on a GRE port (schedulers and rewrite rules; along with schedulers you can rewrite rules to the encapsulated packets).
  • At the GRE tunnel endpoint, we can apply CoS classifiers on GRE port and schedulers and rewrite rules on the egress port for controlling de-encapsulated GRE packet.

Firewall filters on GRE tunnels

Firewall filters are applied on network interfaces.  They define a set of rules that decide if the packet transiting the interface is to be permitted, denied or forwarded to its destination address.  These control the traffic on both the entry (ingress firewall filter) and exit (egress firewall filter) from the port applied.

Components of Firewall Filters

While configuring firewall filters, we first define the family address type, then the filtering conditions and finally the action to take if the condition matches.  The number of filtering conditions per firewall differs for switches.  The components are explained below.

  • Match Conditions – specifies the fields/values that the packet must contain. There can be several match conditions such as the IP address field for source/destination, TCP or UDP port field, TCP flags or interfaces.
  • Action – specifies the action to be performed if the packet matches with the match conditions. The packet could be either accepted or discarded or send to a specific interface.  If this field is left blank, the default action is to permit the packet.
  • Action Modifier – specifies one or multiple actions for the switch. They can be different such as the mirror, rate limit, count or classify packets.

There is more to GRE which are going to come in our next articles. Stay tuned in.