GRE Tunnel Recursive Routing Error

Do the IP addresses of the Tunnel need to be in the same subnet in order to connect?

Hello Mark

By definition, a GRE tunnel will connect two tunnel interfaces on two different routers across a network such as the internet, as if they are directly connected. So by definition, these interfaces must be on the same subnet. In other words, you’re tricking the routers into thinking they’re directly connected. Two directly connected routers must have their interfaces on the same subnet. Does that make sense?

I hope this has been helpful!


Immensely helpful; thank you! I was certain that is the case, but I was getting some real pushback from another engineer that I work with and just wanted to sanity check myself. Thanks again.


Hi Rene, thank you for this good work. I’m confused about this. I did some research before studying this section of GRE Tunnel Recursive Route and I’ve learned that to overcome this problem, we MUST NOT advertise the internet-facing interfaces on any routing protocols. Or if there are physical interfaces configured with IP addresses, they shouldn’t be advertised on any routing protocol… Please correct me if I’m wrong. Thank you.

Hello Chris

You’re on the right track. In the context of GRE Tunnel Recursive Route, the issue arises when the IP address of the interface terminating the tunnel is reachable via the tunnel itself. Often, it is the Internet-facing interface that terminates the tunnel, and under such circumstances, that IP address shouldn’t be advertised via the tunnel itself. So the best practice you are suggesting is specific to the particular implementation.

In the lesson, Rene used the loopback interfaces as the tunnel-terminating interfaces. So in this case, it is the loopback addresses that should not be advertised via the tunnel.

The more generalized rule to follow is what Rene mentioned in the lesson:

Don’t advertise the tunnel destination IP address on the tunnel interface. Either don’t advertise it at all, or use route filtering.

The rule that states "don’t advertise Internet-facing IP addresses in a routing protocol" is not necessarily a hard and fast rule that you must never violate. In some cases, it might be necessary, depending on the specific network design and requirements. The key is to ensure that you’re not creating a recursive routing loop.

Rene gives three solutions to the recursive routing problem, the first of which is the most often implemented because of the reasons you state. The other options are doable as well, but may not be appropriate for use with your ISP. The purpose of the lesson was to show all possible permutations of the problem and its solutions. However, there are other considerations in real-world scenarios that may limit your options. Does that make sense?

I hope this has been helpful!
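
The check described in the reply above, as an added example that is not part of the original thread or the lesson: given a routing table, it resolves each tunnel destination to its outgoing interface and flags any tunnel whose destination is reached through the tunnel itself. The addresses, interface names and route-table format are constructed assumptions, and the model uses longest-prefix match only (no administrative distance or metric).

```python
import ipaddress

def lookup(table, ip):
    """Longest-prefix match: return the most specific route covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in table if addr in ipaddress.ip_network(r["prefix"])]
    return max(matches,
               key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def egress_interface(table, ip, max_depth=8):
    """Follow next hops until a route names an outgoing interface."""
    for _ in range(max_depth):
        route = lookup(table, ip)
        if route is None:
            return None                    # destination unreachable
        if route.get("interface"):
            return route["interface"]      # connected or interface route
        ip = route["next_hop"]             # resolve the next hop in turn
    return None                            # gave up: next-hop chain too deep

def recursive_tunnels(table, tunnels):
    """Return tunnels whose destination is reached through the tunnel itself."""
    return [name for name, dest in tunnels.items()
            if egress_interface(table, dest) == name]

# Constructed sample data (documentation address ranges, hypothetical names).
TUNNELS = {"Tunnel0": "203.0.113.2"}       # tunnel name -> tunnel destination

HEALTHY = [
    {"prefix": "192.0.2.0/30", "interface": "GigabitEthernet0/0"},  # underlay link
    {"prefix": "10.0.0.0/30", "interface": "Tunnel0"},              # tunnel subnet
    {"prefix": "203.0.113.0/24", "next_hop": "192.0.2.2"},          # via underlay
]

# Same table after the peer advertises its tunnel endpoint over the tunnel:
# the more specific /32 now points at the tunnel peer address.
BROKEN = HEALTHY + [{"prefix": "203.0.113.2/32", "next_hop": "10.0.0.2"}]

if __name__ == "__main__":
    print("healthy:", recursive_tunnels(HEALTHY, TUNNELS))
    print("broken: ", recursive_tunnels(BROKEN, TUNNELS))
```
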