How to configure GRE Tunnel on Cisco IOS Router

Hi Nanu,

So can we say that any packet going out of f0/0 of R1 will have source IP (i.e. IP address of tunnel for which f0/0 is configured as source)?

The answer to this is No. A simple counter-example would be any packet going from HQ to the ISP. Presumably, the ISP has no idea that the Tunnel IP space exists, so the packet must be sourced from The key for HQ figuring out whether to use the or address would be what its routing table says is the next hop of the destination. If the next hop is in the Tunnel address space, it will use that.

I think we cannot configure one interface as a source for more than one tunnel…right?

You are correct. While you can have a single interface be the source of a tunnel with multiple destinations (DMVPN does this), technically, this is just a single tunnel. In order to have multiple tunnels, you will need to create loopbacks and source the tunnels from there.

Hi Andrew,

Your explanation has cleared my doubts…thanks a lot…:slight_smile:



Will you do / explain how to do this lab with the IGP being iBGP, with the loopbacks being redistributed into BGP?

Thank you.


Hi Trevor,

The goal of this example is to demonstrate how GRE tunneling works, you could use any other routing protocol. Here’s a quick example though how you can use BGP instead.

First we create an access-list that matches the loopback interface and we create a route-map:

R1(config)#ip access-list standard L0

R1(config)#route-map L0_ONLY permit 10
R1(config-route-map)#match ip address L0

R1(config)#route-map L0_ONLY permit 20

Now you can configure BGP, configure the remote neighbor and redistribute only the loopback interface:

R1(config)#router bgp 13
R1(config-router)#neighbor remote-as 13
R1(config-router)#redistribute connected route-map L0_ONLY

Hope this helps!


19 posts were merged into an existing topic: How to configure GRE Tunnel on Cisco IOS Router

Hello Rene,

I was not able to advertise Lo via tunnel Eigrp process with the given /24 config of yours. I fixed it using /32 bit prefix. It seems LOs cant build adjacency till 32 bit prefix is configured on loopback interface. Also I used successfully a source on one side of the setup as MLPPP and testes tunnel stability when flapped one of the PPP link.

Hi Vitaly,

The loopbacks won’t affect your neighbor adjacency whatsoever. The neighbor adjacency is established on the tunnel interface so any other interfaces don’t have any effect on it. It won’t matter if you use a /24 or /32 on the loopback interfaces :slight_smile:

Do you still have your config with the /24s on the loopback that is not working?



How does a router, in this example HQ or Branch would know to send packets to GRE application to encapsulate those inner packets within the GRE header? Another way to interpret the question is how the control plane of GRE work and is there a way so that only some of the hosts behind the HQ/Branch uses the GRE and some other do not use the tunnel and send the packets using traditional routing (w/o tunneling.)


Hello Ishan,

When the router receives a packet, it checks the destination and does a lookup in the routing table. It finds that the outgoing interface is the tunnel interface, checks the encapsulation type of the tunnel and does its job.

For example, the HQ router receives a packet that is destined to In the routing table, the outgoing interface is the Tunnel1 interface, which means the router has to add a GRE header.

The outer IP header has a destination IP address of so the HQ router does another lookup in the routing table, figures out that 12.2 is the next hop and forwards the IP packet to the ISP router.

The default routing table is global so if you create an entry, it applies to all packets. However, you can use policy-based routing to tell the router that certain packets should be forwarded on another interface. Here’s an example:

I am still working through this but the following information is incorrect for the static route. The configuration that is currently in the lesson for the static route portion does not work.

Need to change to network instead of the specific IP. This is the case on my Cisco equipment anyway.

Need to change to the following:

HQ(config)#ip route

Branch(config)#ip route

Hello Brian

Hmmm, that’s interesting. I tried to lab it up as well and it worked for me with just the specific IP addresses in the ip route commands rather than the whole subnet. I was able to get the tunnel up and running as well as the EIGRP neighbourship. Want to take a look at it again and see if there’s another glitch somewhere?

I hope this has been helpful!


hello Rene, why do we need tunneling, when we already have static and dynamic routing protocol? what’s the need of tunnelng ? maybe if you’ve mentioned but i am still not clear about the advantage and use of Tunnel.

Hello Pinki

The advantages provided by GRE tunnelling (or any kind of network tunnelling) is that it allows us to interconnect two remote sites over a third network as if those remote sites are directly connected to each other. So let’s say you have two branch offices, one in one city and one in another. You have a subnet of at the first office and at the second office. Those two offices will never be able to communicate directly with each other over the Internet, because the Internet uses its own IP address ranges and it does not allow the use of private IP addresses to be routed using static and dynamic routing.

However, you can create a GRE tunnel between the edge routers at each branch office. The packets addressed in the and address ranges will then be tunnelled or encapsulated into IP packets that can be routed over the Internet. Once they arrive at the other edge router, they will be decapsulated and sent onto the local network. In this way, hosts at each branch office will think that the two edge routers are directly connected to each other, allowing you to enable communication between the two offices as if they were really directly connected to each other.

So in summary, a tunnel will allow you to route your private packets over a public or third party network such as the Internet, in such a way so that your networks function as if they are directly connected to each other.

I hope this has been helpful!


1 Like


I have a question about the static route
Is there a difference between:
1-ip route
2-ip route

I think if we use the first one we can only connect to, so we use the ISP to connect the HQ and Branch only
But if we use the default static route we can also connect to the Internet.

Please correct me if I’m wrong.

Hello Rehab

Yes you are correct. Both static routes will indeed allow you to reach the subnet, while the default route will also allow you to reach the Internet as well. In the particular example, connectivity to the Internet was not a requirement, so it wasn’t configured that way, but it will indeed work.

I hope this has been helpful!


Hello Laz,

Thank you for your prompt reply I really appreciate it, and the information was really useful.


1 Like


Is it possible to do this all in IPv6? I notice there is a lot of IPv6 Over IPv4 tunnels, but I am wondering if this is possible to do in IPv6 only (for testing purposes).


Hello Thomas

Yes it is possible to create GRE tunnels using IPv6 for both the internal and external protocol. You can find out more information about this at the following Cisco documentation:

Now in the examples found in there, some implement IPv6 over an IPv4 GRE tunnel. However, IPv6 can be used for both inside and outside of the GRE tunnel.

I hope this has been helpful!


hello lagapides
can i use eigrp instead a static route
like rene have used EIGRP for introduce a network which is running on HQ and same apply in BRANCH office but why he has not introduced a or in EIGRP

Hello Harshit

This is a very good question, and indeed an important one. Rene could have included those networks in EIGRP, however, the problem that would occur is that EIGRP would learn of a “better” route between the Branch to HQ routers via the GRE tunnel. But that means that routes to or would be removed from the routing table in favour of the route via the GRE tunnel. But those routes are needed in order to correctly route the GRE tunnel, so the tunnel would fail. This results in the routes being reinstated only to have the tunnel come back up again and the routing changes again, and it fails… and so on. This is called the GRE tunnel recursive routing error, and you can find out more about it (and how to solve it) in this lesson:

I hope this has been helpful!