Solved: Re: Multiple GRE tunnel question

ColForbin · ‎07-11-2025

I’m just making sure on this. If you have two GRE tunnels whose source is the same interface, both MTU would still be 1476 correct?

For instance

Interface gig 1/0/1

ip addr 192.168.1.1 255.255.255.252

tunnel 1

ip mtu 1476

ip tcp adjust-mss 1436

tunnel source 192.168.1.1

tunnel 2

ip mtu 1476

ip tcp adjust-mss 1436

tunnel source 192.168.1.1

and the destinations would be different.

Thanks. Just a sanity check I hope.

Joseph W. Doherty · ‎07-11-2025

Correct.

View solution in original post

Joseph W. Doherty · ‎07-11-2025

Correct.

MHM Cisco World · ‎07-12-2025

This second post

We try hard inform you this wrong design but I dont know maybe you want to test

But in real network that so so bad design use tunnel IP as source of other tunnel

One of point you will face is high overhead of IP

Here there two tunnel header so sure MTU not same mtu of second must be lower than first with at least 40 bytes

To be sure run wireshark see how traffic look like.

MHM

Joseph W. Doherty · ‎07-12-2025

But in real network that so so bad design use tunnel IP as source of other tunnel

Was this reply meant for another thread? I ask, because both tunnels are using the physical interface IP.

Interface gig 1/0/1

ip addr 192.168.1.1 255.255.255.252

tunnel 1

tunnel source 192.168.1.1

tunnel 2

tunnel source 192.168.1.1

Here there two tunnel header so sure MTU not same mtu of second must be lower than first with at least 40 bytes

Why 40, as the usual GRE header uses 24 bytes (the GRE IP header and GRE header)?

MHM Cisco World · ‎07-12-2025

Check IP he use tunnel one IP use as tunnel source

Why 40 bytes ? Gre normal is 24 but it not secure if we use iPsec with it so at least we need 40 bytes.

To check let him try use wireshark' let him see how traffic pass how GRE look like'

Engineer without wireshark like blind

MHM

Joseph W. Doherty · ‎07-12-2025

Check IP he use tunnel one IP use as tunnel source

I don't see, in OP, what tunnel IPs are, as it appears that wasn't provided, so, I'm confused with what you're describing.

Why 40 bytes ? Gre normal is 24 but it not secure if we use iPsec with it so at least we need 40 bytes.

Fully agree that GRE/IPSec overhead is more than 24 bytes. However, in my experience often the overhead is more than 40 bytes; believe Cisco recommends allowing for 100 bytes. (Interesting overhead calculator mentioned in https://community.cisco.com/t5/security-knowledge-base/ipsec-overhead-calculator-tool/ta-p/3162650.). Also, agree GRE, alone, isn't secure, but OP didn't mention such a need.

To check let him try use wireshark' let him see how traffic pass how GRE look like'

You certainly could do that, but often when checking MTU, I find that might be answered using ping with specific packet sizes in conjunction with setting DF.

Historically, you provide great lab results, so, wondering, could you demonstrate the issues you've describe?

ColForbin · ‎07-12-2025

Just so there’s no confusion. A previous post I discovered a gre tunnel that was using another gre tunnel IP as its own source. So i posted about that because it was up and passing traffic. And my instincts were this was a bad design and was looking for confirmation.

This second post was after I fixed that config, which by the way resulted in a small blip only, so it was a fast fix…but once I had the two separate tunnels configured with the same source IP, so the same physical interface, I didn’t see any problems, it just got me thinking about the mtu. This instance they are both just gre. I was pretty sure each tunnel is separate so each one should have an mtu of 1500-24=1,476 and it appears that bears out..

Joseph W. Doherty · ‎07-12-2025

@ColForbin wrote:

A previous post I discovered a gre tunnel that was using another gre tunnel IP as its own source.

Thanks, now @MHM Cisco World 's initial reply in this thread, and its initial "This second post", makes much more sense, as he was thinking you were still doing what you originally did.