Why traffic cannot be transmitted at wire speed over a GRE tunnel

30

When a packet is forwarded through a tunnel, a label is added to the packet at the tunnel egress. That is, the packet length is increased. The GRE tunnel adds 24 or 32 bytes to the original packet, and the length of a label is 4 bytes on the VPN tunnel. In this case, the total traffic exceeds the wire speed. Packets are discarded during forwarding.

Other related questions:
FAQ - Why traffic cannot be transmitted at wire speed when being forwarded through the GRE tunnel
For S series switches excluding the S1700, why traffic cannot be transmitted at wire speed when being forwarded through the GRE tunnel? When a packet is forwarded through a tunnel, a label is added to the packet at the tunnel egress. That is, the packet length is increased. The GRE tunnel adds 24 or 32 bytes to the original packet, and the length of a label is 4 bytes on the VPN tunnel. In this case, the total traffic exceeds the wire speed. Packets are discarded during forwarding.

IPv6 over IPv4 GRE tunnel configuration
To configure an IPv6 over IPv4 GRE tunnel, perform the following steps: 1. Run the system-view command to enter the system view. 2. Run the interface tunnel interface-number command to create a tunnel interface and enter the tunnel interface view. 3. Run the tunnel-protocol gre command to set the tunnel encapsulation type to GRE tunnel. 4. Run the source { ipv4-address | interface-type interface-number } command to specify the source address or source interface of the GRE tunnel. Note: ?You can directly specify the IPv4 address of the interface used to connect to the IPv4 network as the source address or specify this interface as the source interface. ?You can specify a physical port or a logical interface such as the Loopback interface as the source interface of the tunnel. 5. Run the destination ipv4-address command to specify the destination address or domain name of the GRE tunnel. The destination address is the source address of the peer device. As shown in Figure 1, the destination address of FW_A is 1.1.2.1/24, while the destination address of FW_B is 1.1.1.1/24. 6. Run the ipv6 enable command to enable the IPv6 function on the tunnel interface. 7. Run the ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } command to configure the IPv6 address for the tunnel interface. 8. (Optional) Run the gre key key-number command to set the keyword in the GRE packet header. You can set the same key-number on both ends of the tunnel or do not set the key-number.

Why data packets do not pass the IPSec tunnel
Service packets fail to be transmitted after an IPSec tunnel is successfully established. To troubleshoot this fault, perform the following operations: 1. Check whether data packets match any ACL rule. 2. If NAT is configured on an interface, the matching ACL rule must deny data flows protected by IPSec. After confirming that the ACL rule is correctly configured, enable IPSec. 3. If SHA2 authentication is used, configure the ipsec authentication sha2 compatible enable command. 4. Check that the route configuration is correct. 5. Check that data packets can reach the AR router.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top