A packet is traveling through a GRE tunnel from a corporate office in New York to one in London. A router in Frankfurt (not an overlay node) handles the packet in transit. What does the Frankfurt router see when it examines the packet's headers?
A. The original inner packet's source and destination addresses — the corporate office IPs
B. Only the outer GRE header with the London tunnel endpoint's real IP as the destination
C. Both the inner and outer headers, which it must process to determine the correct route
D. An encrypted payload it cannot forward without tunnel decryption keys
Intermediate routers see ONLY the outer header. GRE encapsulates the original packet entirely inside a new outer IP packet addressed to the London tunnel endpoint. From Frankfurt's perspective, this is just a normal IP packet destined for a London address — it has no knowledge of the inner packet, the overlay topology, or the corporate network. This invisibility of the inner packet is the fundamental property of tunneling: the underlay routes the outer packet normally while the overlay structure rides invisibly inside.
Question 2 Multiple Choice
Why does tunneling reduce the effective maximum transmission unit (MTU) available for application data compared to a non-tunneled connection?
A. Encryption adds computational overhead that reduces network throughput
B. The outer tunnel headers consume bytes within each packet, leaving less room for the original payload before hitting the physical link's size limit
C. Tunnel endpoints must fragment all packets to prevent routing loops in the overlay
D. Intermediate routers drop oversized packets because they cannot process two nested headers simultaneously
Every physical link has a maximum frame size (MTU, typically 1500 bytes for Ethernet). Tunnel headers (GRE adds ~24 bytes, VXLAN adds ~50 bytes) are part of the outer packet and count against this limit. If the inner packet is larger than the space left after those headers, the total outer packet exceeds the link MTU, forcing fragmentation, which hurts performance. Applications and inner protocols must therefore operate with a smaller effective MTU equal to the link MTU minus the tunnel overhead. This overhead is a real and unavoidable cost of overlay networks.
Question 3 True / False
In an overlay network, the logical topology (which nodes appear to be direct neighbors) determines the physical routes that packets follow through the underlying network.
T. True
F. False
Answer: False
The logical overlay topology is completely independent of physical routing. Two overlay nodes that appear as direct neighbors in the overlay may be physically separated by dozens of routers — the overlay link is a tunnel, not a wire. Physical routing is determined by the underlay's routing protocols (OSPF, BGP) applied to the outer packet's destination address. The entire point of overlay networks is this decoupling: any logical topology can be built on top of any physical topology, as long as tunnel endpoints are IP-reachable. The physical and logical layers are orthogonal.
Question 4 True / False
VPNs typically encrypt the inner packet before encapsulating it in the outer tunnel packet, so intermediate routers cannot read the original payload.
T. True
F. False
Answer: True
This is the standard VPN architecture: the inner packet is encrypted before being wrapped in the outer IP packet. Intermediate routers see only an encrypted blob inside a normal outer packet — they can forward it based on the outer destination address but cannot decode its contents. This provides confidentiality: even if an attacker captures packets in transit, they observe only ciphertext. The tunnel delivers the encrypted payload to the remote endpoint, which decrypts and delivers it. Security and connectivity are orthogonal overlay properties that can be combined independently.
Question 5 Short Answer
Explain how tunneling 'decouples logical connectivity from physical topology' and give a concrete example where this property is essential.
Model answer: Tunneling encapsulates overlay packets inside physical packets routed by the underlay, making two overlay nodes appear directly connected even if physically separated by many routers — the physical routers only see and route the outer header. A concrete example: a company with offices in three cities can create an overlay where all three sites appear on the same local network, with the same IP subnet, even though their traffic crosses public internet routers. VPNs use this to give remote employees seamless access to corporate resources as if physically on the office LAN.
The decoupling is what makes overlays so powerful: any logical topology (star, mesh, full-mesh) can be created without reconfiguring physical hardware. Cloud providers use VXLAN overlays to give each tenant an isolated virtual network on shared physical infrastructure — millions of virtual networks on the same physical switches. The internet itself began as an overlay on telephone networks. The cost of this flexibility is tunnel overhead (extra headers, reduced MTU) and added debugging complexity when problems require reasoning about both the overlay and underlay simultaneously.