We think about using a third-party DDoS prevention service that would forward us our scrubbed inbound traffic via a GRE tunnel on a 10 Gbps port. No encryption, just plain GRE encapsulation. And so now we're looking for a low-cost option that would allow us to terminate this GRE tunnel and achieve (close to) 10 Gbps line speed.
Now with RouterOS 7 the CRS317-1G-16S+ supports L3 hardware offloading and so can achieve close to line speed for simple routing. But what happens in case of a GRE tunnel? Can the L3 hardware offload also "unwrap" the GRE packets in hardware? Or would the CPU need to do this and then the hardware offloading feature cannot be used anymore as everything would have to be done in software (with a severe performance penalty then, so only throughputs achievable that will be far below line speed)?
I seem to be unable to find an answer to this question in the RouterOS documentation. While there's a list of features that are known to work, partially work or not work with the L3 hardware offloading, GRE tunnels seem not to be mentioned. The Marvell Prestera datasheets do mention something about a forwarding engine that can handle also GRE packets but I don't know if this is applicable or if Mikrotik's implementation takes advantage of it.
So can the CRS317-1G-16S+ terminate a GRE tunnel in hardware? And if not, is there any other similarly inexpensive switch model that can do it (at 10 Gbps port speed)?
Thanks a lot!