1 - never seen deployed. The reason is that if a router can reach a certain address to terminate GRE, the same address should be used for IPSEC. Also, you would be carrying the IP header one more time, as IPSEC cannot run directly on GRE:
IPSec has two modes: tunnel and transport. In tunnel mode you encrypt everything, IP header and payload, and create an entirely new packet. In transport mode IPSec only encrypts the payload; the header is preserved.
Now, just imagine you already have a GRE tunnel set up, and you want to add some confidentiality to the data (payload) it carries. In this case, you can encrypt the data using IPSec in transport mode and then send it into a GRE tunnel. This is the case for IPSEC over GRE. One application of this is to encrypt multicast traffic, like OSPF, because GRE does support multicast, but IPSec in tunnel mode doesn't. Take a look at DMVPN on the Cisco site.
2. GRE over IPSec
This can be like any other protocol/application encryption. First you create a GRE tunnel and then encrypt it with IPSec. If you use IPSec in tunnel mode you will create a lot of wasteful overhead and inefficiency. If you use the transport mode you will fall into the "ipsec over gre" (the chicken-egg problem).
You mention "GRE tunnel is created first and over that IPSEC tunnel is created to pass multicast and broadcast traffic".
The correct order for IPSEC over GRE is ...
The GRE tunnel is first created and it is used to pass multicast and broadcast. The GRE data is then encrypted with IPSec (no ipsec tunnel).
There is no IPSec tunnel in this scenario. Remember IPSec transport mode is only encryption. GRE does the tunneling work and IPsec does the encryption part.
"But your definition on GRE over IPSEC seems similar ..."
There is a slight difference...
1) In IPSec over GRE, you encrypt some data and send it as an IPSec packet into the GRE tunnel. If you look at the IP packet going out the interface, you will see it as an IP packet carrying a GRE protocol.
2) In GRE over IPSec (in tunnel mode), you create the GRE tunnel and send it into an IPSec tunnel. If you look at the packet you will see it as an IP packet carrying the IPSec protocol.
3) In GRE over IPSec (in transport mode), you create the GRE tunnel and encrypt its payload using IPSec. If you look at the packet you will see it as an IP packet carrying the GRE protocol.
That is ...
Case 1 - You have a tunnel inside a tunnel, a wasteful situation that should be avoided, but it can appear in real scenarios.
Case 3 is here only to illustrate the situation. Since IPSec transport mode doesn't carry anything and only encrypts, I would describe this not as "GRE over IPSec", but as "IPsec/GRE combination".
Case 2 is the only useful scenario. So be cautious if you see "GRE over IPSec" again.
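
The difference between points 1) and 2) above shows up in the outer IP protocol field: 47 for GRE, 50 for ESP. The following Python is an added example, not code from the posters; it builds two constructed packets and lists the headers an observer on the wire can read before encryption hides the rest. Addresses, SPI values and payload bytes are made up for the illustration.

```python
import struct

GRE, ESP = 47, 50            # IANA IP protocol numbers
ETHERTYPE_IPV4 = 0x0800      # GRE "protocol type" value for an IPv4 passenger

def ipv4(proto, payload, src="192.0.2.1", dst="198.51.100.1"):
    """Minimal 20-byte IPv4 header (checksum left at 0) around payload. Constructed data."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def gre(payload, proto_type=ETHERTYPE_IPV4):
    """Basic 4-byte GRE header (RFC 2784), no checksum, key or sequence number."""
    return struct.pack("!HH", 0, proto_type) + payload

def esp(opaque, spi=0x1001, seq=1):
    """ESP header (SPI, sequence number) followed by bytes standing in for ciphertext."""
    return struct.pack("!II", spi, seq) + opaque

def visible_layers(pkt):
    """Walk cleartext headers from the outer IPv4 header; stop at ESP or an unknown protocol."""
    layers = []
    while True:
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            raise ValueError("not an IPv4 header")
        ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
        layers.append("IP")
        pkt = pkt[ihl:]
        if proto == ESP:                 # everything past the ESP header is encrypted
            return layers + ["ESP"]
        if proto != GRE:
            return layers + [f"proto-{proto}"]
        if len(pkt) < 4:
            raise ValueError("truncated GRE header")
        flags, ptype = struct.unpack("!HH", pkt[:4])
        # Optional GRE fields (checksum, key, sequence) each add 4 bytes.
        hdr = 4 + 4 * (bool(flags & 0x8000) + bool(flags & 0x2000) + bool(flags & 0x1000))
        layers.append("GRE")
        if ptype != ETHERTYPE_IPV4:
            return layers + [hex(ptype)]
        pkt = pkt[hdr:]

# Point 1): an IPSec packet sent into a GRE tunnel. The outer header says GRE.
ipsec_in_gre = ipv4(GRE, gre(ipv4(ESP, esp(b"\x00" * 32), "10.0.0.1", "10.0.0.2")))
# Point 2): the GRE tunnel sent into an IPSec tunnel. The outer header says ESP.
gre_in_ipsec = ipv4(ESP, esp(b"\x00" * 64))

if __name__ == "__main__":
    print(visible_layers(ipsec_in_gre))
    print(visible_layers(gre_in_ipsec))
```
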