Configuring a Firewall Filter to De-Encapsulate IP-in-IP Traffic
IP-in-IP encapsulation provides a private, secure path for transporting packets through a network by encapsulating (or tunneling) IP packets. IP-in-IP is a simple tunneling protocol performed by tunnel endpoints that encapsulate or de-encapsulate traffic.
You can use a firewall filter over an IP-in-IP interface to de-encapsulate IP-in-IP traffic without having to create any tunnel interfaces. IP-in-IP packets are special IP tunneling packets with no generic routing encapsulation (GRE) header. You define a filter with filtering terms to classify packets based on packet fields such as destination IP address and IP protocol type. This feature provides significant benefits in terms of scalability, performance, and flexibility because you do not need to create a tunnel interface to perform the de-encapsulation.
You can apply filter-based de-encapsulation to IPv4 or IPv6 tunneling packets. This includes IP-in-IP, IPv6-in-IP, IP-in-IPv6, and IPv6-in-IPv6 tunneling packets. For example, IP-in-IP refers to an IPv6 packet encapsulated within another IPv4 packet and routed across an IPv4 network to reach the destination IPv6 network.
Filter-based de-encapsulation is not supported on the loopback (lo0) interface.
Configuring a Filter to De-Encapsulate IP-in-IP Traffic
The following configuration uses the family inet statement to filter IPv4 traffic. To filter IPv6 traffic, replace family inet with the family inet6 statement where appropriate.
To configure a firewall filter to de-encapsulate IP-in-IP traffic:
- Create a firewall filter and (optionally) specify a source
IP address for the tunnel. [edit ]
You must create the filter by using family inet because the outer header of the packet must be an IP header. If you specify a source IP address, it uses an address on a device that will encapsulate traffic into IP packets.
- Specify a destination IP address for the tunnel.[edit ]user@switch# set firewall family inet filter filter-name term term-name from destination-address address
Use an IP address on the switch interface on which you want the tunnel or tunnels to terminate and the IP-in-IP packets to be de-encapsulated. Then configure this IP address as a tunnel endpoint on all the tunnel source routers that you want to form tunnels with the switch.
- Specify that the filter should match and accept IP-in-IP
traffic.[edit ]user@switch# set firewall family inet filter filter-name term term-name from protocol ipip
- Specify that the filter should de-encapsulate IP-in-IP
traffic.[edit ]user@switch# set firewall family inet filter filter-name term term-name then decapsulate gre
Based on the configuration you have performed so far, the switch forwards the de-encapsulated packets by comparing the inner header to the default routing table (inet0). If you want the switch to use a virtual routing instance to forward the de-encapsulated packets, continue with Steps 5 though 7.
- Specify the name of the virtual routing instance.[edit ]user@switch# set firewall family inet filter filter-name term term-name then decapsulate routing-instance instance-name
- Specify that the virtual routing instance is a virtual
router.[edit ]user@switch# set routing-instances instance-name instance-type virtual-router
- Specify the interfaces that belong to the virtual router.[edit ]user@switch# set routing-instances instance-name interface interface-name
Applying the Firewall Filter to an Interface
After you create the firewall filter, you must also apply it to an interface that will receive IP-in-IP traffic. Be sure to apply it in the input direction. For example, enter:
Because the outer header of an IP-in-IP packet must be an IP header, you must apply the filter to an interface and specify family inet.