decapsulate (Firewall Filter)
Syntax
decapsulate {
    gre {
        apply-groups;
        apply-groups-except;
        forwarding-class;
        interface-group(0 -255)
        no-decrement-ttl;
        routing-instance;
        sample;
    }
    inet-in-udp {
        apply-groups;
        apply-groups-except;
        forwarding-class;
        no-decrement-ttl;
        routing-instance;
    }
    inet6-in-udp {
        apply-groups;
        apply-groups-except;
        forwarding-class;
        no-decrement-ttl;
        routing-instance;
    }
    mpls-in-udp {
        apply-groups;
        apply-groups-except;
        forwarding-class;
        no-decrement-ttl;
        routing-instance;
    }
    gre-in-udp{
    l2tp {
        apply-groups;
        apply-groups-except;
        cookie;
        forwarding-class;
        no-decrement-ttl;
        output-interface;
        sample;
    }
}
Description
Define the termination action for GRE, UDP, and L2TP tunnels.
inet-in-udp, inet6-in-udp, and mpls-in-udp are supported only on PTX10003, PTX10004, PTX10008, PTX10016 and PTX10001-36MR device models.
Caveats
The following are the caveats for using the decapsulate firewall filter action.
- For the GRE tunnel decapsulate action, if the "payload type" in the GRE header is a value other than IPv4, IPv6, or MPLS, the packet will be dropped.
- For UDP tunnel decapsulation, the user is expected to configure the term's match condition on UDP destination port so that it corresponds correctly to the term's decapsulate action for IPv4, IPv6, or MPLS. In case of a mismatch, traffic can be dropped.
- The no-decrement-ttl attribute is not supported for MPLS payload.
- An output filter cannot match the TTL value of an outgoing packet for traffic decapsulated by an ingress filter with no-decrement-ttl configured.
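The UDP destination port caveat above, shown as a mismatched term beside a corrected one. This is an added example, not configuration from the Juniper documentation; the filter names, term names, and the address 192.0.2.1 are hypothetical, and it assumes the tunnel uses UDP port 6635, the IANA-assigned MPLS-in-UDP port from RFC 7510.

```junos
firewall {
    family inet {
        /* Mismatched (hypothetical names): the term selects MPLS-over-UDP
           traffic by destination port 6635 but decapsulates it as an IPv4
           payload. Per the caveat, this traffic can be dropped. */
        filter UDP-DECAP-MISMATCHED {
            term mpls-tunnel {
                from {
                    destination-address {
                        192.0.2.1/32;    /* constructed tunnel endpoint */
                    }
                    protocol udp;
                    destination-port 6635;
                }
                then {
                    decapsulate inet-in-udp;
                }
            }
            term everything-else {
                then accept;
            }
        }
        /* Corrected: the destination port in the match condition and the
           payload type named in the decapsulate action agree. */
        filter UDP-DECAP {
            term mpls-tunnel {
                from {
                    destination-address {
                        192.0.2.1/32;
                    }
                    protocol udp;
                    destination-port 6635;
                }
                then {
                    decapsulate mpls-in-udp;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

Restricting the term to the tunnel endpoint address as well as the port keeps unrelated UDP traffic that happens to use the same port from being decapsulated.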
Options
gre—(Optional) Terminate a GRE tunnel for the filter conditions that are matched.
inet-in-udp—(Optional) Terminate a UDP tunnel with IPv4 payload.
inet6-in-udp—(Optional) Terminate a UDP tunnel with IPv6 payload.
mpls-in-udp—(Optional) Terminate a UDP tunnel with MPLS payload.
l2tp—(Optional) Terminate an L2TP tunnel for the filter conditions that are matched.
output-interface interface-name—(Optional) For L2TP tunnels, enable the packet to be duplicated and sent towards the customer or the network (based on the MAC address in the Ethernet payload).
cookie l2tpv3-cookie—(Optional) For L2TP tunnels, specify the L2TP cookie for the duplicated packets. If the tunnel does not contain the receive-cookie configured, packet injection does not happen. In such a case, any received tunnel packet is counted and dropped in the same manner in which packets that arrive with a wrong cookie are counted and dropped.
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 7.6.
output-interface and cookie options introduced in Junos OS Release 15.1.
decapsulate gre introduced in Junos OS Release 15.1F3 and 16.1R2 for PTX5000 routers with third-generation FPCs and Junos OS Release 15.1F6 and 16.1R2 for PTX3000 routers with third-generation FPCs.
no-decrement-ttl attribute for the decapsulate gre filter action introduced in Junos OS Release 15.1F6 and 16.2R1 for PTX5000 routers with third-generation FPCs.
inet-in-udp, inet6-in-udp, and mpls-in-udp introduced in Junos OS Release 22.3R1.