Configuring GRE Tunnels for Layer 3 VPNs
Junos OS allows you to configure a generic routing encapsulation (GRE) tunnel between the PE and CE routers for a Layer 3 VPN. The GRE tunnel can have one or more hops. You can configure the tunnel from the PE router to a local CE router (as shown in Figure 1) or to a remote CE router (as shown in Figure 2).
For more information about how to configure tunnel interfaces, see the Junos OS Services Interfaces Library for Routing Devices.
You can configure the GRE tunnels manually or configure the Junos OS to instantiate GRE tunnels dynamically.
The following sections describe how to configure GRE tunnels manually and dynamically:
Configuring GRE Tunnels Manually Between PE and CE Routers
You can manually configure a GRE tunnel between a PE router and either a local CE router or a remote CE router for a Layer 3 VPN as explained in the following sections:
- Configuring the GRE Tunnel Interface on the PE Router
- Configuring the GRE Tunnel Interface on the CE Router
Configuring the GRE Tunnel Interface on the PE Router
You configure the GRE tunnel as a logical interface on the PE router. To configure the GRE tunnel interface, include the unit statement:
unit logical-unit-number {
    tunnel {
        source source-address;
        destination destination-address;
        routing-instance {
            destination routing-instance-name;
        }
    }
    family inet {
        address address;
    }
}
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name]
[edit logical-systems logical-system-name interfaces interface-name]
As part of the GRE tunnel interface configuration, you need to include the following statements:
- source source-address—Specify the source or origin of the GRE tunnel, typically the PE router.
- destination destination-address—Specify the destination or end point of the GRE tunnel. The destination can be a Provider router, the local CE router, or the remote CE router.
By default, the tunnel destination address is assumed to be in the default Internet routing table, inet.0. If the tunnel destination address is not in inet.0, you need to specify which routing table to search for the tunnel destination address by configuring the routing-instance statement. This is the case if the tunnel encapsulating interface is also configured under the routing instance.
- destination routing-instance-name—Specify the name of the routing instance when configuring the GRE tunnel interface on the PE router.
To complete the GRE tunnel interface configuration, include the interface statement for the GRE interface under the appropriate routing instance:
interface interface-name;
You can include this statement at the following hierarchy levels:
[edit routing-instances routing-instance-name]
[edit logical-systems logical-system-name routing-instances routing-instance-name]
Configuring the GRE Tunnel Interface on the CE Router
You can configure either the local or the remote CE router to act as the endpoint for the GRE tunnel.
To configure the GRE tunnel interface on the CE router, include the unit statement:
unit logical-unit-number {
    tunnel {
        source address;
        destination address;
    }
    family inet {
        address address;
    }
}
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name]
[edit logical-systems logical-system-name interfaces interface-name]
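A worked instance of the two manual configurations above, added here as an example and not taken from the original documentation. The interface names gr-1/0/0 and gr-0/0/0, the routing instance name vpn-a, and all addresses are constructed values; the remainder of the routing instance configuration is omitted.

```junos
# PE router (constructed values)
interfaces {
    gr-1/0/0 {
        unit 0 {
            tunnel {
                source 192.0.2.1;            # PE end of the tunnel
                destination 198.51.100.2;    # CE end of the tunnel
                # Needed only because the CE address is reachable through
                # the routing instance table rather than inet.0.
                routing-instance {
                    destination vpn-a;
                }
            }
            family inet {
                address 10.10.10.1/30;       # address on the tunnel itself
            }
        }
    }
}
routing-instances {
    vpn-a {
        # Places the GRE logical interface in the Layer 3 VPN instance.
        interface gr-1/0/0.0;
    }
}

# CE router (constructed values): source and destination are mirrored,
# and no routing-instance statement is used.
interfaces {
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 198.51.100.2;
                destination 192.0.2.1;
            }
            family inet {
                address 10.10.10.2/30;
            }
        }
    }
}
```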
Configuring GRE Tunnels Dynamically
When the router receives a VPN route to a BGP next hop address, but no MPLS path is available, a GRE tunnel can be dynamically generated to carry the VPN traffic across the BGP network. The GRE tunnel is generated and then its routing information is copied into the inet.3 routing table. IPv4 routes are the only type of routes supported for dynamic GRE tunnels. Also, the routing platform must have a tunnel PIC.
When configuring a dynamic GRE tunnel to a remote CE router, do not configure OSPF over the tunnel interface. Doing so creates a routing loop that forces the router to take the GRE tunnel down. The router attempts to reestablish the GRE tunnel, but is forced to take it down again when OSPF becomes active on the tunnel interface and discovers a route to the tunnel endpoint. This is not an issue when configuring static GRE tunnels to a remote CE router.
To generate GRE tunnels dynamically, include the dynamic-tunnels statement:
dynamic-tunnels tunnel-name {
    destination-networks prefix;
    source-address address;
}
You can include this statement at the following hierarchy levels:
- [edit routing-options]
- [edit routing-instances routing-instance-name routing-options]
- [edit logical-systems logical-system-name routing-options]
- [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options]
Specify the IPv4 prefix range (for example, 10/8 or 11.1/16) for the destination network by including the destination-networks statement. Only tunnels within the specified IPv4 prefix range are allowed to be initiated.
destination-networks prefix;
You can include this statement at the following hierarchy levels:
- [edit routing-options]
- [edit routing-instances routing-instance-name routing-options]
- [edit logical-systems logical-system-name routing-options]
- [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options]
Specify the source address for the GRE tunnels by including the source-address statement. The source address specifies the address used as the source for the local tunnel endpoint. This could be any local address on the router (typically the router ID or the loopback address).
source-address address;
You can include this statement at the following hierarchy levels:
- [edit routing-options]
- [edit routing-instances routing-instance-name routing-options]
- [edit logical-systems logical-system-name routing-options]
- [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options]