Configuring Flexible Tunnel Interfaces

Flexible Tunnel Interfaces on MX Series Routers and SRX Series Firewalls

FTIs have the following features on MX Series routers and SRX Series firewalls:

• FTI supports only VXLAN encapsulation with Layer 2 pseudo-headers.

• FTI is used between a router and a server hosting multiple virtual machines, or between routers in two different data centers.

• FTI can be configured as port-mirror destinations.

• FTI support logical interface statistics streaming.

In the VXLAN encapsulation process, the Layer 2 address is populated with “pseudo” source (source MAC: 00-00-5E-00-52-00) and destination (destination MAC: 00-00-5E-00-52-01) MAC addresses without VLAN tagging; however, these addresses are ignored when the packets reach the remote endpoint. The remote endpoint is identified by the destination IP address and a specified destination UDP port number. The corresponding FTI on the remote endpoint is identified by the virtual network identifier (VNI) value, the source IP address of the tunnel, and the destination UDP port number. All of these values can be configured on an FTI with VXLAN encapsulation.

Figure 1: FTIs Connecting Remote Devices to a Virtual Private Cloud

Figure 1 illustrates how an FTI works to provide connectivity into a virtual private cloud from a remote location. Individual flexible tunnels (1 through N) are provisioned for every customer. The customer-facing logical interface and the corresponding FTIs are configured to operate in one routing instance. The FTI uses BGP protocols (eBGP and iBGP) to carry packets from the customer device to the remote gateway and vice versa.

Flexible Tunnel Interfaces on PTX Series Routers and QFX Series Switches

Some PTX Series routers and QFX Series switches support FTIs. For details on platform and Junos version support, see Feature Explorer. FTI support on PTX and QFX switches include the following features:

• FTI is supported in releases starting Junos OS Release 19.3R1.

• FTI supports only UDP encapsulation.

• FTI can be initiated at any place in the MPLS tunnel: MPLS transit, ingress, egress, and PHP.

• FTI with UDP encapsulation supports the following payloads:

  • IPV4 inside IPV4 UDP packet

  • IPV6 inside IPV4 UDP packet

  • MPLS inside IPV4 UDP packet

  • ISO inside IPV4 UDP packet

FTI with UDP encapsulation supports the following features and functionality:

• MPLS link protection and node-link protection.

• Manual configuration of RSVP bandwidth.

• BFD support for liveliness detection, excluding BFD over LDP and RSVP.

• Support for the following protocols:

  • BGP

  • RSVP

  • LDP

  • OSPF

  • ISIS

• Static routes.

• FTI logical interface statistics.

• MTU configuration on FTI and fragmentation of payload before entering the tunnel.

• Underlay can be Aggregated Ethernet or regular interface, and can be tagged sub-interface or regular Layer 3 interfaces.

• Overlay and underlay ECMP.

To configure an FTI interface with UDP encapsulation, include the udp statement at the [edit interfaces fti0 unit unit tunnel encapsulation] hierarchy level.

For example:

MPLS Support for FTI tunnels on PTX Series Routers

Starting In Junos OS Evolved Release 21.4R1, you can configure MPLS protocols over FTI tunnels, thereby transporting MPLS packets over IP networks which does not support MPLS.

In Junos OS Evolved Release 21.4R1, generic routing encapsulation (GRE) and UDP tunnels support MPLS protocol for IPv4 and IPv6 traffic. You can configure encapsulation and decapsulation for the GRE and UDP tunnels.

The following features are supported :

• Encapsulation and decapsulation for IPv4 and IPv6 traffic

• UDP port number configuration

• MPLS node-link protection

• Ingress, egress, PHP, and transit roles for LSP

• Ping and traceroute support in ingress, egress, PHP, and transit roles for LSP

• Overlay and underlay ECMP

• Manual configuration of RSVP bandwidth.

• MPLS services

  • L3VPN

  • 6VPE

  • L2 circuit

  • BGP-LU with per nexhop or prefix label

• Routing instance

• Class-of-service (CoS) including the configuration of rewrite rules and classifiers

• MTU configuration and fragmentation of payload

• BFD support for liveliness detection.

• Jvision

The following features and functionality are not supported:

• MPLS link protection

• RSVP bandwidth Inheritance based on next hop to tunnel destination for FTI interfaces

• TTL propagation.

• Class-of-service on tunnel endpoints .

• FT-over-FT resolution .

• FT destination IP should be reachable through IGP and not BGP (no indirect next hop). The reachability should be through an IPV4 route and not through an LSP.

• Path MTU discovery .

To allow the MPLS traffic on the UDP tunnels include the mpls port-number statement at the [edit forwarding-options tunnels udp port-profile profile-name] hierarchy level. To allow the MPLS traffic on the GRE tunnels, include the mpls statement at the [edit interfaces fti0 unit unit family] hierarchy.

For example:

Benefits of Flexible Tunnel Interfaces

• Entropy and load balancing occur in transit. Unlike over tunnel encapsulations, such as IP in IP or generic routing encapsulation (GRE), VXLAN encapsulation supports passing of the hash computation result in the source port of the UDP datagram. This enables you to load-balance traffic efficiently in transit.

• FTIs have an extensible design that enables them to support multiple encapsulations.

• The vni attribute of the VXLAN encapsulation in FTIs helps in customer isolation.

• FTIs with UDP encapsulation use the source and destination port in the UDP header. Because the UDP source port is derived from the hash value of the inner payload, you can benefit from better traffic distribution over ECMP.

Limitations of Flexible Tunnel Interfaces

• Policing follows the distributed forwarding model of the FTIs; therefore provisioned bandwidth limits are enforced at an individual Packet Forwarding Engine level. As a result, more traffic might be admitted.

• Currently, FTI-tunneled traffic is strictly routed in the inet.0 instance. Therefore, FTIs support only IPv4 traffic.

• The MX80 does not support FTIs.

• Class-of-service (CoS) configuration, including the configuration of rewrite rules and classifiers is not supported on FTIs.

• Time-to-live (TTL) on the tunnel header is set to the default value 64.

• Differentiated Services code point (DSCP) value is set to the default value 0, but internal forwarding class and loss priority fields are retained and can be used to rewrite DSCP in the egress interface rewrite rules.

• IP fragmentation is not supported on FTIs.

FTI with UDP encapsulation do not support the following features and functionality:

• BFD over LDP and RSVP is not supported.

• Aggregate Ethernet member statistics on QFX1000 device is not supported.

• 10,000 routes per FTI logical interface is not supported.

• Routing instance is not supported.

• Logical systems is not supported.

• Path MTU discovery is not supported.

• Policing and firewall is not supported.

• BGP signaling for UDP tunnels is not supported.

• Class-of-service on tunnel endpoints is not supported.

• TTL propagation is not supported.

• Multicast traffic is not supported.

• Plain IPV6 UDP tunnel is not supported.

• Anti-spoofing check for tunneled traffic is not supported.

• MPLS FRR is not supported.

• FT-over-FT resolution is not supported.

• FT destination IP should be reachable through IGP and not BGP (no indirect next hop). The reachability should be through an IPV4 route and not through an LSP.

• FT physical interface level statistics is not supported.

• All the interfaces under FTI except for fti0 are not supported.

• Un-numbered address is not supported.

Verify Flexible Tunnel Creation

Use the show interfaces fti0.0 command to display information about the flexible tunnel interface: