Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
ON THIS PAGE
 

Configuring Flexible Tunnel Interfaces

Flexible Tunnel Interfaces Overview

A flexible tunnel interface (FTI) is a type of logical tunnel interface that uses static routing and BGP protocols to exchange routes over a tunnel that connects endpoints to routers.

Flexible Tunnel Interfaces on MX Series Routers

On MX Series routers, FTIs have the following features:

  • FTI supports only VXLAN encapsulation with Layer 2 pseudo-headers.

  • FTI is used between a router and a server hosting multiple virtual machines, or between routers in two different data centers.

  • FTI can be configured as port-mirror destinations.

  • FTI support logical interface statistics streaming.

In the VXLAN encapsulation process, the Layer 2 address is populated with “pseudo” source (source MAC: 00-00-5E-00-52-00) and destination (destination MAC: 00-00-5E-00-52-01) MAC addresses without VLAN tagging; however, these addresses are ignored when the packets reach the remote endpoint. The remote endpoint is identified by the destination IP address and a specified destination UDP port number. The corresponding FTI on the remote endpoint is identified by the virtual network identifier (VNI) value, the source IP address of the tunnel, and the destination UDP port number. All of these values can be configured on an FTI with VXLAN encapsulation.

Figure 1: FTIs Connecting Remote Devices to a Virtual Private Cloud FTIs Connecting Remote Devices to a Virtual Private Cloud

Figure 1 illustrates how an FTI works to provide connectivity into a virtual private cloud from a remote location. Individual flexible tunnels (1 through N) are provisioned for every customer. The customer-facing logical interface and the corresponding FTIs are configured to operate in one routing instance. The FTI uses BGP protocols (eBGP and iBGP) to carry packets from the customer device to the remote gateway and vice versa.

Flexible Tunnel Interfaces on PTX Series Routers and QFX Series Switches

On PTX Series routers and QFX Series switches, FTIs have the following features:

  • FTI is supported in releases starting Junos OS Release 19.3R1.

  • FTI supports only UDP encapsulation.

  • FTI can be initiated at any place in the MPLS tunnel: MPLS transit, ingress, egress, and PHP.

  • FTI with UDP encapsulation supports the following payloads:

    • IPV4 inside IPV4 UDP packet

    • IPV6 inside IPV4 UDP packet

    • MPLS inside IPV4 UDP packet

    • ISO inside IPV4 UDP packet

FTI with UDP encapsulation supports the following features and functionality:

  • MPLS link protection and node-link protection.

  • Manual configuration of RSVP bandwidth.

  • BFD support for liveliness detection, excluding BFD over LDP and RSVP.

  • Support for the following protocols:

    • BGP

    • RSVP

    • LDP

    • OSPF

    • ISIS

  • Static routes.

  • FTI logical interface statistics.

  • MTU configuration on FTI and fragmentation of payload before entering the tunnel.

  • Underlay can be Aggregated Ethernet or regular interface, and can be tagged sub-interface or regular Layer 3 interfaces.

  • Overlay and underlay ECMP.

To configure an FTI interface with UDP encapsulation, include the udp statement at the [edit interfaces fti0 unit unit tunnel encapsulation] hierarchy level.

For example:

MPLS Support for FTI tunnels on PTX Series Routers

Starting In Junos OS Evolved Release 21.4R1, you can configure MPLS protocols over FTI tunnels, thereby transporting MPLS packets over IP networks which does not support MPLS.

In Junos OS Evolved Release 21.4R1, generic routing encapsulation (GRE) and UDP tunnels support MPLS protocol for IPv4 and IPv6 traffic. You can configure encapsulation and decapsulation for the GRE and UDP tunnels.

The following features are supported :

  • Encapsulation and decapsulation for IPv4 and IPv6 traffic

  • UDP port number configuration

  • MPLS node-link protection

  • Ingress, egress, PHP, and transit roles for LSP

  • Ping and traceroute support in ingress, egress, PHP, and transit roles for LSP

  • Overlay and underlay ECMP

  • Manual configuration of RSVP bandwidth.

  • MPLS services

    • L3VPN

    • 6VPE

    • L2 circuit

    • BGP-LU with per nexhop or prefix label

  • Routing instance

  • Class-of-service (CoS) including the configuration of rewrite rules and classifiers

  • MTU configuration and fragmentation of payload

  • BFD support for liveliness detection.

  • Jvision

The following features and functionality are not supported:

  • MPLS link protection

  • RSVP bandwidth Inheritance based on next hop to tunnel destination for FTI interfaces

  • TTL propagation.

  • Class-of-service on tunnel endpoints .

  • FT-over-FT resolution .

  • FT destination IP should be reachable through IGP and not BGP (no indirect next hop). The reachability should be through an IPV4 route and not through an LSP.

  • Path MTU discovery .

To allow the MPLS traffic on the UDP tunnels include the mpls port-number statement at the [edit forwarding-options tunnels udp port-profile profile-name] hierarchy level. To allow the MPLS traffic on the GRE tunnels, include the mpls statement at the [edit interfaces fti0 unit unit family] hierarchy.

For example:

Benefits of Flexible Tunnel Interfaces

  • Entropy and load balancing occur in transit. Unlike over tunnel encapsulations, such as IP in IP or generic routing encapsulation (GRE), VXLAN encapsulation supports passing of the hash computation result in the source port of the UDP datagram. This enables you to load-balance traffic efficiently in transit.

  • FTIs have an extensible design that enables them to support multiple encapsulations.

  • The vni attribute of the VXLAN encapsulation in FTIs helps in customer isolation.

  • FTIs with UDP encapsulation use the source and destination port in the UDP header. Because the UDP source port is derived from the hash value of the inner payload, you can benefit from better traffic distribution over ECMP.

Limitations of Flexible Tunnel Interfaces

  • Policing follows the distributed forwarding model of the FTIs; therefore provisioned bandwidth limits are enforced at an individual Packet Forwarding Engine level. As a result, more traffic might be admitted.

  • Currently, FTI-tunneled traffic is strictly routed in the inet.0 instance. Therefore, FTIs support only IPv4 traffic.

  • The MX80 does not support FTIs.

  • Class-of-service (CoS) configuration, including the configuration of rewrite rules and classifiers is not supported on FTIs.

  • Time-to-live (TTL) on the tunnel header is set to the default value 100.

  • Differentiated Services code point (DSCP) value is set to the default value 0, but internal forwarding class and loss priority fields are retained and can be used to rewrite DSCP in the egress interface rewrite rules.

  • IP fragmentation is not supported on FTIs.

FTI with UDP encapsulation do not support the following features and functionality:

  • BFD over LDP and RSVP is not supported.

  • Aggregate Ethernet member statistics on QFX1000 device is not supported.

  • 10,000 routes per FTI logical interface is not supported.

  • Routing instance is not supported.

  • Logical systems is not supported.

  • Path MTU discovery is not supported.

  • Policing and firewall is not supported.

  • BGP signaling for UDP tunnels is not supported.

  • Class-of-service on tunnel endpoints is not supported.

  • TTL propagation is not supported.

  • Multicast traffic is not supported.

  • Plain IPV6 UDP tunnel is not supported.

  • Anti-spoofing check for tunneled traffic is not supported.

  • MPLS FRR is not supported.

  • FT-over-FT resolution is not supported.

  • FT destination IP should be reachable through IGP and not BGP (no indirect next hop). The reachability should be through an IPV4 route and not through an LSP.

  • FT physical interface level statistics is not supported.

  • All the interfaces under FTI except for fti0 are not supported.

  • Un-numbered address is not supported.

See Also

Configuring Flexible Tunnel Interfaces

You can configure flexible tunnel Interfaces (FTIs) that support the Virtual Extensible LAN (VXLAN) encapsulation with Layer 2 pseudo-headers on MX Series routers, or UDP encapsulation on PTX Series routers and QFX Series switches. A flexible tunnel interface (FTI) is a point-to-point Layer 3 interface that can be used to create IPv4 and IPv6 overlays over an IPv4 transport network. A BGP protocol session can be configured to run over FTIs in order to distribute routing information.

The following sections describe how to configure FTIs on your device and to enable multiple encapsulations using the udp or vxlan-gpe parameter under the mandatory tunnel-endpoint vxlan encapsulation identified with the vni and destination-udp-port values:

Configuring FTI on PE1

You can configure an FTI by including the tunnel-endpoint vxlan statement at the [edit interfaces] hierarchy level.

To configure an FTI and define its attributes for an IPv4 network:

  1. In configuration mode, go to the [edit interfaces] hierarchy level.
  2. On MX Series routers, configure a logical unit for the interface and the encapsulation vxlan-gpe. The unit is a logical interface configured on the physical device. Specify the value of the unit from 0 through 8191. VXLAN is defined as an encapsulation format that encapsulates Ethernet frames in an outer UDP/IP transport.
    Note:

    The capabilities of VXLAN-GPE are a super-set of what VXLAN without protocol extension offers. Therefore generic vxlan-gpe hierarchy is introduced to configure VXLAN tunnel encapsulation attributes; however, only regular VXLAN encapsulation without protocol extensions and pseudo Layer 2 MAC is used. The pseudo Layer 2 address is populated with “pseudo” source (source MAC: 00-00-5E-00-52-00) and destination (destination MAC: 00-00-5E-00-52-01) MAC addresses without VLAN tagging.

    On MX Series routers:

    Starting in Junos OS Release 19.3R1, you can configure flexible tunnel interfaces (FTIs) with UDP encapsulation on the PTX Series routers and the QFX Series switches, which provide support for static UDP tunnels only.

    FTIs with UDP encapsulation provides the benefit of better traffic distribution over ECMP, that is achieved by the UDP source port derived from the hash value of the inner payload. In addition to this, the other benefits of this feature include, shortened interface hop counts, smooth IGP domain separation, and reduced operational complexity.

    On PTX Series routers and QFX Series switches:

  3. Configure the source address for the interface. The source address is the IPv4 address or address range of the encapsulator (the local ingress PE router).
    Note:

    The source address can be a global WAN address and loopback address (lo0) is not mandatory.

  4. Configure the destination address for the interface. The destination address is the IPv4 address of the tunnel endpoint destination.
  5. Configure tunnel-endpoint with the encapsulation vxlan. This step is mandatory to enable Layer 2 pseudo-header with VXLAN encapsulation.
  6. Specify the UDP port value of the destination to be used in the UDP header for the generated frames. The numeric value for destination-udp-port identifies the endpoint. Specify the value of destination-udp-port from 1 through 65,535.
  7. Specify the virtual network identifier (VNI) value to be used to identify the encapsulation, vxlan-gpe. Specify the value of the vni from 0 through 16,777,214.
  8. Configure an IPv4 address of an interface (signified by family inet). For IPv6 address configuration, use the inet6 family.

    If you are done configuring the device, enter commit from configuration mode.

Verification

Purpose

Verify that the FTI is configured and verify its status.

Action

In configuration mode, you can verify if FTI on MX Series router has been configured by executing the show interfaces fti number command.

Similarly you can execute the show interfaces fti0 detail, show interfaces fti0 extensive, show interfaces fti0 terse, and show interfaces fti0 statistics commands to get more details FTIs. See show interfaces fti.

Meaning

The show interfaces fti0 command displays the status of the FTIs that have been configured with the new encapsulation vxlan-gpe. The output verifies that the FTI is configured and the physical link is up.

See Also

Example: Configuring Flexible Tunnel Interfaces on MX Series Routers

Requirements

This example uses the following hardware and software components:

  • An MX10003 and an MX Series 5G Universal Routing Platform.

  • Junos OS Release 18.3 or later.

Overview

In this example, flexible tunnel interfaces are used to create a Layer 3 VPN overlay network between two routers. In the actual deployment, one of the endpoints can be the server in a data center or a data center gateway.

Consider a sample topology in which a gateway device, PE1, functions as a link between the enterprise customers to represent the customer side for an FTI tunnel. eBGP is used to distribute routes between customer edge (CE1) and provider edge (PE1) devices. IPv4 is used for transmission of test frames over the Layer 3 network. This test is used to transfer the traffic between CE1 and CE2. Logical interfaces on both the routers are configured with IPv4 addresses to create an FTI to transfer the traffic of network devices for the IPv4 service.

Figure 2 shows the sample topology of how an FTI performs for a Layer 3 IPv4 service.

Figure 2: Flexible Tunnel Interfaces Topology Flexible Tunnel Interfaces Topology

Configuration

In this example, you configure FTI for a Layer 3 IPv4 service that is between interface fti0 on PE1 and interface fti0 on PE2 to form a tunnel interface of the interconnecting routers.

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them in a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

To Configure Parameters on PE1

To Configure Parameters on PE2

Configuring on PE1

Step-by-Step Procedure

The following steps require you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the parameters on PE1:

  1. In configuration mode, go to the [edit interfaces] hierarchy level:

  2. Configure the FTI and a logical unit and specify the protocol family.

  3. Specify the source address for the logical interface.

  4. Specify the destination address for the logical interface.

  5. Set tunnel-endpoint with the encapsulation vxlan.

  6. Specify the UDP port value of the destination to be used in the UDP header for the generated frames.

  7. Specify the vni value to be used to identify the encapsulation vxlan-gpe on the interface.

  8. Specify the address type family for the interface.

Configuring on PE2

Step-by-Step Procedure

The following steps require you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the parameters on PE2:

  1. In configuration mode, go to the [edit interfaces] hierarchy level:

  2. Configure the FTI and a logical unit and specify the protocol family.

  3. Specify the source address for the logical interface.

  4. Specify the destination address for the logical interface.

  5. Set tunnel-endpoint with the encapsulation vxlan.

  6. Specify the UDP port value of the destination to be used in the UDP header for the generated frames.

  7. Specify the vni value to be used to identify the encapsulation vxlan-gpe on the interface.

  8. Specify the address type family for the interface.

    After the configuration is successfully completed, you can view the parameters by entering the show fti0 command.

Results

In configuration mode, confirm your configuration on PE1 and PE2 by entering the show command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Parameters on PE1:

Parameters on PE2:

After you have configured the interface, enter the commit command in configuration mode.

Verification

Verifying the Results

Purpose

Verify that the necessary and desired tunnel displays the values configured for the FTI test that is run on the flexible tunnel between PE1 and PE2.

Action

In operational mode, enter the show interfaces fti0 command to display status of the FTIs that have been configured with the new encapsulation vxlan-gpe. The output verifies that the FTI is configured and the physical link is up.

See Also

Configuring IP-IP Decapsulation by Tunnel Termination on FTI

In filter based decapsulation, the decapsulated packets are re-circulated for inner header lookup and forwarded accordingly. However, tunnel termination is completed in a single pass of packet processing, thus providing performance improvement over filter based process. Starting in Junos OS Evolved Release 20.1R2, you can configure IP-IP decapsulation on a flexible tunnel interface on PTX series routers by configuring tunnel termination. You can configure IP-IP decapsulation on a flexible tunnel interface by configuring tunnel termination at the [edit interfaces fti0 unit number tunnel encapsulation IPIP] hierarchy level.

Note:

For the Junos OS Evolved Release 20.1R2, FTI does not support encapsulation.

To configure IP-IP decapsulation by tunnel termination:

  1. On PTX Series routers, configure the FTI, logical unit for the interface, and the encapsulation IPIP. The unit is a logical interface configured on the physical device. Specify the value of the unit from 0 through 4096.
  2. For IP-IP decapsulation, configure the tunnel termination and specify the address family. For IPv6 address configuration, use the inet6 family.
    Note:

    For the Junos OS Evolved Release 20.1R2, this step is mandatory.

  3. Configure the source address and destination address for the interface.
  4. Configure the routing instance for the FTI to facilitate routing table lookups. Create a virtual-router instance and associate the interface.
  5. Verify the tunnel termination.
Release History Table
Release
Description
20.1R2 Evo
Starting in Junos OS Evolved Release 20.1R2, you can configure IP-IP decapsulation on a flexible tunnel interface on PTX series routers by configuring tunnel termination.
19.3R1
FTI is supported in releases starting Junos OS Release 19.3R1.
19.3R1
Starting in Junos OS Release 19.3R1, you can configure flexible tunnel interfaces (FTIs) with UDP encapsulation on the PTX Series routers and the QFX Series switches, which provide support for static UDP tunnels only.