Filtering Unicast Packets Through Multicast Tunnel Interfaces
Configuring Unicast Tunnels
To configure a unicast tunnel, you configure a gr- interface (to use GRE encapsulation) or an ip- interface (to use IP-IP encapsulation) and include the tunnel and family statements:
gr-fpc/pic/port or ip-fpc/pic/port {
    unit logical-unit-number {
        copy-tos-to-outer-ip-header;
        reassemble-packets;
        tunnel {
            allow-fragmentation;
            destination destination-address;
            do-not-fragment;
            key number;
            routing-instance {
                destination routing-instance-name;
            }
            source address;
            ttl number;
        }
        family family {
            address address {
                destination address;
            }
        }
    }
}
You can configure these statements at the following hierarchy levels:
[edit interfaces]
[edit logical-systems logical-system-name interfaces]
You can configure multiple logical units for each GRE or IP-IP interface, and you can configure only one tunnel per unit.
On M Series and T Series routers, you can configure the interface on a service PIC or a tunnel PIC. On MX Series routers, configure the interface on a Multiservices DPC.
Each tunnel interface must be a point-to-point interface. Point-to-point is the default interface connection type, so you do not need to include the point-to-point statement in the logical interface configuration.
You must specify the tunnel’s destination and source addresses. The remaining statements are optional.
For transit packets exiting the tunnel, forwarding path features, such as reverse path forwarding (RPF), forwarding table filtering, source class usage, destination class usage, and stateless firewall filtering, are not supported on the interfaces you configure as tunnel sources, but are supported on tunnel-pic interfaces.
However, class-of-service (CoS) information obtained from the GRE or IP-IP header is carried over the tunnel and is used by the re-entering packets. For more information, see the Junos OS Class of Service User Guide for Routing Devices.
To prevent an invalid configuration, the Junos OS disallows setting the address specified by the source or destination statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number tunnel] hierarchy level to be the same as the interface’s own subnet address, specified by the address statement at the [edit interfaces gr-fpc/pic/port unit logical-unit-number family family-name] hierarchy level.
To set the time-to-live (TTL) field that is included in the encapsulating header, include the ttl statement. If you explicitly configure a TTL value for the tunnel, you must configure it to be one larger than the number of hops in the tunnel. For example, if the tunnel has seven hops, you must configure a TTL value of 8.
You must configure at least one family on the logical interface.
To enable MPLS over GRE tunnel interfaces, you must include the family mpls statement in the GRE interface configuration. In addition, you must include the appropriate statements at the [edit protocols] hierarchy level to enable Resource Reservation Protocol (RSVP), MPLS, and label-switched paths (LSPs) over GRE tunnels.
Unicast tunnels are bidirectional.
A configured tunnel cannot go through Network Address Translation (NAT) at any point along the way to the destination. For more information, see Tunnel Services Overview and the MPLS Applications User Guide.
For a GRE tunnel, the default is to set the ToS bits in the outer IP header to all zeros. To have the Routing Engine copy the ToS bits from the inner IP header to the outer, include the copy-tos-to-outer-ip-header statement. (This inner-to-outer ToS bits copying is already the default behavior for IP-IP tunnels.)
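The constraints stated above (mandatory source and destination, at least one family on the unit, endpoint addresses distinct from the unit's own address, TTL equal to hops + 1, and the key range given later on this page) can be checked before a configuration is committed. The following is an added example, not Junos code or a configuration from this documentation; the function names and the curly-brace renderer are this example's own, and reading "the interface's own subnet address" as the address configured under family is an assumption.

```python
import ipaddress

# Added example, not part of the Junos documentation: a small renderer and
# checker for the unicast tunnel hierarchy described above. Function names
# are this example's own; the rules enforced are the ones the text states.

KEY_MAX = 4294967295   # upper bound of the GRE key number


def tunnel_ttl_for_hops(hops):
    """An explicitly configured TTL must be one larger than the hop count."""
    if hops < 1:
        raise ValueError("a tunnel spans at least one hop")
    return hops + 1


def validate_unicast_tunnel(source, destination, families, ttl=None, hops=None, key=None):
    """Return the list of rule violations; an empty list means the unit is acceptable.

    families maps a family name (inet, inet6, mpls, ...) to an address in
    prefix notation, or to None for an unnumbered family.
    """
    problems = []
    if not source or not destination:
        problems.append("tunnel source and destination are mandatory")
        return problems
    src = ipaddress.ip_address(source)
    dst = ipaddress.ip_address(destination)
    if src.version != dst.version:
        problems.append("tunnel source and destination must be the same IP version")
    if not families:
        problems.append("at least one family must be configured on the logical unit")
    for fam, addr in families.items():
        if addr is None:
            continue                      # unnumbered family, nothing to compare
        own = ipaddress.ip_interface(addr).ip
        if own in (src, dst):             # assumption: the unit's own address is what must differ
            problems.append(f"family {fam} address {own} equals a tunnel endpoint address")
    if ttl is not None:
        if not 1 <= ttl <= 255:
            problems.append(f"ttl {ttl} is outside 1..255")
        elif hops is not None and ttl != tunnel_ttl_for_hops(hops):
            problems.append(f"ttl must be {hops + 1} for a {hops}-hop tunnel, got {ttl}")
    if key is not None and not 0 <= key <= KEY_MAX:
        problems.append(f"key {key} is outside 0..{KEY_MAX}")
    return problems


def render_unicast_tunnel(ifname, unit, source, destination, families,
                          ttl=None, key=None, copy_tos=False):
    """Emit the logical-unit configuration in Junos curly-brace form."""
    lines = [f"{ifname} {{", f"    unit {unit} {{"]
    if copy_tos:
        lines.append("        copy-tos-to-outer-ip-header;")
    lines += ["        tunnel {",
              f"            source {source};",
              f"            destination {destination};"]
    if key is not None:
        lines.append(f"            key {key};")
    if ttl is not None:
        lines.append(f"            ttl {ttl};")
    lines.append("        }")
    for fam, addr in families.items():
        if addr is None:
            lines.append(f"        family {fam};")
        else:
            lines += [f"        family {fam} {{",
                      f"            address {addr};",
                      "        }"]
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    fams = {"inet": "10.1.1.1/30", "mpls": None}
    print(validate_unicast_tunnel("192.168.1.1", "192.168.1.2", fams, ttl=8, hops=7))
    print(render_unicast_tunnel("gr-1/2/0", 0, "192.168.1.1", "192.168.1.2", fams, ttl=8))
```

Running the checker on a candidate unit before loading it on the router turns the commit-time rejection described above into an early, readable error list; the renderer only emits statements that appear in the hierarchy shown at the top of this section.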
For GRE tunnel interfaces on Adaptive Services or Multiservices interfaces, you can configure additional tunnel attributes, as described in the following sections:
- Configuring a Key Number on GRE Tunnels
- Enabling Packet Fragmentation on GRE Tunnels Prior to GRE Encapsulation
- Specifying an MTU Setting for the Tunnel
- Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header
- Enabling Fragmentation and Reassembly on Packets After GRE-Encapsulation
- Support for IPv6 GRE tunnels
Configuring a Key Number on GRE Tunnels
For Adaptive Services and Multiservices interfaces on M Series and T Series routers, you can assign a key value to identify an individual traffic flow within a GRE tunnel, as defined in RFC 2890, Key and Sequence Number Extensions to GRE. However, only one key is allowed for each tunnel source and destination pair.
Each IP version 4 (IPv4) packet entering the tunnel is encapsulated with the GRE tunnel key value. Each IPv4 packet exiting the tunnel is verified by the GRE tunnel key value and de-encapsulated. The Adaptive Services or Multiservices PIC drops packets that do not match the configured key value.
To assign a key value to a GRE tunnel interface, include the key statement:
key number;
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number tunnel]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]
The key number can be 0 through 4,294,967,295. You must configure the same GRE tunnel key value on tunnel endpoints.
The following example illustrates the use of the key statement in a GRE tunnel configuration:
interfaces {
    gr-1/2/0 {
        unit 0 {
            tunnel {
                source 10.58.255.193;
                destination 10.58.255.195;
                key 1234;
            }
            ...
            family inet {
                mtu 1500;
                address 10.200.0.1/30;
                ...
            }
        }
    }
}
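The key check performed at the tunnel exit, modelled as an added example (not Juniper code): the entry side prepends a GRE header carrying the key, and the exit side accepts only packets whose key matches the single key configured for the source/destination pair, dropping and counting the rest. The header layout follows RFC 2784 with the RFC 2890 key extension; the names gre_encapsulate and GreTunnelEndpoint and the test packets are this example's own.

```python
import struct

# Added example, not Juniper code: models the key verification described
# above. GRE base header per RFC 2784, key field per RFC 2890.

GRE_FLAG_C = 0x8000          # checksum present
GRE_FLAG_K = 0x2000          # key present (RFC 2890)
GRE_FLAG_S = 0x1000          # sequence number present (RFC 2890)
GRE_VERSION_MASK = 0x0007    # low three bits of the first 16-bit word
ETHERTYPE_IPV4 = 0x0800


def gre_encapsulate(inner_packet, key=None, proto=ETHERTYPE_IPV4):
    """Tunnel entry: prepend a GRE header, carrying the configured key if any."""
    flags = GRE_FLAG_K if key is not None else 0
    header = struct.pack("!HH", flags, proto)
    if key is not None:
        header += struct.pack("!I", key)
    return header + inner_packet


class GreTunnelEndpoint:
    """Tunnel exit: verify the key, then de-encapsulate; mismatches are dropped and counted."""

    def __init__(self, configured_key=None):
        self.configured_key = configured_key   # the one key allowed for this src/dst pair
        self.key_mismatch_drops = 0
        self.malformed_drops = 0

    def receive(self, gre_packet):
        """Return (protocol, inner_packet), or None when the packet is dropped."""
        if len(gre_packet) < 4:
            self.malformed_drops += 1
            return None
        flags, proto = struct.unpack("!HH", gre_packet[:4])
        if flags & GRE_VERSION_MASK:            # only GRE version 0 is handled here
            self.malformed_drops += 1
            return None
        offset = 4
        if flags & GRE_FLAG_C:
            offset += 4                         # checksum + reserved1 (not verified here)
        key = None
        if flags & GRE_FLAG_K:
            if len(gre_packet) < offset + 4:
                self.malformed_drops += 1
                return None
            key = struct.unpack("!I", gre_packet[offset:offset + 4])[0]
            offset += 4
        if flags & GRE_FLAG_S:
            offset += 4                         # sequence number, ignored here
        if len(gre_packet) < offset:
            self.malformed_drops += 1
            return None
        if self.configured_key is not None and key != self.configured_key:
            # A packet with no key, or with a different key, does not match the
            # configured key and is dropped rather than de-encapsulated.
            self.key_mismatch_drops += 1
            return None
        return proto, gre_packet[offset:]


if __name__ == "__main__":
    endpoint = GreTunnelEndpoint(configured_key=1234)
    inner = b"\x45\x00\x00\x14" + b"\x00" * 16   # constructed 20-byte stand-in for an IPv4 packet
    print(endpoint.receive(gre_encapsulate(inner, key=1234)))
    print(endpoint.receive(gre_encapsulate(inner, key=4321)), endpoint.key_mismatch_drops)
```

The mismatch counter is the signal worth watching operationally: a steadily rising count on an endpoint indicates either a key misconfiguration on the far side or traffic arriving from a source that does not hold the key.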
Enabling Packet Fragmentation on GRE Tunnels Prior to GRE Encapsulation
For GRE tunnel interfaces on Adaptive Services and Multiservices interfaces only, you can enable fragmentation of IPv4 packets before they are GRE-encapsulated in GRE tunnels.
By default, IPv4 traffic transmitted over GRE tunnels is not fragmented. To enable fragmentation of IPv4 packets in GRE tunnels, include the clear-dont-fragment-bit statement:
clear-dont-fragment-bit;
You can include this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
When you include the clear-dont-fragment-bit statement in the configuration, the don’t-fragment (DF) bit is cleared on all packets, even packets that do not exceed the tunnel maximum transmission unit (MTU). If the packet’s size exceeds the tunnel’s MTU value, the packet is fragmented before encapsulation. If the packet’s size does not exceed the tunnel’s MTU value, the packet is not fragmented.
You can also clear the DF bit in packets transmitted over IP Security (IPsec) tunnels. For more information, see Configuring IPsec Rules.
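The two-part rule above (DF cleared on every packet; fragmentation only when the packet exceeds the tunnel MTU) is easy to get wrong in a model, so here is an added example that carries it out on constructed IPv4 packets. This is not Junos code: build_ipv4 and ipv4_checksum exist only to construct test input, and fragment_before_encapsulation is this example's own name for the step that runs before GRE encapsulation.

```python
import struct

# Added example, not Junos code: a model of the clear-dont-fragment-bit
# behaviour. DF is cleared on every packet; a packet is split into
# fragments only when it is larger than the tunnel MTU. The returned
# packets are what would then be handed to GRE encapsulation.

IP_FLAG_DF = 0x4000
IP_FLAG_MF = 0x2000
IP_OFFSET_MASK = 0x1FFF


def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 for a header whose stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, payload, ident=1, flags=0, proto=17, ttl=64):
    """Construct a minimal IPv4 packet (20-byte header, no options) as test input."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags, ttl, proto, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    return header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:] + payload


def flags_and_offset(packet):
    """Return (df_set, mf_set, fragment_offset_in_8_byte_units) of an IPv4 packet."""
    v = int.from_bytes(packet[6:8], "big")
    return bool(v & IP_FLAG_DF), bool(v & IP_FLAG_MF), v & IP_OFFSET_MASK


def _rewrite_header(header, total_len, flags_off):
    """Copy of header with new total length and flags/offset; checksum recomputed."""
    h = bytearray(header)
    struct.pack_into("!H", h, 2, total_len)
    struct.pack_into("!H", h, 6, flags_off)
    struct.pack_into("!H", h, 10, 0)
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def fragment_before_encapsulation(packet, tunnel_mtu):
    """Return the packets to encapsulate: one with DF cleared, or several fragments."""
    ihl = (packet[0] & 0x0F) * 4
    header, payload = packet[:ihl], packet[ihl:]
    flags_off = int.from_bytes(header[6:8], "big") & ~IP_FLAG_DF   # DF cleared unconditionally
    if len(packet) <= tunnel_mtu:
        return [_rewrite_header(header, len(packet), flags_off) + payload]
    chunk = (tunnel_mtu - ihl) // 8 * 8      # fragment data must be a multiple of 8 bytes
    if chunk <= 0:
        raise ValueError("tunnel MTU leaves no room for fragment data")
    orig_mf = flags_off & IP_FLAG_MF         # fragmenting a fragment keeps the original MF
    base_off = flags_off & IP_OFFSET_MASK
    fragments = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        last = start + chunk >= len(payload)
        mf = orig_mf if last else IP_FLAG_MF
        new_header = _rewrite_header(header, ihl + len(piece), mf | (base_off + start // 8))
        fragments.append(new_header + piece)
    return fragments


if __name__ == "__main__":
    big = build_ipv4("10.58.255.193", "10.58.255.195", bytes(range(256)) * 6, flags=IP_FLAG_DF)
    for frag in fragment_before_encapsulation(big, 1500):
        print(len(frag), flags_and_offset(frag))
```

With a 1500-byte tunnel MTU the 1556-byte test packet becomes a 1500-byte fragment (MF set, offset 0) and a 76-byte fragment (offset 185); a 120-byte packet passes through unfragmented but with DF cleared. When the statement is enabled, the receiving host, not the tunnel endpoint, reassembles these fragments after de-encapsulation.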
Specifying an MTU Setting for the Tunnel
To enable key numbers and fragmentation on GRE tunnels (as described in Configuring a Key Number on GRE Tunnels and Enabling Packet Fragmentation on GRE Tunnels Prior to GRE Encapsulation), you must also specify an MTU setting for the tunnel.
To specify an MTU setting for the tunnel, include the mtu statement:
mtu bytes;
You can include this statement at the following hierarchy levels:
[edit interfaces gr-fpc/pic/port unit logical-unit-number family inet]
[edit logical-systems logical-system-name interfaces gr-fpc/pic/port unit logical-unit-number family inet]
For more information about MTU settings, see the Junos OS Network Interfaces Library for Routing Devices.
Configuring a GRE Tunnel to Copy ToS Bits to the Outer IP Header
Unlike IP-IP tunnels, GRE tunnels do not copy the ToS bits to the outer IP header by default. To have the Routing Engine copy the inner ToS bits to the outer IP header (which is required for some tunneled routing protocols) on packets sent by the Routing Engine, include the copy-tos-to-outer-ip-header statement at the logical unit hierarchy level of a GRE interface. This example copies the inner ToS bits to the outer IP header on a GRE tunnel:
[edit interfaces]
gr-0/0/0 {
    unit 0 {
        copy-tos-to-outer-ip-header;
        family inet;
    }
}
Enabling Fragmentation and Reassembly on Packets After GRE-Encapsulation
You can enable the fragmentation and reassembly of packets after they are GRE-encapsulated for a GRE tunnel. When the size of a GRE-encapsulated packet is greater than the MTU of a link that the packet passes through, the GRE-encapsulated packet is fragmented. You configure the GRE interface at the endpoint of the tunnel to reassemble the fragmented GRE-encapsulated packets before they are processed further on the network.
For each tunnel you configure on an interface, you can enable or disable fragmentation of GRE-encapsulated packets by including the allow-fragmentation or do-not-fragment statement:
allow-fragmentation;
do-not-fragment;
You can configure these statements at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number tunnel]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number tunnel]
If you configure allow-fragmentation on a tunnel, the DF bit is not set in the outer IP header of the GRE-encapsulated packet, enabling fragmentation. By default, GRE-encapsulated packets that exceed the MTU size of a link are not fragmented and are dropped.
To enable reassembly of fragmented GRE-encapsulated packets on the GRE interface at the endpoint of the tunnel, include the reassemble-packets statement:
reassemble-packets;
You can configure this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number]
Starting with Junos OS Release 17.3R1, you can configure fragmentation and reassembly of GRE-encapsulated packets on GRE tunnel interfaces on MX Series routers with MPC7Es, MPC8Es, and MPC9Es.
Starting with Junos OS Release 17.1R1, you can configure fragmentation and reassembly of GRE-encapsulated packets on GRE tunnel interfaces on MX Series routers with MPC2E-NGs, MPC3E-NGs, MPC5Es, and MPC6Es.
Starting with Junos OS Release 14.2, you can configure fragmentation and reassembly of GRE-encapsulated packets on GRE tunnel interfaces on MX Series routers with MPC1s, MPC2s, MPC3s, MPC4s, and MPC-16X10GEs.
In Junos OS Release 14.1 and earlier, fragmentation and reassembly of GRE-encapsulated packets is supported only on MX Series routers with MS-DPCs.
Support for IPv6 GRE tunnels
Starting in Junos OS Release 17.3R1, you can configure IPv6 generic routing encapsulation (GRE) tunnel interfaces on MX Series routers. This lets you run a GRE tunnel over an IPv6 network. Packet payload families that can be encapsulated within the IPv6 GRE tunnels include IPv4, IPv6, MPLS, and ISO. Fragmentation and reassembly of the IPv6 delivery packets is not supported.
To configure an IPv6 GRE tunnel interface, specify IPv6 addresses for source and destination at the [interfaces gr-0/0/0 unit 0 tunnel] hierarchy level, specify family inet6 at the [interfaces gr-0/0/0 unit 0] hierarchy level, and specify an IPv6 address for address at the [interfaces gr-0/0/0 unit 0 family inet6] hierarchy level.
Examples: Configuring Unicast Tunnels
Configure two unnumbered IP-IP tunnels:
[edit interfaces]
ip-0/3/0 {
    unit 0 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.253;
        }
        family inet;
    }
    unit 1 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.254;
        }
        family inet;
    }
}
Configure numbered tunnel interfaces by including an address at the [edit interfaces ip-0/3/0 unit (0 | 1) family inet] hierarchy level:
[edit interfaces]
ip-0/3/0 {
    unit 0 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.253;
        }
        family inet {
            address 10.5.5.1/30;
        }
    }
    unit 1 {
        tunnel {
            source 192.168.4.18;
            destination 192.168.4.254;
        }
        family inet {
            address 10.6.6.100/30;
        }
    }
}
Configure an MPLS over GRE tunnel by including the family mpls statement at the [edit interfaces gr-1/2/0 unit 0] hierarchy level:
[edit interfaces]
gr-1/2/0 {
    unit 0 {
        tunnel {
            source 192.168.1.1;
            destination 192.168.1.2;
        }
        family inet {
            address 10.1.1.1/30;
        }
        family mpls;
    }
}
Restricting Tunnels to Multicast Traffic
For interfaces that carry IPv4 or IP version 6 (IPv6) traffic, you can configure a tunnel interface to allow multicast traffic only. To configure a multicast-only tunnel, include the multicast-only statement:
multicast-only;
You can configure this statement at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family family]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family]
Multicast tunnels filter all unicast packets; if an incoming packet is not destined for a 224/8 or greater prefix, the packet is dropped and a counter is incremented.
You can configure this property on GRE, IP-IP, PIM, and multicast tunnel (mt) interfaces only.
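The drop-and-count behaviour of a multicast-only tunnel, as an added example that is not Junos code: the IPv4 test is the one the text gives (a destination in 224/8 or a higher prefix passes, anything below is treated as unicast and dropped), while applying ff00::/8 as the IPv6 equivalent is this example's own assumption, as are the class and counter names.

```python
import ipaddress

# Added example, not Junos code: models the multicast-only filter described
# above. IPv4 rule from the text: destination must be in 224/8 or greater.
# IPv6 rule (assumption): destination must be in ff00::/8.

IPV4_MULTICAST_FLOOR = int(ipaddress.IPv4Address("224.0.0.0"))
IPV6_MULTICAST = ipaddress.IPv6Network("ff00::/8")


class MulticastOnlyFilter:
    """Passes multicast-destined packets; drops unicast ones and counts the drops."""

    def __init__(self):
        self.dropped_unicast = 0    # the counter the text says is incremented
        self.passed = 0

    @staticmethod
    def is_multicast_destination(dst):
        addr = ipaddress.ip_address(dst)
        if addr.version == 4:
            return int(addr) >= IPV4_MULTICAST_FLOOR   # 224/8 or any higher prefix
        return addr in IPV6_MULTICAST

    def filter(self, packets):
        """packets: iterable of (destination_address, payload); returns those allowed through."""
        allowed = []
        for dst, payload in packets:
            if self.is_multicast_destination(dst):
                allowed.append((dst, payload))
                self.passed += 1
            else:
                self.dropped_unicast += 1
        return allowed


if __name__ == "__main__":
    # Constructed sample traffic: destination, payload label
    sample = [("224.0.0.5", b"ospf"), ("10.1.1.1", b"unicast"), ("239.1.1.1", b"mc"),
              ("ff02::1", b"v6mc"), ("2001:db8::1", b"v6uc")]
    f = MulticastOnlyFilter()
    print([d for d, _ in f.filter(sample)], "dropped:", f.dropped_unicast)
```

Note that the IPv4 test is a plain numeric comparison, exactly as the text phrases it, so it accepts every address from 224.0.0.0 upward rather than only the 224/4 multicast block; checking the counter after enabling the statement is the quickest way to confirm unicast traffic really is being filtered.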
If your router has a Tunnel Services PIC, the Junos OS automatically configures one multicast tunnel interface (mt) for each virtual private network (VPN) you configure. You do not need to configure multicast tunnel interfaces.