Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Configuring a Firewall Filter to De-Encapsulate GRE or IPIP Traffic

Generic routing encapsulation (GRE) and IP over IP (IPIP) both provide a private, secure path for transporting packets through a network by encapsulating (or tunneling) the packets. The tunneling is performed by tunnel endpoints that encapsulate or de-encapsulate traffic.

You can use a firewall filter to de-encapsulate tunnel traffic on the switch. This feature provides significant benefits in terms of scalability, performance, and flexibility because you don't need to create a tunnel interface to perform the de-encapsulation. For example, you can terminate many tunnels from multiple source IP addresses with one firewall term.

Note:

The EX4600, QFX5100 and OCX switches support as many as 512 GRE tunnels, including tunnels created with a firewall filter. That is, you can create a total of 512 GRE tunnels, regardless of which method you use.

Configuring a Filter to De-Encapsulate GRE Traffic

To configure a firewall filter to de-encapsulate GRE traffic:

  1. Create an IPv4 firewall filter and (optionally) specify a source address for the tunnel:

    You must create an IPv4 filter by using family inet because the outer header of a GRE packet must be IPv4. If you specify a source address, it should be an address on a device that will encapsulate traffic into GRE packets.

    Note:

    To terminate many tunnels from multiple source IP addresses with one firewall term, do not configure a source address. In this case, the filter will de-encapsulate any GRE packets received by the interface that you apply the filter to.

  2. Specify a destination address for the tunnel:

    This should be an address on an interface of the switch on which you want the tunnel or tunnels to terminate and the GRE packets to be de-encapsulated. You should also configure this address as a tunnel endpoint on all the tunnel source routers that you want to form tunnels with on the switch.

  3. Specify that the filter should match and accept GRE traffic:
  4. Specify that the filter should de-encapsulate GRE traffic:

    Based on the configuration you have performed so far, the switch forwards the de-encapsulated packets by comparing the inner header to the default routing table (inet0). If you want the switch to use a virtual routing instance to forward the de-encapsulated packets, perform the following steps:

  5. Specify the name of the virtual routing instance:
  6. Specify that the virtual routing instance is a virtual router:
  7. Specify the interfaces that belong to the virtual router:

Configuring a Filter to De-Encapsulate IPIP Traffic

To configure a firewall filter to de-encapsulate IPIP traffic::

  1. Create an IPv4 firewall filter and (optionally) specify a source address for the tunnel:

    You must create an IPv4 filter by using family inet because the outer header of an IPIP packet must be IPv4. If you specify a source address, it should be an address on a device that will encapsulate traffic into IPIP packets.

    Note:

    To terminate many tunnels from multiple source IP addresses with one firewall term, do not configure a source address. In this case, the filter will de-encapsulate any IPIP packets received by the interface that you apply the filter to.

  2. Specify a destination address for the tunnel:

    This should be an address on an interface of the switch on which you want the tunnel or tunnels to terminate and the IPIP packets to be de-encapsulated. You should also configure this address as a tunnel endpoint on all the tunnel source routers that you want to form tunnels with on the switch.

  3. Specify that the filter should match and accept IPIP traffic:
  4. Specify that the filter should de-encapsulate IPIP traffic:

    Based on the configuration you have performed so far, the switch forwards the de-encapsulated packets by comparing the inner header to the default routing table (inet0). If you want the switch to use a virtual routing instance to forward the de-encapsulated packets, perform the following steps:

  5. Specify the name of the virtual routing instance:
  6. Specify that the virtual routing instance is a virtual router:
  7. Specify the interfaces that belong to the virtual router:

Applying the Filter to an Interface

After you create the firewall filter, you must also apply it to an interface that will receive GRE or IPIP traffic. Be sure to apply it in the input direction. For example, enter

Because the outer header of a GRE or IPIP packet must be IPv4, you must apply the filter to an IPv4 interface and specify family inet.