Configuring a Firewall Filter to De-Encapsulate GRE or IPIP Traffic
Generic routing encapsulation (GRE) and IP over IP (IPIP) both provide a private, secure path for transporting packets through a network by encapsulating (or tunneling) the packets. The tunneling is performed by tunnel endpoints that encapsulate or de-encapsulate traffic.
You can use a firewall filter to de-encapsulate tunnel traffic on the switch. This feature provides significant benefits in terms of scalability, performance, and flexibility because you don't need to create a tunnel interface to perform the de-encapsulation. For example, you can terminate many tunnels from multiple source IP addresses with one firewall term.
The EX4600, QFX5100 and OCX switches support as many as 512 GRE tunnels, including tunnels created with a firewall filter. That is, you can create a total of 512 GRE tunnels, regardless of which method you use.
Configuring a Filter to De-Encapsulate GRE Traffic
To configure a firewall filter to de-encapsulate GRE traffic:
Configuring a Filter to De-Encapsulate IPIP Traffic
To configure a firewall filter to de-encapsulate IPIP traffic:
Applying the Filter to an Interface
After you create the firewall filter, you must also apply it to an interface that will receive GRE or IPIP traffic. Be sure to apply it in the input direction. For example, enter:
[edit]
user@switch# set interfaces interface-name unit logical-unit-number family inet filter input filter-name
Because the outer header of a GRE or IPIP packet must be IPv4, you must apply the filter to an IPv4 interface and specify family inet.
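The following configuration is an added example, not taken from the original page. It shows one term that de-encapsulates GRE from several known tunnel sources and is applied in the input direction. The filter name, term names, interface name and addresses are constructed placeholders, and the match conditions and the `decapsulate gre` action are written from general Junos firewall filter syntax, so verify them against the release running on your switch.

```junos
/* Constructed example: all names and addresses below are placeholders. */
firewall {
    family inet {
        filter gre-decap {
            /* One term terminates tunnels from several source prefixes.
               Listing the expected sources keeps the switch from
               de-encapsulating GRE that arrives from anywhere else. */
            term known-tunnels {
                from {
                    source-address {
                        192.0.2.0/24;
                        198.51.100.0/24;
                    }
                    destination-address {
                        203.0.113.1/32;
                    }
                    protocol gre;
                }
                then {
                    decapsulate gre;
                }
            }
            /* Junos filters end with an implicit discard. This term assumes
               all other traffic on the interface should still be forwarded. */
            term other {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/10 {
        unit 0 {
            /* The outer header is IPv4, so the filter goes under family inet. */
            family inet {
                filter {
                    input gre-decap;
                }
            }
        }
    }
}
```

GRE that does not match the first term falls through to the second term and is forwarded still encapsulated, so replace `accept` there if your policy requires unexpected tunnel traffic to be dropped.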