tunnel-end-point
Syntax
tunnel-end-point tunnel-name {
    gre {
        key authentication key;
    }
    ipv4 {
        destination-address destination-host-address;
        source-address source-host-address;
    }
    ipv6 {
        destination-address destination-host-address;
        source-address source-host-address;
    }
}
Hierarchy Level
[edit firewall]
Description
The tunnel-end-point command enables line-rate, filter-based GRE tunneling of IPv4 and IPv6 payloads across IPv4 networks for MX Series routers running Trio-based FPCs (including MX80, MX104 and MX204). Filter-based tunneling encapsulates the original passenger protocol packet in an outer packet header. For example, for filter-based tunneling across IPv4 networks, the header adds 24 bytes or 28 bytes of overhead, including 20 bytes of IPv4 header. Either IPv4 or IPv6 traffic can be the transport protocol. For outgoing packets that match the configured filter term, the original packets are encapsulated inside an IP+GRE header as specified by the tunnel definition. IP lookup is performed on the outer header, and the packets are forwarded accordingly.
The route lookup for GRE encapsulated traffic is supported on the default routing instance only. GRE encapsulation is not supported for logical systems, or for MPLS traffic.
When a subnet range is configured for either the IPv4 or IPv6 option, traffic between hosts in the range is load balanced.
Note that the device must be enabled for enhanced-mode to support the use of GRE tunnel templates, which allow you to define tunnel attributes.
To use the feature with PTX Series routers, install a PTX Series router as an encapsulator, that is, an ingress PE router where you can reference a tunnel template name in a type inet or inet6 ingress firewall filter by configuring the encapsulate terminating action.
Configure the tunnel end points as shown here (for IPv4):
set firewall tunnel-end-point tunnel-name ipv4 source-address source-host-address
set firewall tunnel-end-point tunnel-name ipv4 destination-address destination-host-address
set firewall tunnel-end-point tunnel-name ipv4 destination-address destination-host-address
Note that the maximum number of /25 IPv4 or /123 IPv6 subnets allowed for the tunnel end point destination addresses is 64.
An interface-specific encapsulating output filter action is also required. It triggers the Packet Forwarding Engine to use information in the specified tunnel template to encapsulate matching packets and forward the resulting GRE packets. GRE encapsulation is supported only for outgoing IPv4 unicast and IPv6 unicast traffic.
Configure the encapsulating filter action as shown here (for IPv4):
set firewall family inet filter filter-name term term-name then encapsulate tunnel-name
For GRE decapsulation with PTX Series routers, use a PTX3000 or PTX5000 router with third generation FPCs that is running Junos OS Release 16.1R2 or later, and configure the firewall filter at the hierarchy level shown here:
set firewall family inet filter filter-name term term-name then decapsulate gre
Egress sampling is supported on GRE encapsulated packets, but note that output filter match conditions only work on the contents of ingress packets.
The route lookup for GRE encapsulated traffic is supported on the default routing instance only. GRE encapsulation is supported for ingress IPv4 unicast and IPv6 unicast traffic. It is not supported for logical systems, or for MPLS traffic.
When defining the tunnel end point, or the prefix list, be sure to specify the /32 route. Multiple tunnel end point source addresses are not supported.
A maximum of 1024 tunnel templates is supported. You can configure or change up to 512 tunnel templates at a time.
A maximum of 64 tunnel end point destination addresses are supported in a given tunnel template. When more than one destination IP address exists, the one used for the outer header is based on a hash that is computed on the input packet from the input interface.
Options
gre
You must also specify whether the tunnel is IPv4 or IPv6. An IPv4 example using GRE follows.
tunnel-end-point name {
    ipv4 {
        source-address 10.255.1.1;
        destination-address 10.255.2.0/25;
    }
    gre {
        key 9;
    }
}
gre-in-udp
For MX Series routers; specify if the tunnel is gre-in-udp.
ipv4
The IP network protocol used to transport encapsulated passenger protocol packets; IPv4 transports IPv4 packets encapsulated using filter-based GRE. The default prefix length is 32; the supported range is from 25 to 32. When specified, traffic is load-balanced to the hosts on this subnet.
ipv6
The IP network protocol used to transport encapsulated passenger protocol packets; IPv6 transports IPv6 packets encapsulated using filter-based GRE. The default prefix length is 128; the supported range is from 121 to 128. When specified, traffic is load-balanced to the hosts on this subnet.
source-address
IP address of the encapsulator (the local ingress PE router). Multiple tunnel end point source addresses are not supported.
destination-address
IP address or address range of the decapsulator (the remote egress PE router). For both IPv4 and IPv6, a maximum of 64 /25 IPv4 or /123 IPv6 subnets can be configured for the end point destination address.
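An added example (not Juniper's code and not part of the original page): a small Python check that reads set-style tunnel-end-point statements and reports violations of the limits stated on this page, together with the per-packet outer IPv4 header overhead. The template names T1 and T2 and the sample lines are constructed; mapping the page's "24 bytes or 28 bytes" figure to the absence or presence of the 4-byte GRE key field follows RFC 2890 and is an assumption about what the page means.

```python
import ipaddress
import re

PREFIX_RANGE = {"ipv4": (25, 32), "ipv6": (121, 128)}  # supported prefix lengths (this page)
MAX_DESTINATIONS = 64                                  # per tunnel template (this page)
OUTER_IPV4, GRE_BASE, GRE_KEY = 20, 4, 4               # bytes; GRE sizes per RFC 2784/2890

SET_RE = re.compile(r"^set firewall tunnel-end-point (\S+) (?:(ipv4|ipv6) "
                    r"(source|destination)-address (\S+)|gre(?: key (\d+))?)$")

def parse(lines):
    """Collect tunnel templates from set-style configuration lines."""
    tunnels = {}
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue  # not a tunnel-end-point statement this example handles
        name, family, role, value, key = m.groups()
        t = tunnels.setdefault(name, {"source": [], "destination": [], "key": None})
        if family:
            t[role].append((family, value))
        elif key is not None:
            t["key"] = int(key)
    return tunnels

def validate(t):
    """Return the limits documented on this page that template t violates."""
    problems = []
    if len(t["source"]) > 1:
        problems.append("multiple source-address entries are not supported")
    if len(t["destination"]) > MAX_DESTINATIONS:
        problems.append(f"more than {MAX_DESTINATIONS} destination addresses")
    for family, value in t["destination"]:
        lo, hi = PREFIX_RANGE[family]
        if not lo <= ipaddress.ip_network(value, strict=False).prefixlen <= hi:
            problems.append(f"{value}: prefix length outside /{lo} to /{hi}")
    return problems

def ipv4_overhead(t):
    """Outer IPv4 + GRE bytes added per packet: 24 without a key, 28 with one."""
    return OUTER_IPV4 + GRE_BASE + (GRE_KEY if t["key"] is not None else 0)

SAMPLE = [  # constructed input, not from the page
    "set firewall tunnel-end-point T1 ipv4 source-address 10.255.1.1",
    "set firewall tunnel-end-point T1 ipv4 destination-address 10.255.2.0/25",
    "set firewall tunnel-end-point T1 gre key 9",
    "set firewall tunnel-end-point T2 ipv4 destination-address 10.255.3.0/24",
    "set firewall tunnel-end-point T2 gre",
]
```

Subtracting ipv4_overhead() from the path MTU gives the largest passenger packet that fits in one encapsulated packet without fragmentation.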
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 18.1R1.