Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

close
keyboard_arrow_left
list Table of Contents
file_download PDF
keyboard_arrow_right

Configuring GRE Tunnels for Layer 3 VPNs

date_range 23-Nov-23

Junos OS allows you to configure a generic routing encapsulation (GRE) tunnel between the PE and CE routers for a Layer 3 VPN. The GRE tunnel can have one or more hops. You can configure the tunnel from the PE router to a local CE router (as shown in Figure 1) or to a remote CE router (as shown in Figure 2).

Figure 1: GRE Tunnel Configured Between the Local CE Router and the PE RouterGRE Tunnel Configured Between the Local CE Router and the PE Router
Figure 2: GRE Tunnel Configured Between the Remote CE Router and the PE RouterGRE Tunnel Configured Between the Remote CE Router and the PE Router

For more information about how to configure tunnel interfaces, see the Junos OS Services Interfaces Library for Routing Devices.

You can configure the GRE tunnels manually or configure the Junos OS to instantiate GRE tunnels dynamically.

The following sections describe how to configure GRE tunnels manually and dynamically:

Configuring GRE Tunnels Manually Between PE and CE Routers

You can manually configure a GRE tunnel between a PE router and either a local CE router or a remote CE router for a Layer 3 VPN as explained in the following sections:

Configuring the GRE Tunnel Interface on the PE Router

You configure the GRE tunnel as a logical interface on the PE router. To configure the GRE tunnel interface, include the unit statement:

content_copy zoom_out_map
unit logical-unit-number {
    tunnel {
        source source-address;
        destination destination-address;
        routing-instance {
            destination routing-instance-name;
        }
    }
    family inet {
        address address;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name]

  • [edit logical-systems logical-system-name interfaces interface-name]

As part of the GRE tunnel interface configuration, you need to include the following statements:

  • source source-address—Specify the source or origin of the GRE tunnel, typically the PE router.

  • destination destination-address—Specify the destination or end point of the GRE tunnel. The destination can be a Provider router, the local CE router, or the remote CE router.

By default, the tunnel destination address is assumed to be in the default Internet routing table, inet.0. If the tunnel destination address is not in inet.0, you need to specify which routing table to search for the tunnel destination address by configuring the routing-instance statement. This is the case if the tunnel encapsulating interface is also configured under the routing instance.

  • destination routing-instance-name—Specify the name of the routing instance when configuring the GRE tunnel interface on the PE router.

To complete the GRE tunnel interface configuration, include the interface statement for the GRE interface under the appropriate routing instance:

content_copy zoom_out_map
interface interface-name;

You can include this statement at the following hierarchy levels:

  • [edit routing-instances routing-instance-name]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name]

Configuring the GRE Tunnel Interface on the CE Router

You can configure either the local or the remote CE router to act as the endpoint for the GRE tunnel.

To configure the GRE tunnel interface on the CE router, include the unit statement:

content_copy zoom_out_map
unit logical-unit-number {
    tunnel {
        source address;
        destination address;
    }
    family inet {
        address address;
    }
}

You can include this statement at the following hierarchy levels:

  • [edit interfaces interface-name]

  • [edit logical-systems logical-system-name interfaces interface-name]

Configuring GRE Tunnels Dynamically

When the router receives a VPN route to a BGP next hop address, but no MPLS path is available, a GRE tunnel can be dynamically generated to carry the VPN traffic across the BGP network. The GRE tunnel is generated and then its routing information is copied into the inet.3 routing table. IPv4 routes are the only type of routes supported for dynamic GRE tunnels. Also, the routing platform must have a tunnel PIC.

Note:

When configuring a dynamic GRE tunnel to a remote CE router, do not configure OSPF over the tunnel interface. It creates a routing loop forcing the router to take the GRE tunnel down. The router attempts to reestablish the GRE tunnel, but will be forced to take it down again when OSPF becomes active on the tunnel interface and discovers a route to the tunnel endpoint. This is not an issue when configuring static GRE tunnels to a remote CE router.

To generate GRE tunnels dynamically, include the dynamic-tunnels statement:

content_copy zoom_out_map
dynamic-tunnels tunnel-name {
    destination-networks prefix;
    source-address address;
}

You can include this statement at the following hierarchy levels:

  • [edit routing-options]

  • [edit routing-instances routing-instance-name routing-options]

  • [edit logical-systems logical-system-name routing-options]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options ]

Specify the IPv4 prefix range (for example, 10/8 or 11.1/16) for the destination network by including the destination-networks statement. Only tunnels within the specified IPv4 prefix range are allowed to be initiated.

content_copy zoom_out_map
destination-networks prefix;

You can include this statement at the following hierarchy levels:

  • [edit routing-options]

  • [edit routing-instances routing-instance-name routing-options]

  • [edit logical-systems logical-system-name routing-options]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options ]

Specify the source address for the GRE tunnels by including the source-address statement. The source address specifies the address used as the source for the local tunnel endpoint. This could be any local address on the router (typically the router ID or the loopback address).

content_copy zoom_out_map
source-address address;

You can include this statement at the following hierarchy levels:

  • [edit routing-options]

  • [edit routing-instances routing-instance-name routing-options]

  • [edit logical-systems logical-system-name routing-options]

  • [edit logical-systems logical-system-name routing-instances routing-instance-name routing-options ]

external-footer-nav