Understanding Generic Routing Encapsulation

Generic routing encapsulation (GRE) provides a private, secure path for transporting packets through an otherwise public network by encapsulating (or tunneling) the packets.
This topic describes:
Overview of GRE

GRE encapsulates data packets and redirects them to a device that de-encapsulates them and routes them to their final destination. This allows the source and destination routers to operate as if they have a virtual point-to-point connection with each other (because the outer header applied by GRE is transparent to the encapsulated payload packet). For example, GRE tunnels allow routing protocols such as RIP and OSPF to forward data packets from one router to another router across the Internet. In addition, GRE tunnels can encapsulate multicast data streams for transmission over the Internet.

GRE is described in RFC 2784 (obsoletes earlier RFCs 1701 and 1702). The routers support RFC 2784, but not completely. (For a list of limitations, see Configuration Limitations.)

As a tunnel source router, the router encapsulates a payload packet for transport through the tunnel to a destination network. The payload packet is first encapsulated in a GRE packet, and then the GRE packet is encapsulated in a delivery protocol. The router performing the role of a tunnel remote router extracts the tunneled packet and forwards the packet to its destination.

Note: Service chaining for GRE, NAT, and IPSec services on ACX1100-AC and ACX500 routers is not supported.

Note: Layer 2 over GRE is not supported in ACX2200 router.

GRE Tunneling

Data is routed by the system to the GRE endpoint over routes established in the route table. (These routes can be statically configured or dynamically learned by routing protocols such as RIP or OSPF.) When a data packet is received by the GRE endpoint, it is de-encapsulated and routed again to its destination address.

GRE tunnels are stateless, that is, the endpoint of the tunnel contains no information about the state or availability of the remote tunnel endpoint. Therefore, the router operating as a tunnel source router cannot change the state of the GRE tunnel interface to down if the remote endpoint is unreachable.
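
The two-step encapsulation described in the overview (payload inside a GRE packet, GRE packet inside a delivery protocol) can be followed byte by byte with the RFC 2784 header layout. The following Python sketch is an added example, not Juniper code: it assumes IPv4 as both payload and delivery protocol, and the function names, addresses and sample packet are constructed for illustration.

```python
import struct

GRE_PROTO = 47           # IPv4 protocol number of GRE
ETHERTYPE_IPV4 = 0x0800  # GRE Protocol Type for an IPv4 payload

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (used by IPv4 and by GRE)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header without options, TTL 64, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len,
                      0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def gre_encapsulate(payload: bytes, src: bytes, dst: bytes, checksum=False) -> bytes:
    """Tunnel source: payload -> GRE packet -> IPv4 delivery packet."""
    gre = struct.pack("!HH", 0x8000 if checksum else 0, ETHERTYPE_IPV4)
    if checksum:  # C bit set: Checksum + Reserved1 follow the base header
        csum = inet_checksum(gre + b"\x00" * 4 + payload)
        gre += struct.pack("!HH", csum, 0)
    return ipv4_header(src, dst, GRE_PROTO, len(gre) + len(payload)) + gre + payload

def gre_decapsulate(packet: bytes) -> tuple[int, bytes]:
    """Tunnel remote: check the outer headers, return (protocol type, payload)."""
    if len(packet) < 24 or packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        raise ValueError("not a GRE-over-IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x7C07:  # RFC 2784: flag bits 1-5 and Version must be zero
        raise ValueError("unsupported GRE flags or version")
    offset = ihl + 4
    if flags & 0x8000:  # checksum covers the GRE header and the payload
        if inet_checksum(packet[ihl:]) != 0:
            raise ValueError("GRE checksum mismatch")
        offset += 4
    return proto, packet[offset:]

# Constructed sample: an inner IPv4 packet between two private hosts,
# tunnelled between two documentation-range endpoint addresses.
INNER = ipv4_header(bytes([10, 1, 1, 1]), bytes([10, 2, 2, 2]), 17, 5) + b"hello"
OUTER = gre_encapsulate(INNER, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]), checksum=True)

if __name__ == "__main__":
    proto, inner = gre_decapsulate(OUTER)
    print(hex(proto), inner == INNER, len(OUTER) - len(INNER), "bytes of overhead")
```

The payload bytes sit unchanged inside the delivery packet: GRE adds headers, not encryption or authentication, so anyone on the path can read or decapsulate the inner packet. Without the optional checksum the overhead is 24 bytes (20-byte IPv4 header plus 4-byte GRE header), which matches the inet MTU of 1476 shown in the interface output later on this page if the underlying MTU is assumed to be 1500.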
For details about GRE tunneling, see:
Encapsulation and De-Encapsulation on the Router

Encapsulation: A router operating as a tunnel source router encapsulates and forwards GRE packets as follows:
De-encapsulation: A router operating as a tunnel remote router handles GRE packets as follows:
Number of Source and Destination Tunnels Allowed on a Router

ACX routers support as many as 64 GRE tunnels between routers transmitting IPv4 or IPv6 payload packets over GRE.

Configuration Limitations

Some GRE tunneling features are not currently available on ACX Series routers. Be aware of the following limitations when you are configuring GRE on an ACX router:
Configuring Generic Routing Encapsulation Tunneling

Tunneling provides a private, secure path for transporting packets through an otherwise public network by encapsulating packets inside a transport protocol known as an IP encapsulation protocol. Generic routing encapsulation (GRE) is an IP encapsulation protocol that is used to transport packets over a network. Information is sent from one network to the other through a GRE tunnel.

GRE tunneling is accomplished through routable tunnel endpoints that operate on top of existing physical and other logical endpoints. GRE tunnels connect one endpoint to another and provide a clear data path between them.

This topic describes:
Configuring a GRE Tunnel Port

To configure GRE tunnels on a router, you convert a network port or uplink port on the router to a GRE tunnel port for tunnel services. Each physical tunnel port, named gr-fpc/pic/port, can have one or more logical interfaces, each of which is a GRE tunnel. After conversion to a GRE tunnel port, the physical port cannot be used for network traffic.

To configure a GRE tunnel port on a router, you need to create logical tunnel interfaces and specify the bandwidth, in gigabits per second, to reserve for tunnel services. Include the

To configure a GRE tunnel port, use any unused physical port on the router to create a logical tunnel interface as shown below:

    user@host# edit chassis
    fpc 0 {
        pic 0 {
            tunnel-services {
                port port-number;
            }
        }
    }

This also creates a gr- interface.

Configuring Tunnels to Use Generic Routing Encapsulation

Normally, a GRE tunnel port comes up as soon as it is configured and stays up as long as a valid tunnel source address exists or an interface is operational. Each logical interface you configure on the port can be configured as the source or as the endpoint of a GRE tunnel.

To configure a tunnel port to use GRE:
GRE Keepalive Time Overview

Generic routing encapsulation (GRE) tunnel interfaces do not have a built-in mechanism for detecting when a tunnel is down. You can enable keepalive messages to serve as the detection mechanism.

When you enable a GRE tunnel interface for keepalive messages, the interface sends out keepalive request packets to the remote endpoint at regular intervals. If the data path forwarding for the GRE tunnel works correctly at all points, keepalive response packets are returned to the originator. These keepalive messages are processed by the Routing Engine.

You can configure keepalive messages on the physical or logical GRE tunnel interface. If configured on the physical interface, keepalive messages are sent on all logical interfaces that are part of the physical interface. If configured on an individual logical interface, keepalives are sent only on that logical interface.

You configure how often keepalive messages are sent and the length of time that the interface waits for a keepalive response before marking the tunnel as operationally down.

The keepalive request packet is shown in Figure 1.

Figure 1: Keepalive Request Packet

The keepalive payload includes information to ensure the keepalive response is correctly delivered to the application responsible for the GRE keepalive process.

The outer GRE header includes:
The inner GRE header includes:
Note: Starting in Junos OS Release 17.3R1, you can configure IPv6 generic routing encapsulation (GRE) tunnel interfaces on MX Series routers. This lets you run a GRE tunnel over an IPv6 network. Packet payload families that can be encapsulated within the IPv6 GRE tunnels include IPv4, IPv6, MPLS, and ISO. Fragmentation and reassembly of the IPv6 delivery packets is not supported.

To configure an IPv6 GRE tunnel interface, specify IPv6 addresses for

Keepalive is not supported for GRE IPv6.

Configuring GRE Keepalive Time
Configuring Keepalive Time and Hold time for a GRE Tunnel Interface

You can configure the keepalives on a generic routing encapsulation (GRE) tunnel interface by including both the

Note: For proper operation of keepalives on a GRE interface, you must also include the

To configure a GRE tunnel interface:
To configure keepalive time for a GRE tunnel interface:
Display GRE Keepalive Time Configuration
Purpose

Display the configured keepalive time value as 10 and hold time value as 30 on a GRE tunnel interface (for example, gr-1/1/10.1).

Action

To display the configured values on the GRE tunnel interface, run the

    [edit protocols]
    user@host# show oam
    gre-tunnel interface gr-1/1/10.1 {
        keepalive-time 10;
        hold-time 30;
    }

Display Keepalive Time Information on a GRE Tunnel Interface
Purpose

Display the current status information of a GRE tunnel interface when keepalive time and hold time parameters are configured on it and when the hold time expires.

Action

To verify the current status information on a GRE tunnel interface (for example, gr-3/3/0.3), run the

show interfaces gr-3/3/0.3 terse

    user@host> show interfaces gr-3/3/0.3 terse
    Interface               Admin Link Proto    Local                 Remote
    gr-3/3/0.3              up    up   inet     192.0.2.1/24
                                       mpls

show interfaces gr-3/3/0.3 extensive

    user@host> show interfaces gr-3/3/0.3 extensive
      Logical interface gr-3/3/0.3 (Index 73) (SNMP ifIndex 594) (Generation 900)
        Flags: Point-To-Point SNMP-Traps 0x4000 IP-Header 10.1.19.11:10.1.19.12:47:df:64:0000000000000000 Encapsulation: GRE-NULL
        Gre keepalives configured: On, Gre keepalives adjacency state: down
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        Traffic statistics:
         Input  bytes  :             15629992
         Output bytes  :             15912273
         Input  packets:               243813
         Output packets:               179476
        Local statistics:
         Input  bytes  :             15322586
         Output bytes  :             15621359
         Input  packets:               238890
         Output packets:               174767
        Transit statistics:
         Input  bytes  :               307406                    0 bps
         Output bytes  :               290914                    0 bps
         Input  packets:                 4923                    0 pps
         Output packets:                 4709                    0 pps
        Protocol inet, MTU: 1476, Generation: 1564, Route table: 0
          Flags: Sendbcast-pkt-to-re
          Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
            Destination: 192.0.2/24, Local: 192.0.2.1, Broadcast: 192.0.2.255, Generation: 1366
        Protocol mpls, MTU: 1464, Maximum labels: 3, Generation: 1565, Route table: 0

Note: When the hold time expires:
Meaning

The current status information of a GRE tunnel interface with keepalive time and hold time parameters is displayed as expected when the hold time expires.

Enabling Fragmentation on GRE Tunnels

To enable fragmentation of IPv4 packets in generic routing encapsulation (GRE) tunnels, include the

    [edit interfaces]
    gr-fpc/pic/port {
        unit logical-unit-number {
            clear-dont-fragment-bit;
            ...
            family inet {
                mtu 1000;
                ...
            }
        }
    }

This statement clears the Don’t Fragment (DF) bit in the packet header, regardless of the packet size. If the packet size exceeds the tunnel MTU value, the packet is fragmented before encapsulation. The maximum MTU size configurable on the AS or Multiservices PIC is 9192 bytes.

Note: The

Note: On SRX platforms the clearing of the DF bit on a GRE tunnel is supported only when the device is in packet or selective packet mode; this feature is not supported in flow mode. As a result, when in flow mode, a packet that exceeds the MTU of the GRE interface with the DF bit set is dropped, despite having the

Fragmentation is enabled only on IPv4 packets being encapsulated in IPv4-based GRE tunnels.

Note: This configuration is supported only on GRE tunnels on AS or Multiservices interfaces. If you commit

    gr-fpc/pic/port: does not support this encapsulation

The Packet Forwarding Engine updates the IP identification field in the outer IP header of GRE-encapsulated packets, so that reassembly of the packets is possible after fragmentation. The previous CLI constraint check that required you to configure either the

When you configure the

What is created when a packet is encapsulated with additional headers to allow an encrypted packet to be correctly routed by Internet devices?

Multiprotocol Label Switching (MPLS) supports both IPv4 and IPv6, as well as other network layer protocols.

What is created when a packet is encapsulated?

The result of encapsulation is that each lower-layer provides a service to the layer or layers above it, while at the same time each layer communicates with its corresponding layer on the receiving node. These are known as adjacent-layer interaction and same-layer interaction, respectively.

Which protocol works by establishing an association between two communicating devices and can use a preshared key for authentication?

IKE Authentication (Preshared Key and Certificate-Based Authentication)

The IKE negotiations provide the ability to establish a secure channel over which two parties can communicate. You can define how the two parties authenticate each other using preshared key authentication or certificate-based authentication.