Configuring Tunnel Interfaces


By encapsulating arbitrary packets inside a transport protocol, tunneling provides a private, secure path through an otherwise public network. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and Multiprotocol Label Switching (MPLS). If you have a Tunnel PIC installed in your router, you can configure unicast and multicast tunnels.

The JUNOS software supports the following tunnel encapsulations:

  • Generic route encapsulation (GRE)

  • IP over IP (IP-IP)

  • Virtual Private Network (VPN)

  • PIM encapsulation

Configuring a Unicast Tunnel

To configure a bidirectional unicast tunnel, configure the gr interface (to use GRE encapsulation) or the ip interface (to use IP-IP encapsulation) and include the tunnel statement:

 [edit interfaces]
 gr-fpc/pic/port or ip-fpc/pic/port {
   unit logical-unit-number {
     tunnel {
       source address;
       destination address;
       routing-instance {
         destination routing-instance-name;
       }
       ttl number;
     }
     family family {
       address address {
         destination address;
       }
     }
   }
 }

You can configure multiple logical units for each GRE or IP-IP interface, and you can configure only one tunnel per unit.

Each tunnel interface must be a point-to-point interface. Point to point is the default interface connection type, so you do not need to include the point-to-point statement when configuring the logical interface.

You must specify the tunnel's destination and source addresses. The remaining statements are optional.

To set the TTL field that is included in the encapsulating header, include the ttl statement. If you explicitly configure a TTL value for the tunnel, you must configure it to be one larger than the number of hops in the tunnel. For example, if the tunnel has seven hops, you must configure a TTL value of 8.

You must configure at least one family on the logical interface. To enable MPLS over GRE tunnel interfaces, you must include the family mpls statement in the GRE interface configuration. In addition, you must configure the protocols statements to enable RSVP, MPLS, and LSPs over GRE tunnels.

Configuring a Multicast Tunnel

To configure a multicast tunnel for interfaces that carry IPv4 or IPv6 traffic, include the multicasts-only statement:

 [edit interfaces interface-name unit logical-unit-number family inet]
 or
 [edit interfaces interface-name unit logical-unit-number family inet6]
 multicasts-only;

Multicast tunnels filter all unicast packets; if an incoming packet is not destined for a 224/8 or greater prefix, the packet is dropped and a counter is incremented. You can configure multicast tunnels on GRE, IP-IP, PIM, and multicast tunnel (MT) interfaces only.

Configuring a VPN Tunnel for Route Table Lookup

For more information, see Chapter 12, "Layer 2 and Layer 3 VPNs," on page 613.

To configure tunnel interfaces to facilitate route table lookups for VPNs, you specify a tunnel's end point IP addresses and associate them with a routing instance that belongs to a particular routing table. This enables the software to search in the appropriate routing table for the route prefix, because the same prefix can appear in multiple routing tables. To configure the destination VPN, include the routing-instance statement:

 [edit interfaces]
 gr-fpc/pic/port {
   unit logical-unit-number {
     tunnel {
       source address;
       destination address;
       routing-instance {
         destination routing-instance-name;
       }
     }
   }
 }

Configuring a VPN Tunnel for VRF Table Lookup

To configure a VPN tunnel interface to facilitate VPN routing and forwarding (VRF) table lookup based on MPLS labels, specify a VPN tunnel interface name and associate it with a routing instance that belongs to a particular routing table. To specify a VPN tunnel interface name, configure the vt interface and include the family inet and family mpls statements:

 [edit interfaces]
 vt-fpc/pic/port {
   unit 0 {
     family inet;
     family mpls;
   }
   unit 1 {
     family inet;
   }
 }

To associate the VPN tunnel with a routing instance, configure the VPN tunnel interface, vt, within the routing instance. For a VPN tunnel interface, none of the statements in the tunnel configuration block are valid.

 [edit routing-instances]
 interface vt-fpc/pic/port;
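The rules stated in the unicast and VRF sections above (a tunnel source and destination on every gr or ip unit, at least one family, a TTL one larger than the hop count, and no tunnel block on vt) can be checked mechanically before a configuration is committed. The following Python is an added example, not code from the book or from the JUNOS software; the names parse, audit, SAMPLE and HOPS, the interface names and the addresses are constructed, and the hop count is an assumption the operator supplies.

```python
import re

def parse(text):
    """Parse brace-structured configuration into nested dicts; leaf statements map to None."""
    stack, name = [{}], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            stack[-1][name] = {}
            stack.append(stack[-1][name])
        elif tok == "}":
            stack.pop()
        elif tok == ";" and name:
            stack[-1][name] = None
        name = "" if tok in "{};" else " ".join(tok.split())
    return stack[0]

def audit(text, hops):
    """Return findings for gr-/ip-/vt- units; hops maps (interface, unit) to a known hop count."""
    findings = []
    for ifname, body in parse(text).items():
        if not ifname.startswith(("gr-", "ip-", "vt-")):
            continue
        for unit, cfg in (body or {}).items():
            if not unit.startswith("unit "):
                continue
            cfg, where = cfg or {}, f"{ifname} {unit}"
            if not any(k.startswith("family ") for k in cfg):
                findings.append(f"{where}: no family configured")
            tunnel = cfg.get("tunnel")
            if ifname.startswith("vt-"):
                if tunnel is not None:  # tunnel statements are not valid on vt interfaces
                    findings.append(f"{where}: tunnel block on vt interface")
                continue
            stmts = dict(k.split(None, 1) for k in (tunnel or {}) if " " in k)
            for need in ("source", "destination"):
                if need not in stmts:
                    findings.append(f"{where}: tunnel {need} missing")
            want = hops.get((ifname, unit), -1) + 1  # TTL must be hop count plus one
            if "ttl" in stmts and want and int(stmts["ttl"]) != want:
                findings.append(f"{where}: ttl {stmts['ttl']}, expected {want}")
    return findings

# Constructed sample: stanzas as they would appear under [edit interfaces].
SAMPLE = """
gr-0/0/0 { unit 0 { tunnel { source 192.0.2.1; destination 198.51.100.1; ttl 7; } family inet; }
           unit 1 { tunnel { source 192.0.2.1; } } }
vt-0/0/0 { unit 0 { family inet; family mpls; tunnel { ttl 8; } } }
"""
HOPS = {("gr-0/0/0", "unit 0"): 7}  # assumed: this tunnel crosses seven hops
```

Calling audit(SAMPLE, HOPS) returns one finding per violated rule; units with no entry in HOPS skip the TTL check, since the hop count cannot be derived from the configuration itself.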

Configuring PIM Tunnels

PIM tunnels are unidirectional tunnels that are enabled automatically on routers that have a tunnel PIC and on which you enable PIM sparse mode. You do not need to configure the tunnel interface. In PIM sparse mode, the first-hop router encapsulates packets destined for the rendezvous point (RP) router. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the RP. The RP then decapsulates the packets and transmits them through its multicast tree. To perform the encapsulation and decapsulation, the first-hop and RP routers, respectively, must contain Tunnel Services PICs.

The JUNOS software creates two interfaces to handle PIM tunnels:

  • pe: Encapsulates packets destined for the RP. This interface is present on the first-hop router.

  • pd: De-encapsulates packets at the RP. This interface is present on the RP.



Juniper Networks Field Guide and Reference
ISBN: 0321122445
EAN: 2147483647
Year: 2002
Pages: 185
