By encapsulating arbitrary packets inside a transport protocol, tunneling provides a private, secure path through an otherwise public network. Tunnels connect discontinuous subnetworks and enable encryption interfaces, virtual private networks (VPNs), and Multiprotocol Label Switching (MPLS). If you have a Tunnel PIC installed in your router, you can configure unicast and multicast tunnels. The JUNOS software supports the following tunnel encapsulations:

Configuring a Unicast Tunnel

To configure a bidirectional unicast tunnel, configure the gr interface (to use GRE encapsulation) or the ip interface (to use IP-IP encapsulation) and include the tunnel statement:

    [edit interfaces]
    gr-fpc/pic/port or ip-fpc/pic/port {
        unit logical-unit-number {
            tunnel {
                source address;
                destination address;
                routing-instance {
                    destination routing-instance-name;
                }
                ttl number;
            }
            family family {
                address address {
                    destination address;
                }
            }
        }
    }

You can configure multiple logical units for each GRE or IP-IP interface, and you can configure only one tunnel per unit.

Each tunnel interface must be a point-to-point interface. Point to point is the default interface connection type, so you do not need to include the point-to-point statement when configuring the logical interface.

You must specify the tunnel's destination and source addresses. The remaining statements are optional.

To set the TTL field that is included in the encapsulating header, include the ttl statement. If you explicitly configure a TTL value for the tunnel, you must configure it to be one larger than the number of hops in the tunnel. For example, if the tunnel has seven hops, you must configure a TTL value of 8.

You must configure at least one family on the logical interface. To enable MPLS over GRE tunnel interfaces, you must include the family mpls statement in the GRE interface configuration. In addition, you must configure the protocols statements to enable RSVP, MPLS, and LSPs over GRE tunnels.

Configuring a Multicast Tunnel

To configure a multicast tunnel for interfaces that carry IPv4 or IPv6 traffic, include the multicasts-only statement:

    [edit interfaces interface-name unit logical-unit-number family inet]
    or
    [edit interfaces interface-name unit logical-unit-number family inet6]
    multicasts-only;

Multicast tunnels filter all unicast packets; if an incoming packet is not destined for a 224/8 or greater prefix, the packet is dropped and a counter is incremented.
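The unicast tunnel rules above (source and destination required, at least one family per unit, an explicit TTL one larger than the hop count) can be checked on a candidate configuration before it is committed. The following Python check is an added example, not JUNOS or Juniper code; the interface name gr-0/3/0, the addresses, and the function names parse and lint are assumptions made for illustration.

```python
import re
# Constructed sample: interface name gr-0/3/0 and all addresses are assumptions.
SAMPLE = """
gr-0/3/0 {
    unit 0 {
        tunnel { source 192.0.2.1; destination 198.51.100.1; ttl 8; }
        family inet { address 10.255.0.1/32 { destination 10.255.0.2; } }
        family mpls;
    }
    unit 1 { tunnel { source 192.0.2.1; ttl 7; } }
}
"""

def parse(text):
    """Parse brace-delimited configuration into nested dicts (leaf -> None)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    def block(i):
        node, words = {}, []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == "}":
                break
            if tok == "{":
                child, i = block(i)
                node[" ".join(words)], words = child, []
            elif tok == ";":
                node[" ".join(words)], words = None, []
            else:
                words.append(tok)
        return node, i
    return block(0)[0]

def lint(text, hops):
    """Check gr-/ip- units against the unicast tunnel rules; hops = tunnel hop count."""
    problems = []
    for ifname, units in parse(text).items():
        if not ifname.startswith(("gr-", "ip-")):
            continue  # vt and other interfaces take no tunnel block
        for unit, body in (units or {}).items():
            body = body or {}
            leaf = dict(s.split(" ", 1) for s in (body.get("tunnel") or {}) if " " in s)
            where = f"{ifname} {unit}"
            problems += [f"{where}: tunnel {kw} missing"
                         for kw in ("source", "destination") if kw not in leaf]
            if not any(s.startswith("family ") for s in body):
                problems.append(f"{where}: no family configured")
            if "ttl" in leaf and int(leaf["ttl"]) != hops + 1:
                problems.append(f"{where}: ttl {leaf['ttl']}, expected {hops + 1}")
    return problems
```

Calling lint(SAMPLE, hops=7) reports the three defects planted in unit 1 and nothing for unit 0.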
You can configure multicast tunnels on GRE, IP-IP, PIM, and multicast tunnel (MT) interfaces only.

Configuring a VPN Tunnel for Route Table Lookup

To configure tunnel interfaces to facilitate route table lookups for VPNs, you specify a tunnel's endpoint IP addresses and associate them with a routing instance that belongs to a particular routing table. This enables the software to search in the appropriate routing table for the route prefix, because the same prefix can appear in multiple routing tables. To configure the destination VPN, include the routing-instance statement:

    [edit interfaces]
    gr-fpc/pic/port {
        unit logical-unit-number {
            tunnel {
                source address;
                destination address;
                routing-instance {
                    destination routing-instance-name;
                }
            }
        }
    }

Configuring a VPN Tunnel for VRF Table Lookup

To configure a VPN tunnel interface to facilitate VPN routing and forwarding (VRF) table lookup based on MPLS labels, specify a VPN tunnel interface name and associate it with a routing instance that belongs to a particular routing table.

To specify a VPN tunnel interface name, configure the vt interface and include the family inet and family mpls statements:

    [edit interfaces]
    vt-fpc/pic/port {
        unit 0 {
            family inet;
            family mpls;
        }
        unit 1 {
            family inet;
        }
    }

To associate the VPN tunnel with a routing instance, configure the VPN tunnel interface, vt, within the routing instance. For a VPN tunnel interface, none of the statements in the tunnel configuration block are valid.

    [edit routing-instances]
    interface vt-fpc/pic/port;

Configuring PIM Tunnels

PIM tunnels are unidirectional tunnels that are enabled automatically on routers that have a tunnel PIC and on which you enable PIM sparse mode. You do not need to configure the tunnel interface.

In PIM sparse mode, the first-hop router encapsulates packets destined for the rendezvous point (RP) router. The packets are encapsulated with a unicast header and are forwarded through a unicast tunnel to the RP. The RP then decapsulates the packets and transmits them through its multicast tree.
To perform the encapsulation and decapsulation, the first-hop and RP routers, respectively, must contain Tunnel Services PICs. The JUNOS software creates two interfaces to handle PIM tunnels: