
[Junos] GRE Configuration Example

Article ID: KB19371 | KB Last Updated: 29 Jun 2020 | Version: 7.0
Summary:

This article provides a GRE tunnel configuration example between two Juniper SRX firewalls. However, the configuration applies to any other device running Junos OS.

GRE Overview

Generic Routing Encapsulation (GRE) is a protocol for encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol.

In the most general case, a system has a packet, called the payload, that needs to be encapsulated and delivered to some destination. The payload is first encapsulated in a GRE packet. The resulting GRE packet can then be encapsulated in some other protocol and forwarded. This outer protocol is called the delivery protocol.

GRE tunnels are designed to be completely stateless. This means that each tunnel end-point does not keep any information about the state or availability of the remote tunnel end-point. Normally, a GRE tunnel interface comes up as soon as it is configured and it stays up as long as there is a valid tunnel source address or interface which is up.

Some of the common uses for a GRE tunnel are:

  • Tunnel non-IP traffic over an IP network.

  • IP multicast tunneling

  • IPv6 tunneling over IPv4 GRE tunnel

Solution:

This section contains the following:

  • Basic GRE Configuration Example

  • Verification

BASIC STEPS NEEDED TO CONFIGURE GRE

  1. Configure a GRE (gr) interface. The gr interface contains a local address and a destination address. It comes up as soon as it is configured. You can also configure an IP address on the gr interface. (It is not mandatory.)

  2. Configure a route to reach the destination subnet (end-to-end connectivity). You can either configure a static route through the gr interface or use an IGP (that is, OSPF can be used for this purpose).

Basic GRE Configuration Example

The following example illustrates a configuration with the following settings:

Topology

  • The local subnet interface is ge-0/0/0 with IPv4 address 10.10.11.1/24.

  • The destination subnet is 10.10.10.0/24, with 10.10.10.1/24 as the tunnel endpoint IPv4 interface.

  • Bind the gr-0/0/0 interface to a security zone (this step is required only on SRX platforms).

Configuration using Static route

[edit interfaces]
root@SRX-1# show 
ge-0/0/0 {
    unit 0 {
        family inet {
            address 10.10.11.1/24;
        }
    }
}

gr-0/0/0 {
    unit 0 {
        tunnel {
            source 1.1.1.1;
            destination 2.2.2.1;
        }
        family inet {
            address 192.168.1.1/24;
        }
    }
}

ge-0/0/1 {
    unit 0 {
        family inet {
            address 1.1.1.1/24;
        }
    }
}

[edit security]    (Security zone configuration is only required on SRX platforms)
root@SRX-1# show 
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            gr-0/0/0.0;
        }
    }
}

root@SRX-1# show routing-options 
static {
    route 10.10.10.0/24 next-hop gr-0/0/0.0;
}
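
The trust zone above accepts every system service and every protocol addressed to the device itself on the tunnel interface. As an added example (not part of the original article), this Python check parses a Junos zone stanza and reports zones that bind a gr- interface while allowing `all` host-inbound traffic; the function names and the embedded sample are constructed here, and only zone-level settings are examined.

```python
# Constructed sample: the [edit security] stanza shown in the article.
SAMPLE = """
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            gr-0/0/0.0;
        }
    }
}
"""

def parse(text):
    """Parse Junos curly-brace config into nested dicts; leaf statements map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line.rstrip(";").strip()] = None
    return root

def audit(text):
    """Return (zone, category, gr_interfaces) for each 'all' found in a zone holding a gr- interface."""
    findings = []
    for name, zone in parse(text).get("zones", {}).items():
        if not isinstance(zone, dict) or not name.startswith("security-zone "):
            continue
        ifaces = [i for i in (zone.get("interfaces") or {}) if i.startswith("gr-")]
        inbound = zone.get("host-inbound-traffic") or {}
        for kind in ("system-services", "protocols"):
            if ifaces and "all" in (inbound.get(kind) or {}):
                findings.append((name.split(None, 1)[1], kind, ifaces))
    return findings
```

A stanza that lists only what the tunnel needs, for example `ping` under system-services and `ospf` under protocols, produces no findings.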

If you do not want to define a static route, you can configure OSPF on the gr-0/0/0 interfaces on both sides and add the internal subnet interface as passive, so that all the internal routes are received over the tunnel.

[edit protocols]
root@SRX-1# show
ospf {
    area 0.0.0.0 {
        interface gr-0/0/0.0;
        interface ge-0/0/0.0 {
            passive;
        }
    }
}

Verify your work.

  1. Verify that the GR interface is up:

root@SRX-1> show interfaces gr-0/0/0 terse

Interface Admin Link Proto Local Remote
gr-0/0/0   up up
gr-0/0/0.0 up up inet 192.168.1.1/24

  2. Verify that the route for the destination network is reachable through the GRE tunnel:

[edit]
root@SRX-1> show route 10.10.10.0/24
inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.10.10.0/24 *[Static/5] 00:22:32
> via gr-0/0/0.

  3. Ping a destination address through the tunnel:

[edit]
root@SRX-1> clear interfaces statistics all 

root@SRX-1> ping 10.10.10.2 source 10.10.11.1 rapid count 100  
PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 2.2.2.2 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.831/1.033/10.033/1.286 ms

[edit]
root@SRX-1> show interfaces gr-0/0/0 extensive 
Physical interface: gr-0/0/0, Enabled, Physical link is Up
Interface index: 134, SNMP ifIndex: 40, Generation: 17
Type: GRE, Link-level type: GRE, MTU: Unlimited, Speed: 800mbps
Hold-times : Up 0 ms, Down 0 ms
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps
Statistics last cleared: 2005-08-05 21:39:41 UTC (00:00:47 ago)
Traffic statistics:
Input bytes : 8400 0 bps
Output bytes : 8400 0 bps
Input packets: 100 0 pps
Output packets: 100 0 pps

Logical interface gr-0/0/0.0 (Index 72) (SNMP ifIndex 28) (Generation 17)
Flags: Point-To-Point SNMP-Traps 16384
IP-Header 10.1.1.2:10.1.1.1:47:df:64:0000000000000000
Encapsulation: GRE-NULL
Traffic statistics:
Input bytes : 8400
Output bytes : 8400
Input packets: 100
Output packets: 100
Local statistics:
Input bytes : 0
Output bytes : 0
Input packets: 0
Output packets: 0
Transit statistics:
Input bytes : 8400 0 bps
Output bytes : 8400 0 bps
Input packets: 100 0 pps
Output packets: 100 0 pps
Protocol inet, MTU: 1476, Generation: 25, Route table: 0
Flags: None
Addresses, Flags: Is-Primary
Destination: Unspecified, Local: 100.1.1.1, Broadcast: Unspecified,
Generation: 30
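
The encapsulation described in the GRE overview explains several values in the output above: protocol 47 and the df flag in the IP-Header line, the inet MTU of 1476, and 8400 bytes for 100 packets. As an added example (not from the original article), this Python code wraps a constructed ping-sized payload in a basic GRE header and an IPv4 delivery header and unwraps it again; the function names are illustrative and a 1500-byte path MTU is assumed.

```python
import socket
import struct

GRE_PROTO = 47        # IP protocol number for GRE (the ":47:" in the IP-Header line)
ETH_P_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with DF set, TTL 64 and a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def gre_encapsulate(payload, tunnel_src, tunnel_dst):
    """Payload -> GRE packet -> delivery protocol (IPv4). No checksum, key or sequence."""
    gre = struct.pack("!HH", 0x0000, ETH_P_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(payload)) + gre + payload

def gre_decapsulate(packet):
    """Return (outer_src, outer_dst, payload); reject anything but plain GRE carrying IPv4."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("delivery header does not carry GRE")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags_ver != 0 or ptype != ETH_P_IPV4:
        raise ValueError("unsupported GRE flags/version or payload type")
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), packet[ihl + 4:])

def tunnel_mtu(path_mtu=1500):
    """Largest payload packet that fits: path MTU minus outer IPv4 (20) and GRE (4) headers."""
    return path_mtu - 20 - 4

# Constructed payload: IPv4 header + 8-byte ICMP header + 56 data bytes, sized like the ping above.
inner = ipv4_header("10.10.11.1", "10.10.10.2", 1, 8 + 56) + bytes(8 + 56)
# Tunnel endpoints taken from the gr-0/0/0 configuration in the article.
outer = gre_encapsulate(inner, "1.1.1.1", "2.2.2.1")

if __name__ == "__main__":
    print(len(inner), len(outer), tunnel_mtu(), 100 * len(inner))
```

Each payload packet is 84 bytes, so 100 of them are consistent with the 8400 bytes counted on the gr interface, while each packet on the wire is 24 bytes larger.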

 

Modification History:
  • 2020-06-29: Adapted article to Junos OS instead of SRX only; also removed J-Series

  • 2020-03-26: Article reviewed for accuracy; it is valid and accurate
