  • 1.  GRE tunnel and Routing Engine Firewall Filter

    Posted 10-17-2013 04:25

    Hello Experts,

    I have a GRE tunnel on my router to a remote endpoint. This GRE tunnel basically carries IPv6 traffic over an IPv4 GRE tunnel. I also have a Routing Engine protect (RE) filter (both IPv4 and IPv6) on this router.

    My question is: do I need to allow the GRE protocol in the RE protect firewall filter or not?

    In my testing, it works fine whether or not I allow the GRE protocol in the firewall filter. I would appreciate any input on this.

    Thanks



  • 2.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-18-2013 02:50

    Hello

    Is there anyone to take this?



  • 3.  RE: GRE tunnel and Routing Engine Firewall Filter
    Best Answer

    Posted 10-18-2013 04:33

    Hello,

    Here is my answer:

    No, in order to have PFE-based GRE tunnels working, you do NOT have to allow or deny GRE in the Routing Engine firewall filter applied to lo0.0 or any other lo0 unit

    _UNLESS_

    you are running GMPLS/LMP, which requires an RE-based GRE tunnel for the control channel. This tunnel is called "gre", and although you can configure it, it is not supported except for GMPLS/LMP control channel matters.

    http://www.juniper.net/techpubs/en_US/junos10.4/topics/task/configuration/gmpls-lmp-peers-solutions.html

    HTH

    Thanks

    Alex



  • 4.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-18-2013 12:32

    Thanks. Also, if I want to allow BGP V6 in the RE filter, do I have to allow ICMP6 as well?



  • 5.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-18-2013 13:05

    Yes.

    Neighbor Discovery (which is the ARP equivalent for IPv6) runs over ICMPv6.

    HTH

    Thanks

    Alex



  • 6.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-19-2013 06:39

    Hello Alex

    Thanks. That really helped. Is Neighbor Discovery (icmp-type 135, 136) enough, or do I need to allow the inverse neighbor discovery (141-142) and Router Discovery (icmp-type 133, 134)?

    I appreciate your input



  • 7.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-19-2013 07:27
    Hi,

    The equivalent to ARP is achieved with ICMP types 135 and 136. That should be enough.

    Ato
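
The two answers above (BGP over IPv6 needs Neighbor Discovery, and types 135/136 cover it) expressed as an inet6 Routing Engine filter. This is an added example, not configuration posted by anyone in the thread; the filter, term and prefix-list names and the 2001:db8:: peer address are placeholders. It shows only the terms discussed here, so a production filter needs accept terms for its other control and management traffic ahead of the final discard.

```junos
policy-options {
    /* Placeholder peer list: replace with the real BGP neighbors */
    prefix-list bgp-peers-v6 {
        2001:db8:0:1::2/128;
    }
}
firewall {
    family inet6 {
        filter protect-re-v6 {
            /* Neighbor Solicitation (135) and Advertisement (136):
               without this term the final discard drops address
               resolution and the BGP session cannot come up */
            term allow-nd {
                from {
                    next-header icmp6;
                    icmp-type [ neighbor-solicit neighbor-advertisement ];
                }
                then accept;
            }
            /* TCP/179 in either direction, from listed peers only */
            term allow-bgp {
                from {
                    source-prefix-list {
                        bgp-peers-v6;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term default-deny {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet6 {
                filter input protect-re-v6;
            }
        }
    }
}
```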


  • 8.  RE: GRE tunnel and Routing Engine Firewall Filter

    Posted 10-19-2013 22:13

    Hello

    Thanks for the reply. Should I allow source-prefix-list link-local-address (fe80::/64) for icmp6 (135-136), or do I have to allow source ANY?

    Thanks