Using policy forwarding for tunnel decapsulation
IP tunneling can be used to transport payload packets from point A to point B. This approach adds one or more encapsulation headers at point A, and removes one or more of these encapsulation headers at point B. Between point A and point B, forwarding of the tunneled packets is based on the encapsulation headers and not the original payload headers.
On the node doing the decapsulation (point B), you can configure SR Linux policy forwarding to identify tunneled packets, decide which should be decapsulated, and which headers should be removed. After decapsulation, traffic is forwarded according to its inner header destination IP address.
A forwarding policy used for tunnel decapsulation can use an IP prefix or a configured IP prefix-list as a match condition. The following table lists the supported tunnel decapsulation actions.
| Action | Description | Platform support |
|---|---|---|
| decapsulate-gre | Remove the Generic Routing Encapsulation (GRE) header from packets matching the rule. | |
| decapsulate-gue | Remove the Generic UDP Encapsulation (GUE) IP-UDP headers from packets matching the rule. | |

A forwarding policy configured with the decapsulate-gue action must also have the global-decap-policy option configured. This option applies the forwarding policy to all subinterfaces within the network-instance.
Configuring tunnel decapsulation with policy forwarding
To configure a forwarding policy to decapsulate tunneled packets, specify the match conditions as a prefix or prefix-list and configure the type of tunnel traffic to decapsulate, either GRE or GUE.
Decapsulate GRE traffic
The following example configures a forwarding policy to decapsulate GRE traffic to a specific prefix. The forwarding policy removes the GRE headers of matching packets. The policy rules are evaluated for traffic on all IP interfaces in the network-instance.
--{ + candidate shared default }--[ ]--
# info with-context network-instance base policy-forwarding
    network-instance base {
        policy-forwarding {
            global-decap-policy p1
            policy p1 {
                type pbr-policy
                rule 1 {
                    action {
                        decapsulate-gre true
                    }
                    match {
                        ipv4 {
                            destination-ip {
                                prefix 172.16.1.0/24
                            }
                        }
                    }
                }
            }
        }
    }
Decapsulate GUE traffic using a prefix list as match condition
The following example configures a prefix list and uses the prefix list as a match condition in a forwarding policy. The forwarding policy removes the GUE IP-UDP headers of matching packets.
--{ + candidate shared default }--[ ]--
# info with-context acl match-list ipv4-prefix-list p_set
    acl {
        match-list {
            ipv4-prefix-list p_set {
                prefix 10.10.10.0/24 {
                }
                prefix 10.10.20.0/24 {
                }
            }
        }
    }
--{ + candidate shared default }--[ ]--
# info with-context network-instance base policy-forwarding
    network-instance base {
        policy-forwarding {
            global-decap-policy p2
            policy p2 {
                type pbr-policy
                rule 1 {
                    action {
                        decapsulate-gue true
                    }
                    match {
                        ipv4 {
                            protocol udp
                            destination-ip {
                                prefix-list p_set
                            }
                        }
                        transport {
                            destination-port 6080
                        }
                    }
                }
            }
        }
    }
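To review which packets rule 1 of policy p2 would accept for decapsulation, the match conditions can be modeled offline. The following is an added example, not SR Linux or Nokia code: it checks only the outer header against the rule and returns the inner destination that forwarding would then use. It assumes the inner IPv4 packet directly follows the outer UDP header; all function names and sample addresses are hypothetical.

```python
import ipaddress
import struct

# Values taken from the page's GUE example (prefix-list p_set, UDP port 6080).
P_SET = [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("10.10.20.0/24")]
GUE_PORT = 6080

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at zero for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)

def parse_ipv4(pkt):
    """Return (protocol, destination address, payload), or None if not valid IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], ipaddress.ip_address(pkt[16:20]), pkt[ihl:]

def classify(pkt):
    """Model rule 1 of policy p2: return the inner destination used for
    forwarding after decapsulation, or None when the rule does not match."""
    outer = parse_ipv4(pkt)
    if outer is None:
        return None
    proto, dst, l4 = outer
    if proto != 17 or len(l4) < 8:              # match: protocol udp
        return None
    if not any(dst in net for net in P_SET):    # match: destination-ip prefix-list p_set
        return None
    dport = struct.unpack("!H", l4[2:4])[0]
    if dport != GUE_PORT:                       # match: transport destination-port 6080
        return None
    inner = parse_ipv4(l4[8:])                  # assumption: inner IPv4 follows UDP directly
    return None if inner is None else inner[1]

def gue_packet(outer_dst, inner_dst, dport=GUE_PORT):
    """Constructed sample: outer IPv4 + UDP carrying a bare inner IPv4/ICMP header."""
    inner = ipv4_header("192.0.2.1", inner_dst, 1, 0)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(inner), 0)
    return ipv4_header("198.51.100.7", outer_dst, 17, len(udp) + len(inner)) + udp + inner
```

The rule as configured on the page matches only outer-header fields, so the inner destination returned here is whatever the sender placed in the payload.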