1048 FastIron Configuration Guide
53-1002494-02
IPv4 point-to-point GRE tunnels
For FastIron SX devices only, traffic coming from a tunnel can be filtered by an ACL both before and
after the tunnel is terminated, and can also be redirected by PBR after the tunnel is terminated. An ACL
classifies and sets QoS for GRE traffic. If the ACL or PBR is applied to the tunnel loopback port, it
applies to the inner IP packet header (the payload packet) after the tunnel is terminated. If the
ACL is applied to the tunnel ingress port, the delivery header (outer header) is
classified or filtered before the tunnel is terminated.
NOTE
Restrictions for using ACLs in conjunction with GRE are noted in the section “Configuration
considerations for GRE IP tunnels” on page 1048. PBR can be configured on tunnel loopback ports
for tunnel interfaces with no restrictions. PBR with a GRE tunnel is not supported on FSX 800 and FSX
1600 with the SX-FI48GPP module.
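The following is an added example, not taken from the FastIron guide: it parses a constructed GRE-over-IPv4 packet and shows which header an ACL evaluates on the tunnel ingress port (outer header) and on the tunnel loopback port (inner header). The addresses, the dictionary-style rule, and all function names are assumptions made for illustration and are not FastIron ACL syntax.

```python
import socket
import struct

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for the demo)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    fields = {"src": socket.inet_ntoa(buf[12:16]),
              "dst": socket.inet_ntoa(buf[16:20]), "proto": buf[9]}
    return fields, buf[ihl:]

def strip_gre(buf):
    """Skip the GRE header, including optional checksum, key and sequence words."""
    flags, ethertype = struct.unpack("!HH", buf[:4])
    if ethertype != 0x0800:
        raise ValueError("GRE payload is not IPv4")
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return buf[offset:]

def acl_views(packet):
    """Header seen on the tunnel ingress port (outer) and the loopback port (inner)."""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] != 47:  # 47 = IP protocol number for GRE
        raise ValueError("not a GRE packet")
    inner, l4 = parse_ipv4(strip_gre(payload))
    if inner["proto"] in (6, 17):  # TCP/UDP: ports are the first four bytes
        inner["sport"], inner["dport"] = struct.unpack("!HH", l4[:4])
    return outer, inner

def matches(rule, header):
    """True when every field named in the (hypothetical) rule equals the header's value."""
    return all(header.get(k) == v for k, v in rule.items())

# Constructed sample: SSH from 10.1.0.7 to 10.2.0.5 carried in a GRE tunnel
# between 192.0.2.1 and 198.51.100.1 (all addresses are made up).
tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, 0x50, 0x02, 8192, 0, 0)
inner_pkt = ipv4_header("10.1.0.7", "10.2.0.5", 6, len(tcp)) + tcp
gre = struct.pack("!HH", 0x0000, 0x0800)  # no optional fields, payload is IPv4
SAMPLE = ipv4_header("192.0.2.1", "198.51.100.1", 47,
                     len(gre) + len(inner_pkt)) + gre + inner_pkt
SSH_RULE = {"proto": 6, "dst": "10.2.0.5", "dport": 22}  # assumed rule, for illustration

if __name__ == "__main__":
    for port, hdr in zip(("ingress", "loopback"), acl_views(SAMPLE)):
        print(port, "port sees", hdr, "-> rule matches:", matches(SSH_RULE, hdr))
```

A rule written against the payload's addresses and ports never matches on the ingress port, where only the tunnel endpoints and protocol 47 are visible; the same rule matches on the loopback port after decapsulation.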
Syslog messages related to GRE IP tunnels
Syslog messages provide management applications with information related to GRE IP tunnels. The
following Syslog message is supported.
Tunnel: TUN-RECURSIVE-DOWN tnnl 1, Tnl disabled due to recursive routing
Configuration considerations for GRE IP tunnels
Before configuring GRE tunnels and tunnel options, consider the configuration notes in this
section.
• GRE tunnels are not supported in a mixed hardware configuration with 48-port 10/100/1000
Mbps Ethernet POE (SX-FI48GPP) interface modules, together with IPv6-capable interface
modules, or management modules with user ports.
• The mix and match mode for GRE and IPv6 tunnels is not supported.
• Hitless management is supported for GRE tunnels on all FastIron devices. Hitless
management is not supported for IPv6-over-IPv4 tunnels on any FastIron device. When IPv6
tunnels are configured, the CLI commands that execute a hitless switchover
(the switch-over-active-role command and the hitless reload command) are disabled.
• When GRE is enabled on a Layer 3 switch, the following features are not supported on Virtual
Ethernet (VE) ports, VE member ports (ports that have IP addresses), and GRE tunnel loopback
ports:
- ACL logging
- ACL statistics (also called ACL counting)
- MAC address filters
- IPv6 filters
NOTE
The above features are supported on VLANs that do not have VE ports.
• Whenever multiple IP addresses are configured on a tunnel source, the primary address of the
tunnel is always used for forming the tunnel connections. Therefore, carefully check the
configurations when configuring the tunnel destination.