GRE Tunnel Set-up Guide


 Note: A GRE Tunnel is IPv4 over IPv6. To set up a Native IPv6 tunnel, see GRE Tunnel Management: IPv6 (IP-IP) Tunnel Set-up Guide.

Overview: What are GRE Tunnels? 

GRE stands for Generic Routing Encapsulation. A GRE Tunnel establishes a route between F5 and your Data Center. Once your traffic has been cleansed of malicious attack traffic, it is routed into the GRE Tunnel and back to the customer over the Internet. The advantage is that attackers cannot attack your network directly, since all traffic must come through F5 for inspection.

Simple Diagram: Standard Setup with GRE Tunnels


Advanced Diagram: Standard Setup with GRE Tunnels

  • The F5 Silverline Scrubbing Centers advertise route to upstream Silverline Carrier Group and thus attract inbound traffic (both clean traffic and attack traffic).
  • Redundant GRE Tunnels connect the Scrubbing Centers with the Customer Data Centers (in this diagram, ACME Corp AS12345 has a data center in San Jose and one in Virginia). Traffic still travels over the Internet via the customers' upstream carriers.


Summary: Standard Setup Process

Here is the standard process that we will follow to set up your GRE Tunnels and start routing your traffic through the F5 Silverline scrubbing center as soon as possible.

  1. Establish the GRE tunnels. -- See below sections on Requirements for GRE Tunnel Setup & How to Provision GRE Tunnels.
  2. Test BGP/subnet is routed through F5 Silverline to your endpoints. -- See BGP Configuration - Guidelines & Tips & Traffic Routing Preferences
  3. Legitimate traffic requests begin. 
  4. Customer (that's you!) verifies they are receiving traffic via the tunnel and routing out via their carrier.
  5. Customer verifies they see traffic in the Portal graphs.

Important Note

For some Silverline DDoS Routed Customers, MTU issues can occur. For more details, please also review this article -- Common Issue: GRE and Path MTU Discovery

 

Procedure

Requirements for GRE Tunnel Setup

Important: You MUST meet these requirements to use Routed DDoS Protection.

  • ASN: It is mandatory to obtain a Public ASN provided by a Regional Internet registry and maintained by your organization.
  • Route Object(s): The longest prefix accepted by Silverline and its carriers is a /24. Anything more specific than /24 will be rejected by policy without exception.
    • The route object MUST be non-RFC1918
    • The route object MUST be maintained by your organization on any IRR, or
    • The route object MUST be included as part of the organization maintained AS-Set (if applicable)
  • Customer Endpoint: IP Address on your router where F5 will terminate tunnel.
    • Must be non-RFC1918 (publicly routable).
    • Important: Cannot be included in prefixes that will be diverted to Silverline for protection
  • Location: A basic notation used as a tunnel identifier. Generally, companies will use the three-letter code for the airport nearest their data center.
  • Redundant Tunnels: For each of your locations, you will create at least 2 tunnels to F5 Silverline (e.g. 1 to US West and 1 to US East). See Q&A: Why Do I Need Redundant GRE Tunnels?
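As an added check (not part of the F5 guide), the following Python script tests a planned request against the requirements above: a public ASN, route objects no more specific than /24 and outside RFC1918, a publicly routable endpoint that is not inside any diverted prefix, and at least two tunnels per location. The ASN, prefixes, endpoint and location codes are constructed sample values (RFC 5737 documentation addresses).

```python
# Added example, not from the F5 guide; inputs are constructed RFC 5737 addresses.
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Private ASN ranges reserved by RFC 6996; a public ASN must lie outside them.
PRIVATE_ASN = [(64512, 65534), (4200000000, 4294967294)]

def is_rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)   # IPv4 networks only

def check_asn(asn):
    if any(lo <= asn <= hi for lo, hi in PRIVATE_ASN):
        return [f"ASN {asn} is private; a public ASN from an RIR is mandatory"]
    return []

def check_prefixes(prefixes):
    """Route objects: no more specific than /24 and not RFC1918."""
    problems = []
    for p in prefixes:
        net = ipaddress.ip_network(p, strict=False)
        if net.prefixlen > 24:
            problems.append(f"{p}: more specific than /24, rejected by policy")
        if is_rfc1918(net):
            problems.append(f"{p}: RFC1918 space cannot be diverted")
    return problems

def check_endpoint(endpoint, prefixes):
    """Customer endpoint: publicly routable and outside every diverted prefix."""
    addr = ipaddress.ip_address(endpoint)
    problems = []
    if is_rfc1918(ipaddress.ip_network(f"{addr}/32")):
        problems.append(f"endpoint {endpoint} is RFC1918; must be publicly routable")
    for p in prefixes:
        if addr in ipaddress.ip_network(p, strict=False):
            problems.append(f"endpoint {endpoint} lies inside diverted prefix {p}")
    return problems

def check_redundancy(tunnels_by_location):
    """At least two tunnels (e.g. US West and US East) per location."""
    return [f"{loc}: {n} tunnel(s) planned, at least 2 required"
            for loc, n in tunnels_by_location.items() if n < 2]

def validate_request(asn, prefixes, endpoint, tunnels_by_location):
    return (check_asn(asn) + check_prefixes(prefixes)
            + check_endpoint(endpoint, prefixes) + check_redundancy(tunnels_by_location))

if __name__ == "__main__":   # constructed request: private ASN, a /25, an RFC1918 prefix, one lone tunnel
    for problem in validate_request(64512, ["203.0.113.0/24", "198.51.100.0/25", "10.1.0.0/24"],
                                    "203.0.113.2", {"SJC": 2, "IAD": 1}):
        print(problem)
```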

 

How to Provision GRE Tunnels (Portal UI)

If you prefer a Video tutorial, see Video: Configuring Routed Solution.

1. In the Silverline Portal, navigate to Config > Routed Configuration > GRE Tunnel Management 

2. Click the + Add button to add a New GRE Tunnel.


3. Choose GRE Tunnel from the drop-down. Note: GRE Tunnels are IPv4 over IPv6.

4. On the "New GRE Tunnel" page, fill in all of the required information in the form, then click "Submit for Provisioning."

5. Next Step: Configure BGP -- See BGP Configuration - Guidelines & Tips

 

Sample Configs

As soon as GRE tunnels are provisioned, use the following configurations as guidelines.

Cisco

interface Tunnel0
 description Defense.net-DFNDCA1000001
 ip address 203.0.113.2 255.255.255.252
 load-interval 30
 keepalive 30 3
 tunnel source 192.0.2.2
 tunnel destination 198.51.100.1

router bgp 64501
  network 1.0.0.0 mask 255.255.255.0
  no synchronization
  bgp log-neighbor-changes
  no auto-summary
  neighbor dfn peer-group
  neighbor dfn remote-as 55002
  neighbor dfn description Defense.net-peer-group
  neighbor dfn password md5BGPpassword
  neighbor dfn version 4
  neighbor dfn send-community
  neighbor dfn prefix-list deny-all in
  neighbor dfn prefix-list route-to-dfn out
  neighbor ispA peer-group
  neighbor ispA remote-as 64500
  neighbor ispA description upstream-ISP-peer-group
  neighbor ispA version 4
  neighbor ispA send-community
  neighbor ispA prefix-list suppress-to-ispA out
  neighbor 203.0.113.1 peer-group dfn
  neighbor 203.0.113.1 description dfn-neighbor-1
  neighbor 192.0.2.1 peer-group ispA
  neighbor 192.0.2.1 description ispA-neighbor-1

ip route 0.0.0.0 0.0.0.0 192.0.2.1 name ispA-uplink
ip route 1.0.0.0 255.255.255.0 Null0 201 name dfn-routed-prefix

ip prefix-list deny-all deny 0.0.0.0/0 le 32

ip prefix-list route-to-dfn permit 1.0.0.0/24

ip prefix-list suppress-to-ispA deny 1.0.0.0/24
ip prefix-list suppress-to-ispA permit 0.0.0.0/0 le 24
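The three prefix-lists in the Cisco sample decide what each BGP neighbor sends and receives: deny-all rejects everything learned from F5, route-to-dfn advertises only the diverted /24 to F5, and suppress-to-ispA withholds that /24 from the upstream ISP while still passing your other prefixes. This added Python script (not part of the F5 guide) parses those lists and applies IOS first-match semantics to a few routes; 203.0.113.0/24 and the /25 routes are constructed extras, not from the sample config.

```python
# Added example, not from the F5 guide: IOS prefix-list evaluation for the sample lists above.
import ipaddress
import re

ENTRY = re.compile(r"ip prefix-list (\S+) (permit|deny) (\S+)(?: ge (\d+))?(?: le (\d+))?")

def parse_prefix_lists(text):
    """Return {name: [(action, network, min_len, max_len), ...]} in config order."""
    lists = {}
    for name, action, prefix, ge, le in ENTRY.findall(text):
        net = ipaddress.ip_network(prefix)
        lo = int(ge) if ge else net.prefixlen        # 'ge' replaces the prefix length as lower bound
        hi = int(le) if le else (32 if ge else lo)   # 'le' sets the upper bound; 'ge' alone allows up to /32
        lists.setdefault(name, []).append((action, net, lo, hi))
    return lists

def evaluate(entries, route):
    """First matching entry wins; a route that matches nothing hits the implicit deny."""
    route = ipaddress.ip_network(route)
    for action, net, lo, hi in entries:
        if route.subnet_of(net) and lo <= route.prefixlen <= hi:
            return action
    return "deny"

def advertised(lists, list_name, routes):
    """Routes that the named outbound list would let through to the neighbor."""
    return [r for r in routes if evaluate(lists[list_name], r) == "permit"]

# The three prefix-lists exactly as they appear in the Cisco sample config.
CONFIG = """
ip prefix-list deny-all deny 0.0.0.0/0 le 32
ip prefix-list route-to-dfn permit 1.0.0.0/24
ip prefix-list suppress-to-ispA deny 1.0.0.0/24
ip prefix-list suppress-to-ispA permit 0.0.0.0/0 le 24
"""

if __name__ == "__main__":
    lists = parse_prefix_lists(CONFIG)
    routes = ["1.0.0.0/24", "1.0.0.0/25", "203.0.113.0/24", "203.0.113.0/25"]   # constructed candidates
    print("to F5 (route-to-dfn out):     ", advertised(lists, "route-to-dfn", routes))
    print("to ISP (suppress-to-ispA out):", advertised(lists, "suppress-to-ispA", routes))
    print("from F5 (deny-all in):        ", advertised(lists, "deny-all", routes))
```

Only 1.0.0.0/24 reaches F5, only 203.0.113.0/24 reaches the ISP, and nothing learned from F5 is accepted; the /25s fall to the implicit deny because neither list has an entry covering a 25-bit length.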

 

Juniper

interfaces {
    gr-0/0/0 {
        unit 1 {
            description Defense.net-DFNDCA1000001;
            tunnel {
                source 192.0.2.2;
                destination 198.51.100.1;
            }
            family inet {
                address 203.0.113.2/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.0.2.1;
        route 1.0.0.0/24 discard;
    }
    autonomous-system 64501;
}
protocols {
    bgp {
        log-updown;
        local-as 64501;
        group dfn {
            type external;
            advertise-inactive;
            import reject-all;
            authentication-key md5BGPpassword;
            export route-to-dfn;
            peer-as 55002;
            neighbor 203.0.113.1;
        }
        group ispA {
            type external;
            advertise-inactive;
            export suppress-to-ispA;
            peer-as 64500;
            neighbor 192.0.2.1;
        }
    }
    oam {
        gre-tunnel {
            interface gr-0/0/0.1 {
                keepalive-time 30;
                hold-time 120;
            }
        }
    }
}
policy-options {
    prefix-list route-to-dfn {
        1.0.0.0/24;
    }
    policy-statement reject-all {
        then reject;
    }
    policy-statement route-to-dfn {
        term route-to-dfn {
            from {
                prefix-list-filter route-to-dfn;
            }
            then accept;
        }
        then reject;
    }
    policy-statement suppress-to-ispA {
        term suppress-to-ispA {
            from {
                prefix-list-filter route-to-dfn;
            }
            then reject;
        }
        then accept;
    }
}
