Guidelines and limitations for encapsulated traffic handling
This topic discusses guidelines for the following types of encapsulated traffic:
- Generic Routing Encapsulation (GRE)
- Point-to-Point Tunneling Protocol (PPTP). (This protocol is not handled by tunnel rules in the prefilter policy.)
- IPinIP
- IPv6inIP
- Teredo
GRE Tunnel Limitations
GRE tunnel processing is limited to IPv4 and IPv6 passenger flows. Other protocols, such as PPTP and WCCP, are not supported within the GRE tunnel.
GRE v1 and PPTP bypass outer flow processing
GRE v1 (sometimes referred to as stateful GRE) and PPTP traffic bypass outer flow processing.
Passenger flow processing is supported for IPv6inIP and Teredo but the following limitations apply:
- Sessions are over a single tunnel that is not load-balanced.
- There is no HA or clustering replication.
- Primary and secondary flow relationships are not maintained.
- Prefilter policy white and black lists are not supported.
GRE v0 sequence number field must be optional
All endpoints sending traffic on the network must send GREv0 traffic with the sequence number field as optional; otherwise, the sequence number field is removed. RFC 1701 and RFC 2784 both specify the sequence field as optional.
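
To check how captured GRE traffic maps onto the limitations above (passenger protocol, GRE version, presence of the sequence number field), the following added example parses the GRE header and labels each packet. It is not code from the product or its documentation; the function name, the handling labels and the sample headers are assumptions constructed for illustration, and the protocol type values for WCCP (0x883E) and PPP (0x880B) are standard values that do not appear on this page.

```python
import struct

# Flag bits of the first 16-bit GRE word (RFC 1701 layout); low 3 bits = version.
C_BIT, R_BIT, K_BIT, S_BIT = 0x8000, 0x4000, 0x2000, 0x1000
PASSENGERS = {0x0800: "IPv4", 0x86DD: "IPv6"}  # passenger flows this topic lists

def classify_gre(header: bytes) -> dict:
    """Parse a GRE header and label it per the guidelines in this topic."""
    if len(header) < 4:
        raise ValueError("GRE header needs at least 4 bytes")
    flags, proto = struct.unpack("!HH", header[:4])
    version = flags & 0x0007
    seq, offset = None, 4
    if version == 0:
        # Optional fields appear in this order: checksum/offset, key, sequence.
        offset += 4 if flags & (C_BIT | R_BIT) else 0
        offset += 4 if flags & K_BIT else 0
        if flags & S_BIT:
            if len(header) < offset + 4:
                raise ValueError("S bit set but sequence number is truncated")
            (seq,) = struct.unpack("!I", header[offset:offset + 4])
            offset += 4
        handling = ("passenger-supported" if proto in PASSENGERS
                    else "passenger-unsupported")
    elif version == 1:
        handling = "bypasses-outer-flow"  # GRE v1 / PPTP
    else:
        handling = "unknown-version"
    return {"version": version, "protocol": proto, "sequence": seq,
            "payload_offset": offset if version == 0 else None,
            "handling": handling}

# Constructed sample headers (hex), not taken from real traffic.
SAMPLES = {
    "v0 IPv4, no options": "00000800",
    "v0 IPv6, key + sequence": "300086dd000000070000002a",
    "v0 WCCP passenger": "0000883e",
    "v1 PPTP (enhanced GRE)": "2001880b00100001",
}

if __name__ == "__main__":
    for name, hx in SAMPLES.items():
        print(name, classify_gre(bytes.fromhex(hx)))
```

A non-`None` `sequence` value on a version 0 packet identifies an endpoint that is sending the sequence number field, which is the case the GRE v0 guideline above concerns.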
How tunnels work with interfaces
Prefilter and access control policy rules are applied to all tunnel types on routed, transparent, inline-set, inline-tap, and passive interfaces.
References
For more information about the GRE and PPTP protocols, see the following: