Best Practices for Encapsulated Traffic Handling

This topic discusses guidelines for the following types of encapsulated traffic:

  • Generic Routing Encapsulation (GRE)

  • Point-to-Point Tunneling Protocol (PPTP)

  • IPinIP

  • IPv6inIP

  • Teredo

GRE Tunnel Limitations

GRE tunnel processing is limited to IPv4 and IPv6 passenger flows. Other protocols, such as PPTP and WCCP, are not supported within the GRE tunnel.

Understand Snort version support for your managed devices

The inspection engine used by managed devices is known as Snort. Snort 3 supports more features than Snort 2. To understand how these affect managed devices on your network, you must know:

  • Which versions of Snort your device supports.

    Snort version support can be found in the section on bundled components in the Cisco Firepower Compatibility Guide.

  • How the management center and threat defense software support Snort 2 and Snort 3

    Limitations of Snort 2 and Snort 3 can be found in the Feature Limitations of Snort 3 for Management Center-Managed Threat Defense topic in the Cisco Secure Firewall Management Center Snort 3 Configuration Guide.

GRE v1 and PPTP bypass outer flow processing

GRE v1 (sometimes referred to as stateful GRE) and PPTP traffic bypass outer flow processing.

Passenger flow processing is supported for IPv6inIP and Teredo, but the following limitations apply:

  • Sessions are over a single tunnel that is not load-balanced

  • There is no HA or clustering replication

  • Primary and secondary flow relationships are not maintained

  • Prefilter policy white and black lists are not supported

GRE v0 sequence number field must be optional

All endpoints sending traffic on the network must send GREv0 traffic with the sequence number field as optional; otherwise, the sequence number field is removed. RFC 1701 and RFC 2784 both specify the sequence field as optional.
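The three GRE rules above (IPv4/IPv6 passengers only, GRE v1/PPTP bypassing outer flow processing, and the optional GRE v0 sequence number field) all hinge on fields in the GRE header. The following parser is an added example, not Cisco code and not part of this guide; it decodes a GRE header according to RFC 1701/2784/2890 (version 0) and RFC 2637 (version 1, the PPTP variant) and maps the result onto the handling described above. The sample headers are constructed, and the `classify_tunnel` labels are this example's own wording; the EtherType 0x883E used for the unsupported-passenger sample is the value WCCP uses.

```python
"""GRE header parser and tunnel classifier (added example, not Cisco code).

Layout (RFC 1701/2784/2890 for v0, RFC 2637 for v1):
  bits 0-4   C R K S s      flags
  bit  8     A              acknowledgment present (v1 only)
  bits 13-15 version        0 = GRE, 1 = PPTP enhanced GRE
  next 16    protocol type  EtherType of the passenger packet
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Passenger protocol types carried in the GRE protocol field.
PROTO_IPV4 = 0x0800
PROTO_IPV6 = 0x86DD
PROTO_PPP = 0x880B   # PPTP (GRE v1) carries PPP frames


@dataclass
class GreHeader:
    version: int
    protocol_type: int
    checksum_present: bool
    key_present: bool
    sequence_present: bool
    ack_present: bool            # meaningful for GRE v1 only
    header_length: int           # bytes before the passenger packet begins
    key: Optional[int] = None    # v1: payload length (16) | call ID (16)
    sequence: Optional[int] = None
    ack: Optional[int] = None


def _u32(pkt: bytes, off: int) -> int:
    """Read a big-endian 32-bit field, failing loudly on a truncated header."""
    if len(pkt) < off + 4:
        raise ValueError("GRE header truncated at offset %d" % off)
    return struct.unpack("!I", pkt[off:off + 4])[0]


def parse_gre(pkt: bytes) -> GreHeader:
    """Parse the GRE header at the start of pkt.

    Raises ValueError for truncated headers, unknown versions, the deprecated
    RFC 1701 routing field, and v1 headers that violate RFC 2637 (K must be
    set, C and R must be clear).
    """
    if len(pkt) < 4:
        raise ValueError("GRE header truncated")
    flags, proto = struct.unpack("!HH", pkt[:4])
    c = bool(flags & 0x8000)     # checksum present
    r = bool(flags & 0x4000)     # routing present (RFC 1701 only)
    k = bool(flags & 0x2000)     # key present
    s = bool(flags & 0x1000)     # sequence number present (optional in v0)
    a = bool(flags & 0x0080)     # acknowledgment present (v1 only)
    version = flags & 0x0007
    off = 4
    key = seq = ack = None

    if version == 0:
        if r:
            raise ValueError("RFC 1701 routing field not supported by this parser")
        if c:
            off += 4             # checksum (16 bits) + reserved (16 bits)
        if k:
            key = _u32(pkt, off)
            off += 4
        if s:                    # optional: an endpoint may omit this field
            seq = _u32(pkt, off)
            off += 4
    elif version == 1:
        if not k or c or r:
            raise ValueError("GRE v1 (RFC 2637) requires K=1 and C=R=0")
        key = _u32(pkt, off)     # payload length | call ID
        off += 4
        if s:
            seq = _u32(pkt, off)
            off += 4
        if a:
            ack = _u32(pkt, off)
            off += 4
    else:
        raise ValueError("unknown GRE version %d" % version)

    return GreHeader(version, proto, c, k, s, a, off, key, seq, ack)


def classify_tunnel(pkt: bytes) -> str:
    """Map a GRE header onto the handling this page describes."""
    h = parse_gre(pkt)
    if h.version == 1:
        return "gre-v1/pptp: outer flow processing bypassed"
    if h.protocol_type in (PROTO_IPV4, PROTO_IPV6):
        return "gre-v0: passenger flow inspected"
    return "gre-v0: passenger protocol 0x%04x not supported inside GRE" % h.protocol_type


# Constructed sample headers (not captured traffic); only the first bytes of
# each passenger packet are included because only the GRE header is parsed.
SAMPLE_V0_IPV4 = bytes.fromhex("0000" "0800" "45000054")
SAMPLE_V0_KEY_SEQ_IPV6 = bytes.fromhex("3000" "86dd" "00000042" "00000007" "60000000")
SAMPLE_V1_PPTP = bytes.fromhex("3081" "880b" "00280017" "00000005" "00000004" "ff03")
SAMPLE_V0_WCCP = bytes.fromhex("0000" "883e" "00000000")

if __name__ == "__main__":
    for name, pkt in (("v0 ipv4", SAMPLE_V0_IPV4), ("v0 key+seq ipv6", SAMPLE_V0_KEY_SEQ_IPV6),
                      ("v1 pptp", SAMPLE_V1_PPTP), ("v0 wccp", SAMPLE_V0_WCCP)):
        print("%-16s %s  %s" % (name, parse_gre(pkt), classify_tunnel(pkt)))
```

Run it against a saved capture by feeding the bytes that follow the outer IP header (protocol 47) to `parse_gre`; the `sequence_present` flag on a version-0 header is the quickest way to see which endpoints are sending the optional field this page says is removed.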

How tunnels work with interfaces

Prefilter and access control policy rules are applied to all tunnel types on routed, transparent, inline-set, inline-tap, and passive interfaces.

References

For more information about the GRE and PPTP protocols, see the following: