Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

Unanswered Question
Jun 11th, 2007

We are using the VPN SPA on our 6509 to create and terminate the IPSec/GRE tunnels and we want to direct all traffic coming out of the GRE tunnels to go to a specific ethernet port. This port on the 6509 then connects to an external Cisco AS5540 firewall where we want to analyze the traffic, then send it back to the 6509 through another ethernet port, to finally reach our internal users.

I've been looking at VACLs or PBR to do this, but I still can't see how to forward the packets from the tunnel interfaces to an ethernet port or VLAN.

Any suggestions?

bjornarsb Mon, 06/11/2007 - 12:27


I believe if your FW has an IP you could use the set ip next-hop.

! source address omitted in the original post
access-list 1 permit
access-list 2 permit any
!
! policy-route the traffic decapsulated from the tunnel
interface tun 0
 ip policy route-map analyze
!
! a PBR route-map matches on an ACL (there is no "match protocol" in a route-map);
! sequence 10 uses access-list 1 defined above
route-map analyze permit 10
 match ip address 1
 ! firewall address omitted in the original post
 set ip next-hop
!
route-map analyze permit 20
 match ip address 2
 ! address omitted in the original post; default next-hop applies only when no route exists
 set ip default next-hop

When configuring PBR, follow these guidelines and restrictions:

  • The PFC provides hardware support for PBR configured on a tunnel interface.

  • The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

  • If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC.

  • Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the MSFC to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.




pabblitto1 Tue, 06/12/2007 - 09:38

Thanks. I was undecided whether I should do PBR or VACLs, but I think your suggestion makes more sense since it gives me an additional choice of which packets to forward.

I'll try it out.

pabblitto1 Wed, 06/13/2007 - 11:22

I don't know if I understood this correctly. It seems that this solution takes care of directing the packets into the firewall. How do I then direct the packets that come out of the firewall back to the 6509 to be routed to their final destination?
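A fuller worked configuration for the setup discussed in this thread (the PBR redirect suggested by bjornarsb plus the return leg asked about in the last reply), added here as an example; it is not from any post in the thread, and every interface name and address in it is a constructed placeholder.

```cisco
! Added example, not from any post in this thread. Assumed topology (all addresses constructed):
!   Tunnel0  - where the IPSec/GRE tunnels terminate
!   Vlan100  - 10.0.100.1/24, faces the firewall "outside" interface (10.0.100.2)
!   Vlan200  - 10.0.200.1/24, faces the firewall "inside" interface (10.0.200.2)
!
! 1. Select the decapsulated tunnel traffic. Traffic addressed to the 6509's own SVI
!    addresses is denied first, per the PBR guideline quoted above: an MSFC address inside
!    the permitted range would otherwise be policy routed in hardware instead of reaching
!    the MSFC. No "log" keyword: it is ignored in PBR ACLs.
ip access-list extended TUNNEL-TO-FW
 deny   ip any host 10.0.100.1
 deny   ip any host 10.0.200.1
 permit ip any any
!
! 2. Send the selected flows to the firewall's outside address. "set ip next-hop" (not
!    "default next-hop") is used so the policy takes precedence over the routing table.
!    The next hop is an Ethernet SVI, not a tunnel, so the PFC can switch it in hardware.
route-map ANALYZE permit 10
 match ip address TUNNEL-TO-FW
 set ip next-hop 10.0.100.2
!
! 3. Apply the policy where the tunnel traffic enters the router after decapsulation.
interface Tunnel0
 ip policy route-map ANALYZE
!
interface Vlan100
 description Link to firewall outside
 ip address 10.0.100.1 255.255.255.0
!
! 4. Return leg. The firewall forwards inspected packets to its route for the internal
!    networks, whose next hop is 10.0.200.1. Nothing is policy routed on Vlan200, so
!    packets arriving here simply follow the normal routing table to the internal users.
interface Vlan200
 description Link from firewall inside
 ip address 10.0.200.1 255.255.255.0
```

If the firewall is stateful (as an ASA is), it must also see the reverse direction of each flow: traffic from the internal users back toward the tunnel destinations needs a matching policy on the internal-facing interfaces with next hop 10.0.200.2, otherwise it bypasses the firewall and the firewall drops the flow's return packets.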

