Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

pabblitto1
Level 1

We are using the VPN SPA on our 6509 to create and terminate the IPSec/GRE tunnels and we want to direct all traffic coming out of the GRE tunnels to go to a specific ethernet port. This port on the 6509 then connects to an external Cisco AS5540 firewall where we want to analyze the traffic then send it back to the 6509 through another ethernet port, to finally reach our internal users.

I've been looking at VACLs or PBR to do this but I still can't see how to forward the packets from the tunnel interfaces to an ethernet port or VLAN.

Any suggestions?

Thanks.

3 Replies

bjornarsb
Level 4

Hi,

I believe if your FW has an IP you could use the set ip next-hop.

access-list 1 permit 209.165.200.225
access-list 2 permit any
!
! PBR is applied on the tunnel interface, so the decapsulated traffic
! arriving from the GRE tunnel is what gets policy-routed
interface tun 0
 ip policy route-map analyze
!
route-map analyze permit 10
 match protocol GRE
 set ip next-hop 209.165.200.228
!
route-map analyze permit 20
 match ip address 2
 set ip default next-hop 209.165.200.229

When configuring PBR, follow these guidelines and restrictions:

• The PFC provides hardware support for PBR configured on a tunnel interface.

• The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

• If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC.

• Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the MSFC to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.

See:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008075fae6.html

BR,

Bjornarsb
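Added example (not from the thread or from Cisco's documentation): a fuller 6509 configuration for the PBR approach above that also applies the MSFC guideline, denying traffic addressed to the switch's own addresses in the PBR ACL so only user traffic from the tunnel is steered to the firewall. All addresses, VLAN numbers and port names are constructed assumptions; it also assumes the firewall hands traffic back on a second VLAN whose SVI the 6509 routes through its normal routing table.

```cisco
! Assumed addressing (constructed for this example):
!   10.0.0.1/30    Tunnel0 on the 6509 (MSFC address on the tunnel)
!   10.10.10.1/24  VLAN 10 on the 6509, firewall outside interface at 10.10.10.2
!   10.20.20.1/24  VLAN 20 on the 6509, firewall inside interface at 10.20.20.2
!
! PBR ACL: deny traffic addressed to the MSFC itself so it is not policy-routed
! in hardware (see the guideline above), then match everything else from the tunnel.
! Note: no "log" keyword, since logging in PBR ACEs is ignored by the PFC.
ip access-list extended TO-FIREWALL
 deny   ip any host 10.0.0.1
 deny   ip any host 10.10.10.1
 deny   ip any host 10.20.20.1
 permit ip any any
!
! Packets denied by the ACL do not match sequence 10 and fall through
! to normal routing; matching packets are sent to the firewall's outside leg.
route-map analyze permit 10
 match ip address TO-FIREWALL
 set ip next-hop 10.10.10.2
!
! Apply PBR on the tunnel so decapsulated GRE traffic is what gets redirected.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 ip policy route-map analyze
!
! Leg toward the firewall's outside interface
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport
 switchport access vlan 10
!
! Leg from the firewall's inside interface: traffic returning here has no
! PBR applied and is forwarded by the 6509's normal routing table.
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
!
interface GigabitEthernet1/2
 switchport
 switchport access vlan 20
```

The firewall must route the internal user subnets toward 10.20.20.1 on its inside interface, otherwise inspected traffic never re-enters the 6509.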

Thanks. I was undecided whether I should do PBR or VACLs but I think your suggestion makes more sense since it gives me additional choice on which packets to forward it to.

I'll try it out.

I don't know if I understood this correctly. It seems that this solution takes care of directing the packets to go into the firewall. How do I then direct the packets that come out of the firewall back to the 6509 to be routed to their final destination?
