'show interface tunnel' command question

Unanswered Question
Jul 1st, 2008

Tunnel1 is up, line protocol is up

Hardware is Tunnel

Description: tunnel to Lane Cove for Lane Cove Internet traffic

Internet address is

MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation TUNNEL, loopback not set

Keepalive set (10 sec), retries 3

Tunnel source, destination

Tunnel protocol/transport GRE/IP

Key disabled, sequencing disabled

Checksumming of packets disabled

Tunnel TTL 255

Fast tunneling enabled

Tunnel transmit bandwidth 8000 (kbps)

Tunnel receive bandwidth 8000 (kbps)

Last input 5d01h, output 00:00:02, output hang never

Last clearing of "show interface" counters never

Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0

Queueing strategy: fifo

Output queue: 0/0 (size/max)

5 minute input rate 0 bits/sec, 0 packets/sec

5 minute output rate 0 bits/sec, 0 packets/sec

1677564 packets input, 243987624 bytes, 0 no buffer

Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

99864 packets output, 4793472 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 output buffer failures, 0 output buffers swapped out

Our two routers build a GRE tunnel over the MPLS for Internet traffic. The above is the output of the 'show interface tunnel' command. My questions are:

1/ what is the 'input' and 'output' direction for this tunnel. Does 'input' mean the traffic from local to remote, and 'output' mean the traffic from remote to local?

2/ From the show command, there is a line ' Last input 5d01h, output 00:00:02, output hang never', what is the meaning of 'output hang never'?

Thanks, Leo

michael.leblanc Tue, 07/01/2008 - 17:14

Question #1 is rather interesting. The answer is less simple than one might assume. Make sure you read the last paragraph.

I previously attempted to apply ACLs inbound and outbound on a tunnel interface to implement security policy. I first constructed ACLs to determine what would be matched in the two directions.

TCP/UDP/ICMP host-to-host traffic destined to the far-side network matched the "outbound" ACL applied on the local tunnel interface.

Host-to-host traffic from the far-side network matched the "inbound" ACL, as did EIGRP traffic from the far-side tunnel interface IP (unicasts and multicasts).

However, the "inbound" ACL also matched GRE packets with a source equal to the "tunnel source" (local ext. interface IP), and a destination equal to the "tunnel destination" (far-side ext. interface IP), which I had not expected.
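
The test described in the reply above can be reproduced with permit-only counting ACLs; this is an added example, not configuration from the original thread. The ACL names TUN-IN and TUN-OUT are hypothetical, and Tunnel1 is the interface from the question.

```cisco
! Added example: permit-only ACLs used purely to count what each direction sees.
! TUN-IN / TUN-OUT are hypothetical names. Nothing is denied, so forwarding
! behaviour on the tunnel does not change while the test runs.
ip access-list extended TUN-IN
 ! GRE seen inbound on the tunnel interface (the unexpected match in the reply)
 permit gre any any log
 ! Routing protocol traffic from the far-side tunnel interface
 permit eigrp any any log
 ! Host-to-host traffic arriving from the far-side network
 permit icmp any any log
 permit tcp any any log
 permit udp any any log
 ! Catch-all so anything else is counted rather than hitting the implicit deny
 permit ip any any log
!
ip access-list extended TUN-OUT
 ! Host-to-host traffic destined to the far-side network
 permit icmp any any log
 permit tcp any any log
 permit udp any any log
 permit ip any any log
!
interface Tunnel1
 ip access-group TUN-IN in
 ip access-group TUN-OUT out
!
! After traffic has flowed, read the per-line match counters from exec mode:
!   show ip access-lists TUN-IN
!   show ip access-lists TUN-OUT
```

When the counting ACLs are later turned into a real policy, keep an explicit permit for whatever the `gre` and `eigrp` lines counted, because the implicit deny at the end of an inbound ACL would otherwise drop that traffic as well.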

