
'show interface tunnel' command question

xzjleo2005
Level 1

Tunnel1 is up, line protocol is up
Hardware is Tunnel
Description: tunnel to Lane Cove for Lane Cove Internet traffic
Internet address is 10.211.1.5/31
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive set (10 sec), retries 3
Tunnel source 10.150.32.3, destination 10.150.0.2
Tunnel protocol/transport GRE/IP
Key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Last input 5d01h, output 00:00:02, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
1677564 packets input, 243987624 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
99864 packets output, 4793472 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out

Our two routers build up a GRE tunnel over the MPLS for Internet traffic. The above is the content of the 'show interface tunnel' command; my questions are:

1/ What are the 'input' and 'output' directions for this tunnel? Does 'input' mean the traffic from local to remote, and 'output' mean the traffic from remote to local?

2/ From the show command, there is a line 'Last input 5d01h, output 00:00:02, output hang never'; what is the meaning of 'output hang never'?

Thanks, Leo

2 Replies

michael.leblanc
Level 4

Question #1 is rather interesting. The answer is less simple than one might assume. Make sure you read the last paragraph.

I previously attempted to apply ACLs inbound and outbound on a tunnel interface to implement security policy. I first constructed ACLs to determine what would be matched in the two directions.

TCP/UDP/ICMP host-to-host traffic destined to the far-side network matched the "outbound" ACL applied on the local tunnel interface.

Host-to-host traffic from the far-side network matched the "inbound" ACL, as did EIGRP traffic from the far-side tunnel interface IP (unicasts and multicasts).

However, the "inbound" ACL also matched GRE packets with a source equal to the "tunnel source" (local ext. interface IP), and a destination equal to the "tunnel destination" (far-side ext. interface IP), which I had not expected.

purohit_810
Level 5

Hi,

Here is the complete interface reading guide.

http://www.cisco.com/en/US/docs/ios/12_2/interface/command/reference/irfshoin.html#wp1022428

Thanks,

Dharmesh Purohti
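
An added example, not part of the original thread or of Cisco's documentation: a small Python parser for the timer and counter lines of the 'show interface tunnel' output posted in the question, so the 'Last input / output / output hang' fields and the per-direction counters can be compared programmatically. The function names are hypothetical, and SAMPLE is a subset of lines copied from the question's output.

```python
import re

# Constructed sample: a subset of lines copied from the output in the question.
SAMPLE = """\
Tunnel1 is up, line protocol is up
Keepalive set (10 sec), retries 3
Tunnel source 10.150.32.3, destination 10.150.0.2
Last input 5d01h, output 00:00:02, output hang never
1677564 packets input, 243987624 bytes, 0 no buffer
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
99864 packets output, 4793472 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
"""

UNITS = {"y": 31536000, "w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def ios_age_seconds(text):
    """Convert an elapsed-time field (hh:mm:ss, 5d01h, 2w3d, never) to seconds."""
    if text == "never":
        return None  # the event has not occurred since the counters started
    m = re.fullmatch(r"(\d+):(\d\d):(\d\d)", text)
    if m:
        h, mi, s = map(int, m.groups())
        return h * 3600 + mi * 60 + s
    parts = re.findall(r"(\d+)([ywdhms])", text)
    # Reject anything that is not made up entirely of <number><unit> pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised time field: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_show_interface(output):
    """Extract the timers and per-direction counters from 'show interface' text."""
    info = {}
    m = re.search(r"Last input (\S+), output (\S+), output hang (\S+)", output)
    if m:
        keys = ("last_input_s", "last_output_s", "output_hang_s")
        info.update(zip(keys, (ios_age_seconds(v) for v in m.groups())))
    for direction in ("input", "output"):
        m = re.search(rf"(\d+) packets {direction}, (\d+) bytes", output)
        if m:
            info[f"{direction}_packets"], info[f"{direction}_bytes"] = map(int, m.groups())
        m = re.search(rf"(\d+) {direction} errors", output)
        if m:
            info[f"{direction}_errors"] = int(m.group(1))
    return info

if __name__ == "__main__":
    for key, value in parse_show_interface(SAMPLE).items():
        print(f"{key:16} {value}")
```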