Unanswered Question
Sep 29th, 2009


please tell me the difference or similarity between GRE and IPSEC tunnel.

Can they both be used for same purpose.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
rducombl Tue, 09/29/2009 - 05:31

Well GRE is a simple tunneling mechanism but not encrypted. it is usefull when you want to carry traffic between 2 IP end point without bothering about what's in the middle.

IPSEC is IP security is an encryption technique of IP traffic. Usually you will use IPSEC on a GRE tunnel to encrypt your traffic.

sharma16031981 Sat, 10/03/2009 - 14:16

Thanks for reply !!!

I have one more query please. It is regarding access lilst.

interface vlan 20

ip address

Interface vlan 30

Ip add

Now I want that hosts from vlan 20 can only be able to access one web server in vlan 30 with ip and nothing else

access list 1 permit tcp eq 80

Now i have applied this to int vlan 20

ip access-group 1 in.

Is this correct to configure as my requirement???

Richard Burts Sat, 10/03/2009 - 17:24


The biggest problem with the suggested configuration is that you are configuring access list 1 which would be a standard access list. And standard access lists can check only the source address. But you have configured the access list to check both source and destination address. This is not valid.

To check both source and destination address you would need to configure it as an extended access list. It might be something like this:

access list 101 permit tcp host eq 80

also note that your suggested access list does not specify a mask for the destination address. In my suggested solution I have configured it to identify a specific host address.

And the command to put the access list on interface vlan 20 would be

ip access-group 1 in

note that this will allow only http traffic to the destination. It will not allow anything like DNS and I wonder if DNS will be needed by the source host addresses to resolve the name to address of the destination.



Richard Burts Sun, 10/04/2009 - 14:56


Thanks for the kind words. I am pleased that you continue to follow my responses.

In re-reading my response I see a goof on my part that I would like to correct. I suggested using an extended access list and then suggested that applying it might look something like:

ip access-group 1 in

which continues to use the standard access list. Obviously I should have suggested:

ip access-group 101 in



sharma16031981 Sun, 10/04/2009 - 21:35

Thanks Rick for giving the response to my query.

I was just trying to know the meaning of (in) comment in the access list on the vlan interface. beside the access list number i think access list was applied correctly to stop traffic going out of that vlan.

now couple of questions I have

1. if i wanted to block the trafice coming from other vlan to this vlan I can apply access list on the out of this vlan or in of that vlan.

2. If I have two router connected directly to each other and I want to block the traffic on that is coming from other router in front then what would be the direction of access list on this router. ( in or out).


Richard Burts Mon, 10/05/2009 - 09:34


An access list can be applied as inbound or as outbound on an interface. If the access list is applied in then it will filter traffic from the devices in the LAN of the interface as the traffic comes into the interface. If the access list is applied out then it will filter traffic to the devices in the LAN of the interface as the traffic goes out of the interface.

There is not a single rule that tells you whether it is better to apply the access list as inbound or as outbound. You need to consider each situation and determine for that unique situation whether it is better inbound or outbound. I can suggest some principles to consider in making this decision:

- generally it is better to place extended access lists as close to the source as possible and to apply standard access lists as close to the destination as possible.

- you should consider whether you can accomplish what you need with a single access list or will it need multiple access lists. Generally using a single access list if preferred to using multiple access lists to accomplish the same objective.

- if you want to limit what resources the hosts in a subnet can access then an extended access list assigned inbound is best. This will require only a single access list and you catch and deny traffic before it consumes much network bandwidth.

- if you want to limit what resources in a subnet that remote hosts can access then an extended access list assigned outbound on the interface is best. It may allow packets to consume network bandwidth before they are denied, but the advantage of configuring (and maintaining) a single access list may out weigh the need to configure multiple access lists for the multiple interfaces where the remote hosts connect to the network.

- Some times these principles may identify the optimum router on which to configure an access list but it is a router which you do not control. It is better for you to configure the access list and apply it than it is to ask someone else to configure the access list and do exactly what you want them to do.



sharma16031981 Mon, 10/05/2009 - 20:32

Thanks Once again Rick,

So what I understand from this is that if I am assinging a access-list in on any physical point to point interface then traffic that is inside of that interface and is going out is check by the router.

Is this correct !!


Richard Burts Tue, 10/06/2009 - 10:14


If an access list is assigned "in" then it is checking inbound traffic that is coming into the interface from devices connected in the subnet of the interface.




This Discussion