Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
755
Views
3
Helpful
9
Replies

GRE and IPSEC

sharma16031981
Level 1
Level 1

‎09-29-2009 12:59 AM - edited ‎03-06-2019 07:55 AM

Hi,

please tell me the difference or similarity between GRE and IPSEC tunnel.

Can they both be used for same purpose.

Thanks,

Labels:
0 Helpful
9 Replies 9

rducombl
Cisco Employee
Cisco Employee

‎09-29-2009 05:31 AM

Well GRE is a simple tunneling mechanism but not encrypted. it is usefull when you want to carry traffic between 2 IP end point without bothering about what's in the middle.

IPSEC is IP security is an encryption technique of IP traffic. Usually you will use IPSEC on a GRE tunnel to encrypt your traffic.

sharma16031981
Level 1
Level 1
In response to rducombl

‎10-03-2009 02:16 PM

Thanks for reply !!!

I have one more query please. It is regarding access lilst.

interface vlan 20

ip address 20.1.1.1 255.255.255.0

Interface vlan 30

Ip add 30.1.1.1 255.255.255.0

Now I want that hosts from vlan 20 can only be able to access one web server in vlan 30 with ip 30.1.1.100 and nothing else

access list 1 permit tcp 20.1.1.0 0.0.0.255 30.1.1.100 0.0.0.0 eq 80

Now i have applied this to int vlan 20

ip access-group 1 in.

Is this correct to configure as my requirement???

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sharma16031981

‎10-03-2009 05:24 PM

hemant

The biggest problem with the suggested configuration is that you are configuring access list 1 which would be a standard access list. And standard access lists can check only the source address. But you have configured the access list to check both source and destination address. This is not valid.

To check both source and destination address you would need to configure it as an extended access list. It might be something like this:

access list 101 permit tcp 20.1.1.0 0.0.0.255 host 30.1.1.100 0.0.0.0 eq 80

also note that your suggested access list does not specify a mask for the destination address. In my suggested solution I have configured it to identify a specific host address.

And the command to put the access list on interface vlan 20 would be

ip access-group 1 in

note that this will allow only http traffic to the destination. It will not allow anything like DNS and I wonder if DNS will be needed by the source host addresses to resolve the name to address of the destination.

HTH

Rick

HTH

Rick
0 Helpful

sdoremus33
Level 3
Level 3
In response to Richard Burts

‎10-03-2009 08:35 PM

Thanks for the helpful information Rick as always

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sdoremus33

‎10-04-2009 02:56 PM

Steven

Thanks for the kind words. I am pleased that you continue to follow my responses.

In re-reading my response I see a goof on my part that I would like to correct. I suggested using an extended access list and then suggested that applying it might look something like:

ip access-group 1 in

which continues to use the standard access list. Obviously I should have suggested:

ip access-group 101 in

HTH

Rick

HTH

Rick
0 Helpful

sharma16031981
Level 1
Level 1
In response to Richard Burts

‎10-04-2009 09:35 PM

Thanks Rick for giving the response to my query.

I was just trying to know the meaning of (in) comment in the access list on the vlan interface. beside the access list number i think access list was applied correctly to stop traffic going out of that vlan.

now couple of questions I have

1. if i wanted to block the trafice coming from other vlan to this vlan I can apply access list on the out of this vlan or in of that vlan.

2. If I have two router connected directly to each other and I want to block the traffic on that is coming from other router in front then what would be the direction of access list on this router. ( in or out).

Thanks!!!

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sharma16031981

‎10-05-2009 09:34 AM

hemant

An access list can be applied as inbound or as outbound on an interface. If the access list is applied in then it will filter traffic from the devices in the LAN of the interface as the traffic comes into the interface. If the access list is applied out then it will filter traffic to the devices in the LAN of the interface as the traffic goes out of the interface.

There is not a single rule that tells you whether it is better to apply the access list as inbound or as outbound. You need to consider each situation and determine for that unique situation whether it is better inbound or outbound. I can suggest some principles to consider in making this decision:

- generally it is better to place extended access lists as close to the source as possible and to apply standard access lists as close to the destination as possible.

- you should consider whether you can accomplish what you need with a single access list or will it need multiple access lists. Generally using a single access list if preferred to using multiple access lists to accomplish the same objective.

- if you want to limit what resources the hosts in a subnet can access then an extended access list assigned inbound is best. This will require only a single access list and you catch and deny traffic before it consumes much network bandwidth.

- if you want to limit what resources in a subnet that remote hosts can access then an extended access list assigned outbound on the interface is best. It may allow packets to consume network bandwidth before they are denied, but the advantage of configuring (and maintaining) a single access list may out weigh the need to configure multiple access lists for the multiple interfaces where the remote hosts connect to the network.

- Some times these principles may identify the optimum router on which to configure an access list but it is a router which you do not control. It is better for you to configure the access list and apply it than it is to ask someone else to configure the access list and do exactly what you want them to do.

HTH

Rick

HTH

Rick
0 Helpful

sharma16031981
Level 1
Level 1
In response to Richard Burts

‎10-05-2009 08:32 PM

Thanks Once again Rick,

So what I understand from this is that if I am assinging a access-list in on any physical point to point interface then traffic that is inside of that interface and is going out is check by the router.

Is this correct !!

Hemant

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to sharma16031981

‎10-06-2009 10:14 AM

Hemant

If an access list is assigned "in" then it is checking inbound traffic that is coming into the interface from devices connected in the subnet of the interface.

HTH

Rick

HTH

Rick
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card