OSPF through GRE tunnel with FW inspection

Unanswered Question
Jul 27th, 2010


Is it possible to pass OSPF routes through a GRE tunnel and still pass data traffic to a firewall for inspection? Please see our setup below:

Physical              Logical

A----B                A----B
\  /                 |\  /|
  FW       ------>    | \/ |
/  \                 | /\ |
C----D                |/  \|

Devices A,B,C and D are Catalyst 6500 swiches. The FW is not a Cisco device. We plan to use GRE tunnel from A-C, A-D, B-C, and B-D to form a redundant setup. Only OSPF updates should pass through the GRE tunnel while actual data traffic should pass through the FW. Static routes are also used from C/D to FW and FW to A/B and vice versa. We need to pass dynamic routing updates (OSPF) from C and D so any changes made to the network below the C and D devices can be learned dynamically.

Any help will be greatly appreciated.

Thanks and Best Regards.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.7 (3 ratings)
Mohamed Sobair Wed, 07/28/2010 - 00:38


You can have this setup, you will need the follwoing:

1- create gre tunnels on all Cisco switches.

2- run OSPF over the GRE tunnels and once done whatever OSPF updates its passed through the GRE tunnels.

3- Have independant routing protocol (static or other) with better AD value for your Data Traffic.



kranch.net Wed, 07/28/2010 - 23:11

Hi Mohamed,

Thanks for the feedback. With regards to item 3, does this mean that we

need to add the static routes manually each time a dynamic route is

learned from OSPF? And we should filter data traffic from the tunnel?

Thanks and Best Regards

Marwan ALshawi Thu, 07/29/2010 - 03:41

The answer is No,

just think about it logically the routing is used to route traffic (data, VOIP ..etc) if the device dose not have route traffic will not be passed

now if you want to pass only ospf traffic over GRE how the switch/router will know about remote network ( how to reach it )

because if you pass OSPF over the GRE your routing table will show the other networks reachable through the GRE tunnel known by OSPF

if follow the advice of having static route them why you run OSPF then just use static route between the devices in this case you do not need osfp or gre

and all the traffic will pass through the firewall without being tunnled

good luck

if helpful Rate

Richard Burts Thu, 07/29/2010 - 05:57

I agree that this will not work. I do not understand the logic of passing OSPF through a GRE tunnel if you do not want to pass data through the tunnel. The fundamental purpose of running OSPF is to advertise routing information that will be used to forward data traffic. So if you pass OSPF updates through the tunnel then the IP forwarding table will want to pass data over the tunnels.

Perhaps if we understood what problem you are trying to solve by having the GRE tunnel but not using it for data then we might be able to suggest some way to achieve your purpose.



kranch.net Thu, 07/29/2010 - 18:13

Hi Rick,

Thanks for the insight. We want to use OSPF so that networks under the C

and D devices can be learned dynamically but still pass traffic through

the FW for security inspections. The FW is currently not capable of

OSPF. Is there a way to do this?

Best Regards

Mohamed Sobair Fri, 07/30/2010 - 04:25

I have suggested its possible if you want to spilit your traffic by having two independant routing protocols. However this will allows you to only have OSPF updates over the GRE tunnel which is not inspected and independant static routing for other traffic (Data traffic). These OSPF updates are not inspected and should not carry your data traffic which you want to pass through the FW.

If you want the same routing updates to be inspected then disable OSPF and use static routing on C and D and the FW.



Marwan ALshawi Fri, 07/30/2010 - 18:19

what the benefit of having two routing protocols in his case and not using the ospf one only send it over the GRE ?

this will be only more CPU and bandwidth utilization

that's why it is not possible

the idea of routing ( dynamic routing ) is to discover the path dynamically, if yo not going to use why would implement it)

thank you

Richard Burts Sat, 07/31/2010 - 07:08


While I certainly agree with you that it is possible to configure GRE tunnels running OSPF and then to configure something like static routes with a better administrative distance to carry the data traffic, I do not believe that this is an effective solution. My first concern is that if a static route failed and was withdrawn from the routing table that the OSPF route (with its worse administrative distance) would become the active route in the routing table and data would flow through the tunnel and not be inspected. My second concern is if you did configure OSPF through GRE simply to learn networks on the other side, then how would you recognize and take action when OSPF added a new network or withdrew a network from its tables?

To the original poster

It would be a somewhat unusual implementation but I would suggest that you think about using BGP as the routing protocol. You could set it up using private ASes since it is entirely a private network implementation. The firewall can be configured to permit the BGP sessions to pass through and since BGP is designed to establish peer realtionships with devices that are not necessarily on the local subnet, there is no need for GRE (such as is needed for OSPF to form neighbor relationships). BGP could dynamically discover (add and withdraw) networks, pass that information to its peers, and the data forwarding path would be through the firewall without needing anything like GRE tunnels.



Mohamed Sobair Sat, 07/31/2010 - 10:02


I agree with you its not a perfect solution, but some times you should go with such request if a customer cant afford any other solution Or if he just wanted to confirm that it could be a solution for him. Oftenly, we have to adapt to certain designs and setup while its not IDEAL or PERFECT because of many reasons. I also agree with you that as a solution provider you should provide the best solution but incase if its not an option, you should also provide an answer if the original inquiry could be solved using the suggested solution or not.

Coming to my previous suggestion, I have clearly stated it would work IF he had different Networks inside C and D (Network are Spilited), and I have explicitly mentioned spilited because of such requirement, My suggestion would be a solution for him if he has different Network to be learned via OSPF than the Static routing, at this stage, he can have all Networks via Static passes through the firewall and inspected while leaves the OSPF over GRE not inspected. But if he wants to have both routing protocols to be used for the same Networks, then it wouldnt be a solution for him.

Does this make sense,


jean.moncada Fri, 07/30/2010 - 20:33

I agree with Marwanshawi, on this case.

I guess you want a solution where all traffic between (A,B) <--> (C,D) is inspected by the firewall at the same time you want ospf routing updates to go through the firewall in order to reach the 6500's (A,B) or (C,D) respectively for dynamic routing between the two networks, in either case ospf updates and data traffic will need to flow through the firewall and data be inspected. is it possibly to summarize (A,B) and (C,D) networks ? e.g. you know that all subnets behind (A,B) are perhaps and (C,D) are ? if not then the only other possible solution I can think of is to acquire a firewall that supports inspection and OSPF. I'm surprised that your firewall doesn't since OSPF is an open standard. What type of firewall do you have ?

kranch.net Sun, 08/08/2010 - 19:57

Thanks for all your feedbacks. I think we need to change our approach to this. We will discuss this internally and take into consideration all the insights discussed here. Again, thank you very much for all your help. This have been very helpful.

Best Regards to all.


This Discussion