Cisco Support Community

New Member

Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

We are using the VPN Spa on our 6509 to create and terminate the IPSec/GRE tunnels and we want to direct all traffic coming out of the GRE tunnels to go to a specific ethernet port. This port on the 6509 then connects to an external Cisco AS5540 firewall where we want to analyze the traffic then send it back to the 6509 through another ethernet port, to finally reach our internal users.

I've been looking at VACLs or PBR to do this but I still can't see how to forward the packets from the tunnel interfaces to an ethernet port or VLAN.

Any suggestions?

Thanks.

3 REPLIES
Bronze

Re: Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

Hi,

I believe if your FW has an IP you could use the set ip next-hop.

access-list 1 permit 209.165.200.225
access-list 2 permit any
!
interface Tunnel0
 ip policy route-map analyze
!
! Sequence 10: select the source in access-list 1 and force its next hop to the
! firewall. (A PBR route-map selects packets with "match ip address <acl>";
! "match protocol GRE" is not a route-map match command, so access-list 1,
! otherwise unused, is what this sequence matches on.)
route-map analyze permit 10
 match ip address 1
 set ip next-hop 209.165.200.228
!
! Sequence 20: everything else. "set ip default next-hop" is consulted only
! when the routing table has no explicit route for the destination.
route-map analyze permit 20
 match ip address 2
 set ip default next-hop 209.165.200.229

When configuring PBR, follow these guidelines and restrictions:

- The PFC provides hardware support for PBR configured on a tunnel interface.

- The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.

- If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC.

- Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the MSFC to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.

See:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a008075fae6.html

BR,

Bjornarsb
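The route-map above relies on two behaviours that are easy to confuse: "set ip next-hop" overrides the routing table unconditionally, while "set ip default next-hop" is used only when there is no explicit route, and a deny ACE in the match ACL keeps MSFC-bound traffic out of policy routing (the third guideline). The following Python model is an added example written for this page, not code from the thread or from Cisco; it replays those rules over a few constructed packets. It assumes an MSFC address of 209.165.200.230 and a small constructed routing table, and it uses extended-style ACEs (source and destination) so the MSFC deny can be expressed; the reply's standard ACLs are the special case with destination "any".

```python
"""Model of how a Cisco IOS PBR route-map chooses a next hop (added example).

Constructed addressing, mirroring the reply's documentation-range examples:
  209.165.200.225  source singled out by access-list 1
  209.165.200.228  firewall, used by "set ip next-hop"
  209.165.200.229  fallback, used by "set ip default next-hop"
  209.165.200.230  ASSUMED address of the MSFC (the switch's own routed interface)
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network


@dataclass
class Ace:
    """One access-list entry: permit/deny on source and destination prefixes."""
    action: str            # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


@dataclass
class Seq:
    """One 'route-map <name> permit <seq>' block with a single 'match ip address'."""
    seq: int
    acl: List[Ace]
    next_hop: Optional[str] = None           # set ip next-hop
    default_next_hop: Optional[str] = None   # set ip default next-hop


def net(s: str) -> IPv4Net:
    return IPv4Net(s, strict=False)


ANY = net("0.0.0.0/0")
MSFC = "209.165.200.230"       # assumed, see module docstring
FIREWALL = "209.165.200.228"
FALLBACK = "209.165.200.229"


def acl_lookup(acl: List[Ace], src: str, dst: str) -> Optional[bool]:
    """First-match ACL evaluation: True = permit, False = deny, None = no match.
    Inside a route-map both deny and no-match mean 'this sequence does not apply'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return None


def rib_lookup(rib: Dict[IPv4Net, str], dst: str) -> Optional[Tuple[IPv4Net, str]]:
    """Longest-prefix match over a constructed routing table {prefix: next_hop}."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for prefix, nh in rib.items():
        if d in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, nh)
    return best


def policy_route(route_map: List[Seq], rib: Dict[IPv4Net, str],
                 src: str, dst: str) -> Tuple[str, str]:
    """Return (next_hop, reason) for one packet arriving on an 'ip policy' interface."""
    for entry in sorted(route_map, key=lambda e: e.seq):
        if acl_lookup(entry.acl, src, dst) is not True:
            continue                         # deny or no match: try the next sequence
        if entry.next_hop:
            # "set ip next-hop" wins over the routing table unconditionally
            return entry.next_hop, f"seq {entry.seq}: set ip next-hop"
        if entry.default_next_hop:
            # "set ip default next-hop" applies only when the RIB has no explicit
            # (non-default) route for the destination
            route = rib_lookup(rib, dst)
            if route and route[0].prefixlen > 0:
                return route[1], f"seq {entry.seq}: explicit route {route[0]} wins"
            return entry.default_next_hop, f"seq {entry.seq}: set ip default next-hop"
        break                                # matched a sequence with no set clause
    route = rib_lookup(rib, dst)
    return (route[1] if route else "drop"), "no policy applied: normal routing"


# The reply's route-map, with the guideline's deny for MSFC-bound traffic added first.
ACL_1 = [Ace("deny", ANY, net(MSFC + "/32")),
         Ace("permit", net("209.165.200.225/32"), ANY)]
ACL_2 = [Ace("deny", ANY, net(MSFC + "/32")),
         Ace("permit", ANY, ANY)]
ROUTE_MAP_ANALYZE = [Seq(10, ACL_1, next_hop=FIREWALL),
                     Seq(20, ACL_2, default_next_hop=FALLBACK)]
RIB = {                                      # constructed routing table
    net("10.0.0.0/8"): "10.0.0.1",           # assumed route towards internal users
    net("209.165.200.224/27"): "connected",  # the MSFC's own subnet
    net("0.0.0.0/0"): "192.0.2.1",           # a default route
}

if __name__ == "__main__":
    for src, dst in [("209.165.200.225", "10.1.1.1"), ("209.165.200.226", "10.1.1.1"),
                     ("209.165.200.226", "198.51.100.7"), ("209.165.200.225", MSFC)]:
        nh, why = policy_route(ROUTE_MAP_ANALYZE, RIB, src, dst)
        print(f"{src} -> {dst}: next hop {nh} ({why})")
```

Running it shows the four cases side by side: the selected source always goes to the firewall, other traffic with an explicit internal route keeps that route despite sequence 20, traffic with only a default route takes the default next hop, and anything addressed to the MSFC bypasses the policy entirely.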

New Member

Re: Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

Thanks. I was undecided whether I should do PBR or VACLs but I think your suggestion makes more sense since it gives me more choice over which packets to forward to it.

I'll try it out.

New Member

Re: Redirecting incoming IPSec/GRE traffic to an ethernet port on Cat6K

I don't know if I understood this correctly. It seems that this solution takes care of directing the packets to go into the firewall. How do I then direct the packets that come out of the firewall back to the 6509 to be routed to their final destination?

285 Views | 3 Helpful | 3 Replies