Local GRE tunnels through network

jogreco
Level 1

We have several devices on our network that are spread out over several buildings. These devices are unmanaged as far as patch and antivirus levels. I was thinking that I'd be able to set up a second VLAN on each switch these devices are connected to, then have a GRE tunnel to pass that traffic to a pair of 6500s that are protected with an IPS.

The setup would be a 2950 with two VLANs trunked to a pair of distribution layer 6500s. These 6500s would connect into the core of the network. Off the core would be this IPS-protected 6500 pair.

In our lab I've built this up, but am having problems getting the traffic I want to isolate to cross the tunnel. Is this type of configuration possible? All examples I'm seeing show remote sites connecting into the main network.

Thanks,

John


3 Replies

mheusinger
Level 10

Hi,

are you able to ping the IPS 6500s from any device you want to monitor? Might be just a routing issue.

If the unmanaged devices are in one VLAN and the monitoring should use another VLAN ... how do they interconnect?

From an IP routing perspective: why should any traffic cross the GRE tunnels? Which routing table entry should achieve this?

Hope this helps

I feel that Martin is asking a very good question about the routing logic. In the original post John did not indicate anything about how he was setting up routing.

It seems to me that if John wants traffic from a specific VLAN to go through the GRE tunnel and other traffic to not go this way, that it is a fairly obvious situation for Policy Based Routing. PBR could specify that traffic originating from the particular VLAN should have a next-hop of the other end of the tunnel. This would leave all other traffic to use the normal routing table and would relieve the necessity to run dynamic routing through the tunnel (which would eliminate the possibility of other traffic being routed through the tunnel).

HTH

Rick

Thanks for the input on PBR. Somehow that slipped my mind. Putting in a route-map only allowing the isolated network segment and directing it through the tunnel worked. I am static routing the iso network subnet on the IPS 6500 back through the tunnel so both inbound and outbound traffic pass through the IPS and tunnel.
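As an added example (not posted by anyone in the thread), this is the IOS configuration that Rick's PBR suggestion and John's route-map plus static return route describe; every interface name, VLAN number and address is an assumed placeholder.

```cisco
! --- Distribution 6500 (tunnel near end). All names/addresses are constructed.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 description GRE to the IPS-protected 6500
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.2
!
! Match only traffic sourced from the isolated VLAN's subnet.
ip access-list extended ISOLATED-VLAN
 permit ip 10.50.0.0 0.0.0.255 any
!
! Matched traffic is handed to the far end of the tunnel; everything else
! falls through to the normal routing table, so no dynamic routing runs
! inside the tunnel and no other traffic can end up in it.
route-map PBR-ISOLATED permit 10
 match ip address ISOLATED-VLAN
 set ip next-hop 10.255.0.2
!
interface Vlan50
 description Isolated VLAN for unmanaged devices
 ip address 10.50.0.1 255.255.255.0
 ip policy route-map PBR-ISOLATED
!
! --- IPS-protected 6500 (tunnel far end).
interface Loopback0
 ip address 192.0.2.2 255.255.255.255
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
!
! Return path: the isolated subnet is reached only through the tunnel, so
! replies also pass the IPS. The rest of the network must learn 10.50.0.0/24
! from this 6500 and not from the distribution pair; otherwise return
! traffic bypasses the IPS and only one direction is inspected.
ip route 10.50.0.0 255.255.255.0 Tunnel0
```

The loopbacks used as tunnel endpoints must be reachable across the core by a route that does not itself point into the tunnel, or the tunnel flaps with recursive routing. On the distribution 6500, `show route-map PBR-ISOLATED` should show the match counters increasing once isolated-VLAN hosts start sending traffic.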