New Member

Local GRE tunnels through network

We have several devices on our network that are spread out over several buildings. These devices are unmanaged as far as patch and antivirus levels. I was thinking that I'd be able to set up a second VLAN on each switch these devices are connected to, then have a GRE tunnel to pass that traffic to a pair of 6500's that are protected with an IPS.

The setup would be a 2950 with two VLANs trunked to a pair of distribution layer 6500's. These 6500's would connect into the core of the network. Off the core would be this IPS-protected 6500 pair.

In our lab I've built this up, but am having problems getting the traffic I want to isolate to cross the tunnel. Is this type of configuration possible? All examples I'm seeing show remote sites connecting into the main network.

Thanks,

John

Accepted Solution
Hall of Fame Super Silver

Re: Local GRE tunnels through network

I feel that Martin is asking a very good question about the routing logic. In the original post John did not indicate anything about how he was setting up routing.

It seems to me that if John wants traffic from a specific VLAN to go through the GRE tunnel and other traffic to not go this way, that it is a fairly obvious situation for Policy Based Routing. PBR could specify that traffic originating from the particular VLAN should have a next-hop of the other end of the tunnel. This would leave all other traffic to use the normal routing table and would relieve the necessity to run dynamic routing through the tunnel (which would eliminate the possibility of other traffic being routed through the tunnel).

HTH

Rick

3 REPLIES

Re: Local GRE tunnels through network

Hi,

are you able to ping the IPS 6500s from any device you want to monitor? Might be just a routing issue.

If the unmanaged devices are in one VLAN and the monitoring should use another VLAN ... how do they interconnect?

From an IP routing perspective: why should any traffic cross the GRE tunnels? Which routing table entry should achieve this?

Hope this helps

New Member

Re: Local GRE tunnels through network

Thanks for the input on PBR. Somehow that slipped my mind. Putting in a route-map only allowing the isolated network segment and directing it through the tunnel worked. I am static routing the iso network subnet on the IPS 6500 back through the tunnel so both inbound and outbound traffic pass through the IPS and tunnel.
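The following is an added IOS configuration sketch of the PBR approach Rick describes and the route-map plus static return route John settled on; it is not from the thread. Interface names, VLAN number, and all addresses are constructed placeholders; it assumes the isolated devices sit in VLAN 200 (10.200.0.0/24) and that the IPS is inline on the far 6500's path toward the rest of the network.

```cisco
! ---- Distribution 6500 (near end) -- constructed addresses ----
interface Tunnel0
 description GRE to IPS-protected 6500
 ip address 172.16.255.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
! Only the isolated segment is matched; everything else falls through
! to the normal routing table, so no dynamic routing is needed in the tunnel.
ip access-list extended ISO-VLAN
 permit ip 10.200.0.0 0.0.0.255 any
!
route-map ISO-TO-IPS permit 10
 match ip address ISO-VLAN
 set ip next-hop 172.16.255.2
!
! PBR is applied on the SVI of the isolated VLAN only, so the GRE
! packets the router itself generates are not policy-routed.
interface Vlan200
 description isolated unmanaged devices
 ip address 10.200.0.1 255.255.255.0
 ip policy route-map ISO-TO-IPS
!
! ---- IPS-protected 6500 (far end) ----
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
! Return path: traffic to the isolated subnet goes back through the
! tunnel, so both directions traverse the IPS (assumed inline here).
ip route 10.200.0.0 255.255.255.0 Tunnel0
```

Verify with `show route-map ISO-TO-IPS` (policy match counters increment for isolated-VLAN traffic) and `show interfaces Tunnel0` counters on both ends; if other hosts need to reach the isolated subnet without the IPS, that static route on the far 6500 is exactly what forces them through it.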
