Cisco Systems GRE & Policy Routing

Posted by Zgrp on July 28, 2005, 8:46 am


Hi,

First of all, sorry for the inconvenience! I'm configuring
(testing) GRE with Cisco and Linux and I found
some posts in the archive/google but I failed, so I'm asking
you for help, since I've been searching for a long time with no solution. :(
If some of you could help me. :)

For my test I'm using a cisco router with the
following:

eth0 - 200.210.11.130
tunnel - 1.1.1.1

---------------------------------------------------

Linux:

eth0 - 200.210.12.9
tunnel - 1.1.1.2

I want to create a GRE tunnel from the Cisco router to
my Linux box, which is running a NIDS (snort). The
idea is:


| Internet |
|
|
|
| Cisco | --GRE--> |Linux-with-Snort-to-Analyze-The-Traffic| ---|
|                                                         |
|                                                         |
|____________________GRE_____________________________________|

Well, the GRE from Cisco to Linux I think I created
correctly (at least, it appears to work).


Cisco:

conf t
int tunnel 0
ip address 1.1.1.1 255.255.255.0
tunnel source eth0
tunnel dest 200.210.12.9
tunnel mode gre ip
exit

Linux (all rules in firewall allow CISCO):

modprobe ip_gre
iptunnel add mynet mode gre remote 200.210.11.130 local 200.210.12.9 ttl 255
ip addr add 1.1.1.2/24 dev mynet
ifconfig mynet up
route add -net 1.1.1.0 netmask 255.255.255.0 dev mynet


From here, I already can ping the router via 1.1.1.1 :)

So, I created the policy:

Cisco:

conf t
access-list 120 permit ip any any
route-map teste
match ip address 120
set ip next-hop 1.1.1.2
exit
int eth0
ip policy route-map teste
exit


Linux:

ip ru add from 1.1.1.1 lookup 4
ip ro add 0.0.0.0/0 via 1.1.1.2 table 4

Well, if I run a packet analyzer like Ethereal, I can
see that the traffic from GRE is arriving at my Linux
box:


Frame 1 (84 bytes on wire, 84 bytes captured)
Arrival Time: Jul 26, 2005 21:45:10.079848000
Time delta from previous packet: 0.000000000 seconds
Time since reference or first frame: 0.000000000 seconds
Frame Number: 1
Packet Length: 84 bytes
Capture Length: 84 bytes
Protocols in frame: sll:ip:udp:dns
Linux cooked capture
Packet type: Unicast to us (0)
Link-layer address type: 778
Link-layer address length: 0
Source: <MISSING>
Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.210.11.130 (200.210.11.130), Dst Addr: 200.246.179.124 (200.246.179.124)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 68
Identification: 0x1d22 (7458)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 63
Protocol: UDP (0x11)
Header checksum: 0x5b95 (correct)
Source: 200.210.11.130 (200.210.11.130)
Destination: 200.246.179.124 (200.246.179.124)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: domain (53)
Source port: 32769 (32769)
Destination port: domain (53)
Length: 48
Checksum: 0xc6a6 (correct)
Domain Name System (query)
Transaction ID: 0xe6d7
Flags: 0x0010 (Standard query)
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...1 .... = Non-authenticated data OK: Non-authenticated data is acceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
anba.com.br: type ANY, class IN
Name: anba.com.br
Type: ANY (Request for all records)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (EDNS0 option)
UDP payload size: 2048
Higher bits in extended RCODE: 0x0
EDNS0 version: 0
Z: 0x0
Data length: 0

0000 00 00 03 0a 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010 45 00 00 44 1d 22 40 00 3f 11 5b 95 c8 fc 7d 82   E..D."@.?.[...}.
0020 c8 f6 b3 7c 80 01 00 35 00 30 c6 a6 e6 d7 00 10   ...|...5.0......
0030 00 01 00 00 00 00 00 01 04 61 6e 62 61 03 63 6f   .........anba.co
0040 6d 02 62 72 00 00 ff 00 01 00 00 29 08 00 00 00   m.br.......)....
0050 00 00 00 00                                       ....


Well, here I have some doubts:

1 - I noticed that Ethereal detected the protocol as
"Protocols in frame: SSL:ip:udp:dns", shouldn't it be
GRE? The source is "Source: <MISSING>", is that normal
(I'm not familiar with this Linux cooked capture)?

2 - Does this configuration redirect from CISCO to Linux
inbound, outbound or both? Can I make it redirect
both? :)


3 - How does GRE know it should be de-encapsulated and sent
to the Internet, or simply re-encapsulated and sent to the
other GRE point? Only via the rules? Or does it set any
special bit in the packet?

That's only curiosity; the problem is that the traffic
ISN'T going back to the Cisco. For example, this DNS query
(that comes from the CISCO internal network) arrives at
my linux box, but doesn't go to the Internet... :(

I was reading and saw that the Cisco router has an
"option" called reflect, which I THINK should do what I
need (but in Linux):


conf t
access-list 100 permit ip any any
route-map reflect
match ip address 100
set ip next-hop Original-IP-To-Back
exit
int tunnel0
ip policy route-map reflect
exit

Well, I don't have another CISCO to test it, and I want
to do it on Linux. How can I reflect the traffic
(send the traffic back to the Cisco router) from Linux?


ps: Well, if there is some way to copy all traffic of a cisco to another
machine on the Internet, that could solve it. Something like the traffic mirror in
the Cisco switch. Is someone aware of one?

Thanks,

Regards,


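On question 1 and question 3 above: the link-layer address type 778 in the capture is ARPHRD_IPGRE, the type Linux assigns to a GRE tunnel device, so the frame was captured on the tunnel interface after the kernel had already stripped the outer IP and GRE headers (which is why Ethereal shows sll:ip:udp:dns and a cooked header with no hardware address). The following is an added example, not code from the thread: it parses the post's own 84-byte frame, rebuilds the GRE wrapper a plain "tunnel mode gre ip" endpoint would put around it on the wire, and strips it again the way the receiving kernel does; the outer addresses are the eth0 addresses from the post, and the outer IP id is a constructed value.

```python
import struct
import socket

# The 84-byte frame from the post's Ethereal hex dump (Linux "cooked" capture).
SLL_FRAME = bytes.fromhex(
    "0000030a000000000000000000000800450000441d2240003f115b95c8fc7d82"
    "c8f6b37c800100350030c6a6e6d70010000100000000000104616e626103636f"
    "6d0262720000ff00010000290800000000000000")
ARPHRD_IPGRE = 778                            # hatype of a Linux GRE tunnel device
GRE_C, GRE_K, GRE_S = 0x8000, 0x2000, 0x1000  # RFC 2784/2890 option flags

def parse_sll(frame):
    """Linux cooked header: pkttype, hatype, halen, 8-byte address, protocol."""
    pkttype, hatype, halen, _addr, proto = struct.unpack("!HHH8sH", frame[:16])
    return {"pkttype": pkttype, "hatype": hatype, "halen": halen,
            "proto": proto, "payload": frame[16:]}

def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def gre_encapsulate(outer_src, outer_dst, inner, ttl=255):
    """What a plain 'tunnel mode gre ip' endpoint puts on the wire: outer IPv4
    (protocol 47) + a 4-byte GRE header with no checksum/key/sequence options."""
    gre = struct.pack("!HH", 0, 0x0800)        # flags/version 0, payload = IPv4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner),
                      0x1234, 0, ttl, 47, 0,  # 0x1234 = constructed IP id
                      socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + gre + inner

def gre_decapsulate(packet):
    """Receiver side: strip outer IPv4 and GRE, return (protocol type, payload).
    GRE carries no 'send it back' bit: the protocol type only says how to hand
    the payload up (0x0800 = IPv4); ordinary routing then decides where it goes."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 47:
        raise ValueError("outer protocol is not GRE")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    glen = 4 + sum(4 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    return proto, packet[ihl + glen:]

if __name__ == "__main__":
    sll = parse_sll(SLL_FRAME)
    wire = gre_encapsulate("200.210.11.130", "200.210.12.9", sll["payload"])
    print("tunnel device:", sll["hatype"] == ARPHRD_IPGRE,
          "round trip ok:", gre_decapsulate(wire)[1] == sll["payload"])
```

The decapsulated payload is byte-for-byte the inner DNS packet the capture shows, which is all the snort box ever sees on the tunnel device; what happens to it next is decided only by the box's routing tables.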

Posted by rave on August 1, 2005, 4:13 pm


GRE is a routing technology.
If you need only specific traffic to go to the remote linux box then
add a specific route to the tunnel interface.
Because of the route-map teste which has match address 120 you are sending
all traffic to the linux box.

Try adding something specific on the router.


