GRE & Policy Routing

Hi,

First of all, sorry for the inconvenience! I'm configuring (testing) GRE with Cisco and Linux. I found some posts in the archive/Google, but I failed, so I'm asking you for help, since I've been searching for a long time with no solution. :( If some of you could help me. :)

For my test I'm using a Cisco router with the following:

eth0 - 200.210.11.130
tunnel - 1.1.1.1

---------------------------------------------------

Linux:

eth0 - 200.210.12.9
tunnel - 1.1.1.2

I want to create a GRE tunnel from the Cisco router to my Linux box, which is running a NIDS (Snort). The idea is:

| Internet |---| Cisco | --GRE--> | Linux-with-Snort-to-Analyze-The-Traffic | ---|
                  |                                                              |
                  |____________________________GRE_______________________________|

Well, I think I created the GRE from the Cisco to Linux correctly (at least, it appears to work).

Cisco:

conf t
 int tunnel 0
  ip address 1.1.1.1 255.255.255.0
  tunnel source eth0
  tunnel dest 200.210.12.9
  tunnel mode gre ip
 exit

Linux (all firewall rules allow the Cisco):

modprobe ip_gre
iptunnel add mynet mode gre remote 200.210.11.130 local 200.210.12.9 ttl 255
ip addr add 1.1.1.2/24 dev mynet
ifconfig mynet up
route add -net 1.1.1.0 netmask 255.255.255.0 dev mynet

From here, I can already ping the router via 1.1.1.1

:)

So, I created the policy:

Cisco:

conf t
 access-list 120 permit ip any any
 route-map teste
  match ip address 120
  set ip next-hop 1.1.1.2
 exit
 int eth0
  ip policy route-map teste
 exit

Linux:

ip ru add from 1.1.1.1 lookup 4
ip ro add 0.0.0.0/0 via 1.1.1.2 table 4

Well, if I run a packet analyzer like Ethereal, I can see that the traffic from the GRE is arriving at my Linux box:

Frame 1 (84 bytes on wire, 84 bytes captured)
    Arrival Time: Jul 26, 2005 21:45:10.079848000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 84 bytes
    Capture Length: 84 bytes
    Protocols in frame: sll:ip:udp:dns
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 778
    Link-layer address length: 0
    Source:
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: 200.210.11.130 (200.210.11.130), Dst Addr: 200.246.179.124 (200.246.179.124)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 68
    Identification: 0x1d22 (7458)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 63
    Protocol: UDP (0x11)
    Header checksum: 0x5b95 (correct)
    Source: 200.210.11.130 (200.210.11.130)
    Destination: 200.246.179.124 (200.246.179.124)
User Datagram Protocol, Src Port: 32769 (32769), Dst Port: domain (53)
    Source port: 32769 (32769)
    Destination port: domain (53)
    Length: 48
    Checksum: 0xc6a6 (correct)
Domain Name System (query)
    Transaction ID: 0xe6d7
    Flags: 0x0010 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...0 .... .... = Recursion desired: Don't do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...1 .... = Non-authenticated data OK: Non-authenticated data is acceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 1
    Queries
        anba.com.br: type ANY, class IN
            Name: anba.com.br
            Type: ANY (Request for all records)
            Class: IN (0x0001)
    Additional records
        : type OPT
            Name:
            Type: OPT (EDNS0 option)
            UDP payload size: 2048
            Higher bits in extended RCODE: 0x0
            EDNS0 version: 0
            Z: 0x0
            Data length: 0

0000  00 00 03 0a 00 00 00 00 00 00 00 00 00 00 08 00   ................
0010  45 00 00 44 1d 22 40 00 3f 11 5b 95 c8 fc 7d 82   E..D."@.?.[...}.
0020  c8 f6 b3 7c 80 01 00 35 00 30 c6 a6 e6 d7 00 10   ...|...5.0......
0030  00 01 00 00 00 00 00 01 04 61 6e 62 61 03 63 6f   .........anba.co
0040  6d 02 62 72 00 00 ff 00 01 00 00 29 08 00 00 00   m.br.......)....
0050  00 00 00 00                                       ....

Well, here I have some doubts:

1 - I noticed that Ethereal detected the protocol as "Protocols in frame: SSL:ip:udp:dns"; shouldn't it be GRE? The source is "Source: " (empty); is that normal (I'm not familiar with this Linux cooked capture)?

2 - Does this configuration redirect from the Cisco to Linux inbound, outbound or both? Can I make it redirect both? :)

3 - How does GRE know whether it should be de-encapsulated and sent to the Internet, or simply re-encapsulated and sent to another GRE endpoint? Only via the rules? Or does it set any special bit in the packet?

That's only curiosity; the problem is that the traffic ISN'T going back to the Cisco. For example, this DNS query (which comes from the Cisco's internal network) arrives at my Linux box, but doesn't go out to the Internet... :(

I was reading and saw that the Cisco router has an "option" called reflect, which I THINK should do what I need (but on Linux):

conf t
 access-list 100 permit ip any any
 route-map reflect
  match ip address 100
  set ip next-hop Original-IP-To-Back
 exit
 int tunnel0
  ip policy route-map reflect
 exit

Well, I don't have another Cisco to test it, and I want to do it on Linux. How can I reflect the traffic (send the traffic back to the Cisco router) from Linux?

PS: Well, if there is some way to copy all the traffic of a Cisco to another machine on the Internet, that would solve it. Something like the traffic mirror on a Cisco switch. Is anyone aware of one?

Thanks,

Regards,

Zgrp
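The Ethereal output and questions 1 and 3 above are about what GRE actually puts on the wire. The following Python is an added example, not code from the original post or from the Cisco or Linux GRE implementations. It takes the 84 bytes of the hex dump above (cooked-capture header plus the DNS query) as the inner packet, wraps it the way the tunnel configured above would (outer IPv4 from 200.210.11.130 to 200.210.12.9, protocol 47, a plain GRE header with no key or checksum, which is assumed to be what "tunnel mode gre ip" sends by default), and then models what the receiving endpoint does with it. Two things it makes visible: the link-layer type 778 in the cooked header is ARPHRD_IPGRE, meaning the capture was taken on the tunnel device after decapsulation, which is why the frame decodes as ip:udp:dns with no GRE layer; and the GRE header carries only flag bits (checksum, key, sequence), a version and a protocol type, so whether a packet is decapsulated or forwarded depends on routing (protocol 47 addressed to a local tunnel endpoint), never on a bit inside the packet. One caveat: the source octets in the hex dump (c8 fc 7d 82) decode to 200.252.125.130 rather than the 200.210.11.130 shown in the text decode, and the example uses the bytes as given, so the IP checksum verifies.

```python
import socket
import struct

# Added example, not code from the original post. Models GRE encapsulation at the
# Cisco and decapsulation at the Linux endpoint for the tunnel configured above.
# Assumes plain GRE (no key/checksum/sequence), Cisco's default for "tunnel mode gre ip".

GRE_IP_PROTO = 47      # IP protocol number of the outer header
ETH_P_IP = 0x0800      # GRE protocol type for an IPv4 payload
ARPHRD_IPGRE = 778     # Linux link-layer type of a GRE tunnel device (linux/if_arp.h)

# Constructed from the hex dump in the post: 16-byte Linux "cooked" (SLL) header
# followed by the 68-byte IPv4/UDP/DNS packet as captured on the tunnel device.
SLL_FRAME = bytes.fromhex(
    "0000030a000000000000000000000800"
    "450000441d2240003f115b95c8fc7d82"
    "c8f6b37c800100350030c6a6e6d70010"
    "000100000000000104616e626103636f"
    "6d0262720000ff000100002908000000"
    "00000000"
)


def parse_sll(frame):
    """Cooked header: packet type, ARPHRD type, address length, 8 address bytes, protocol."""
    pkt_type, hatype, halen = struct.unpack("!HHH", frame[:6])
    proto = struct.unpack("!H", frame[14:16])[0]
    return {"packet_type": pkt_type, "hatype": hatype, "halen": halen,
            "proto": proto, "payload": frame[16:]}


def ip_checksum(header):
    """RFC 1071 ones'-complement sum; yields 0 over a header whose checksum is already right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf):
    fields = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = fields
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "total_length": total_len, "checksum_ok": ip_checksum(buf[:ihl]) == 0,
            "payload": buf[ihl:total_len]}


def build_ipv4(src, dst, proto, payload, ttl=255):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill checksum
    return hdr + payload


def build_gre(payload, proto=ETH_P_IP, key=None):
    """4-byte base GRE header (flags/version, protocol type) plus the optional key field."""
    flags = 0x2000 if key is not None else 0                           # K bit
    optional = struct.pack("!I", key) if key is not None else b""
    return struct.pack("!HH", flags, proto) + optional + payload


def parse_gre(buf):
    flags_ver, proto = struct.unpack("!HH", buf[:4])
    off, csum, key, seq = 4, None, None, None
    if flags_ver & 0x8000:                        # C: checksum + reserved1
        csum = struct.unpack("!H", buf[off:off + 2])[0]
        off += 4
    if flags_ver & 0x2000:                        # K: key
        key = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if flags_ver & 0x1000:                        # S: sequence number
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    return {"version": flags_ver & 0x7, "proto": proto, "checksum": csum,
            "key": key, "seq": seq, "payload": buf[off:]}


def encapsulate(inner, tunnel_src, tunnel_dst, key=None):
    """What the tunnel source sends: outer IPv4 (proto 47) around GRE around the packet."""
    return build_ipv4(tunnel_src, tunnel_dst, GRE_IP_PROTO, build_gre(inner, key=key))


def receive(packet, local_endpoints):
    """What a host does with an arriving IPv4 packet. GRE has no 'decapsulate me' bit:
    the packet is decapsulated only if it is protocol 47 addressed to one of this host's
    tunnel endpoint addresses; anything else is routed onwards (returned unchanged)."""
    ip = parse_ipv4(packet)
    if not ip["checksum_ok"]:
        return "drop", None
    if ip["proto"] == GRE_IP_PROTO and ip["dst"] in local_endpoints:
        gre = parse_gre(ip["payload"])
        if gre["proto"] != ETH_P_IP:              # only IPv4-in-GRE is handled here
            return "drop", None
        return "decapsulate", gre["payload"]
    return "forward", packet


def udp_ports(ip_payload):
    return struct.unpack("!HH", ip_payload[:4])


if __name__ == "__main__":
    sll = parse_sll(SLL_FRAME)
    print("captured on link type", sll["hatype"], "= ARPHRD_IPGRE" if sll["hatype"] == ARPHRD_IPGRE else "")
    inner = sll["payload"]
    wire = encapsulate(inner, "200.210.11.130", "200.210.12.9")
    print("on the wire from the Cisco:", len(wire), "bytes, outer proto", parse_ipv4(wire)["proto"])
    action, payload = receive(wire, {"200.210.12.9"})
    print("at the Linux endpoint:", action, parse_ipv4(payload)["dst"], udp_ports(parse_ipv4(payload)["payload"]))
```

Running it shows the 68-byte query becoming a 92-byte protocol-47 packet on the wire and coming back out unchanged at the endpoint; swapping the set of local endpoint addresses for one that does not contain 200.210.12.9 makes the same packet a plain forwarded packet, which is the whole of the "decapsulate or re-route" decision the third question asks about.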

GRE is a routing technology. If you need only specific traffic to go to the remote Linux box, then add a specific route to the tunnel interface. Because of the route-map teste, which has match address 120, you are sending all traffic to the Linux box.

Try adding something specific on the router.

rave
