Exempt src and/or dst thru GRE tunnel

lhalca
Level 1

Hello,

This is my first time posting in this forum, so I hope I'm in the correct discussion area.

I am looking for guidance on how to:

#1. Exempt host(s) from filtering through the GRE tunnel?

#2. Only exempt host(s) from filtering through the GRE tunnel when the destination is a specific website? If possible?

I have the GRE tunnel up and running, and in order to exempt specific IPs I saw examples online to do it within the ACL, but it's not working for me.

Below, I'm trying to exempt the host 10.1.1.2.

Here's the ACL I have:

deny tcp host 10.1.1.2 any eq www
deny tcp host 10.1.1.2 any eq 443
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq 443

Then I tried doing it this way, but it still didn't work:

deny ip any host 10.1.1.2
permit tcp 10.1.1.0 0.0.0.255 any eq www
permit tcp 10.1.1.0 0.0.0.255 any eq 443

I'm trying different ways, but can't get past question #1, so I can't proceed to #2.

Is doing this in the ACL correct in the first place? Or is there another way within the GRE tunnel?

Any help would be appreciated!

Thank you,

lha

 

 

7 Replies 7

luis_cordova
VIP Alumni

Hi @lhalca,

Your ACLs look correct.
Maybe your problem lies in where you are applying the ACL and in what direction (in/out).

If it is a Packet Tracer exercise, I suggest you compress it so that you can attach it.
Then we could review and test with your current settings.

Regards

Richard Burts
Hall of Fame

I am not clear about what the real objective in the original post is. The post has as its first point "Exempt host(s) from filtering thru the GRE tunnel".

What does filtering mean? Does it mean simply not going through the GRE tunnel? Or does it mean something else?

And what does "exempt" mean? Does it mean that traffic matching the criteria should be dropped? Or does it mean that it should not go through the GRE tunnel but should be able to go some other way?

If exempt means dropping the traffic, then the approach suggested in the original post of implementing access lists is appropriate. If exempt means that it should not go through GRE but could go a different way, then something like Policy Based Routing would be the appropriate solution.

HTH

Rick

Hello,

Thank you for your replies. I apologize for not being clear. Just to give a little background and to answer your questions:

We have a web filtering service hosted in the cloud, so we established a GRE tunnel from our HQ to this web filtering service.

So to clarify more, for (#1) I want the specified host(s) to NOT go through the GRE tunnel, but they should be able to go through another way instead. Then for (#2) it is the same idea, but only when the host is hitting a specific website should it NOT go through the GRE tunnel but go another way.

Also, when I mention another way, I mean still going through the same interface that the GRE tunnel is configured on (if possible), because that is the main way out to the internet.

Hopefully this makes more sense! If not, I can provide the configs for the GRE if it helps!

Thanks in advance.

-LHA

LHA

Thank you for the clarification. It is important that we understand that traffic that is not selected to go through the GRE tunnel should be able to go out that physical interface and reach the destination. In that case the examples of configuring access lists are not the correct solution. That solution would drop the traffic and not allow it to go out the physical interface. I believe that the solution that you need will use Policy Based Routing. The function of PBR is to provide alternate paths to the normal routing table for certain destinations or for certain sources.

Am I correct in assuming that to reach the web filtering service you have configured the GRE tunnel and a static route that sends traffic to the web filtering service using the GRE tunnel? In that case the normal routing table says use GRE to reach the web filtering service, and you want to use PBR to send certain traffic a different way.

To implement PBR you first configure an access list that will identify traffic that should not use the GRE tunnel to reach the web filtering service. The ACL could match certain source addresses, certain destination addresses, or some combination of source addresses and destination addresses.

Once the ACL is configured, you configure a route map. The route map will use a match statement to use the ACL to identify traffic, and then a set statement to set ip next-hop as the next hop out the physical interface rather than the tunnel remote peer.

Once the route map is configured, you assign the route map to the interface where that traffic enters the router using the ip policy command. The traffic that enters the router with a destination of the web filtering service that matches the ACL will be forwarded out the physical interface (not the tunnel), and other traffic to the web filtering service will use the normal route through the GRE tunnel.

HTH

Rick
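The procedure Rick describes (ACL to select traffic, route map with match and set ip next-hop, ip policy on the inbound LAN interface), written out as an IOS configuration. This is an added example, not configuration from this thread, from Cisco, or from the original poster; the interface names, the physical next-hop address, the website address and the existing static route are all assumptions, and only the host 10.1.1.2 comes from the original post.

```cisco
! Added example: Policy Based Routing so selected traffic bypasses the GRE tunnel.
! Assumptions (not from the thread): GigabitEthernet0/0 is the inside LAN interface,
! GigabitEthernet0/1 is the physical internet interface with next hop 203.0.113.1
! (documentation address used as a placeholder), and Tunnel0 is the GRE tunnel to the
! cloud web-filtering service. Web traffic is assumed to reach the tunnel through an
! ordinary static route, for example:
!   ip route 0.0.0.0 0.0.0.0 Tunnel0
! PBR overrides that route only for packets that match the ACL; everything else keeps
! following the routing table into the tunnel, which is what Rick's last reply recommends.

! --- Question #1: exempt one host entirely ---
ip access-list extended PBR-BYPASS-HOST
 permit ip host 10.1.1.2 any

! --- Question #2: exempt the host only when it goes to one specific website ---
! 198.51.100.10 is a placeholder for the website's address. Keeping the ACL this tight
! means the host is still filtered for every other destination.
ip access-list extended PBR-BYPASS-HOST-TO-SITE
 permit tcp host 10.1.1.2 host 198.51.100.10 eq www
 permit tcp host 10.1.1.2 host 198.51.100.10 eq 443

! Route map: matching packets are sent to the physical next hop instead of the tunnel.
! Use sequence 10 for question #1 or sequence 20 for question #2 (both are shown).
! Packets that match no permit clause are not dropped; PBR simply lets them be routed
! normally, so they still go through the GRE tunnel.
route-map BYPASS-GRE permit 10
 match ip address PBR-BYPASS-HOST
 set ip next-hop 203.0.113.1
route-map BYPASS-GRE permit 20
 match ip address PBR-BYPASS-HOST-TO-SITE
 set ip next-hop 203.0.113.1

! Apply the policy on the interface where the LAN traffic ENTERS the router,
! not on the tunnel interface and not on the outside interface.
interface GigabitEthernet0/0
 ip policy route-map BYPASS-GRE

! Verification commands (run from privileged EXEC):
!   show route-map BYPASS-GRE   -> the match counters increase for bypassed packets
!   show ip policy              -> confirms which interface the route map is bound to
!   debug ip policy             -> per-packet PBR decisions (noisy on a busy router)
```

The bypassed packets leave via the same physical interface the tunnel rides on, which is what the original poster asked for; they just skip the GRE encapsulation and the filtering service behind it. Because the exemption removes the web filter for that host, the narrower destination-specific ACL is the safer default, and the route-map match counters are the quickest way to confirm that only the intended traffic is taking the bypass. If the website's address changes or spans many addresses, an address-based ACL cannot follow it, which is the limitation Sebastian raises below.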

Thanks Richard for the recommendation. It makes sense now.

So instead of routing traffic to the tunnel that's configured for the GRE, just create another route policy for the new ACL statements to forward out to the physical interface instead.

I'll try this and reply back if it works for me.

Thanks again.

-LHA

Hi LHA,

If the traffic redirection to the cloud-based web filtering is happening through browser-based proxy services, then using PBR matched on the basis of the site destination may not work, as the destination then seen is the proxy server. If this is the case, your PBR rule then has to match against NBAR classification. But keep in mind that NBAR can eat a lot of resources depending upon the total traffic being inspected.

Just my 2c.

-
Sebastian

LHA

I think there is a slight misunderstanding of my suggestion. It is possible to do as you mention and not have a route using the GRE tunnel as its next hop, and handle all of the traffic for that service using PBR. But that is a bit more complicated than what I suggested, which was to have a route in the routing table that would send normal traffic to the service, and to handle the traffic for the service which should use the physical interface using PBR.

HTH

Rick