GRE tunnelling to connect isolated networks

jim.brown
Level 1

I have a vendor who has installed an "isolated" (not connected to me) network at 2 of my sites which are connected to my WAN. He wants the application that runs on each of these networks to be accessible from each site. In most situations, I could just connect him to my network and route between these isolated networks. However, his application strictly uses broadcasts and is not routable. My question is: can I connect him to me and then use a GRE tunnel to create a "local" connection between these 2 networks and allow him to access his application at either facility from either facility? The app uses UDP. Hope this was clear enough.

thanks

4 Replies

thisisshanky
Level 11

Probably it would be much better to use encryption on the GRE tunnel to prevent any access on to your network, even though the traffic rides your network.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Richard Burts
Hall of Fame

Jim

There are a couple of things about your question that I do not understand very well. You say that this vendor has installed several isolated networks at two of your sites. I am not clear if it really is a network (several machines and several independent IP addresses) or if they have installed a host running some application at each site.

You say that the vendor wants the application that runs on each network to be accessible from each site. I am not clear if the vendor needs to be able to access each application at either site, or if they want resources within your network to be able to access the application.

When you talk about using a GRE tunnel to create a local connection it sounds like you may be thinking a bridging solution. The last time I checked bridging was not a supported usage over GRE. (It might or might not pass the bridged data, but do not ask for help if you ever have a problem with it.)

If the thing that prevents routing the data is the fact that it uses UDP broadcasts, then I wonder if using ip helper-address and ip forward-protocol (to get the particular UDP ports that the application uses to the helper address) would be a solution that would allow you to connect them to the network and route their traffic.

HTH

Rick


Thanks for the reply. There is an isolated network at each site. It is an Ethernet network, not just a single host. They do not want resources within my network to access the application; only devices on the isolated network at each site will need to access the application at the remote site.

I am not necessarily thinking about bridging, I am just wondering if the broadcast udp packets will be able to be seen across the GRE tunnel.

Thanks

Jim

One of the characteristics of routers and layer three switches (on their routed interfaces) is that they do not forward broadcasts. Forwarding of broadcasts is typical at layer 2 and not at layer 3. So when you talked about forwarding broadcasts from one network to another I thought that you were proposing a bridged solution.

As I said in my first post I believe that you should consider the possibility of using ip helper-address. Helper-address provides an exception to the rule that broadcasts are not forwarded from one network to another. With helper-address the router will recognize broadcasts on certain UDP ports, and will copy the broadcast and forward it to addresses on a remote network.

There is a group of UDP broadcasts that are forwarded by helper-address by default. You can add other UDP ports to the list using the ip forward-protocol command.

I believe that this approach is most likely to give you the functionality that you need.

Another suggestion I have is to ask the vendor how this has been implemented in other sites. They probably have run into this situation at other customer sites and they may be able to identify a solution that works for them at other customer sites.

HTH

Rick

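Putting the two suggestions in this thread together, here is a constructed IOS configuration for the site A router that is not from any post above: it protects the GRE tunnel with IPsec (Sankar's point), relays only the application's UDP broadcasts across it with ip helper-address and ip forward-protocol (Rick's point), and fences the vendor segment off from the rest of the WAN. Every address, interface name, ACL number and the application port (UDP 5000) is an assumption chosen for illustration; the site B router mirrors this configuration with the addresses swapped. Note that the broadcasts are delivered to the remote segment as a directed broadcast, which IOS drops by default because of its history as an amplification vector, so it is re-enabled here only for the application port and only from the peer vendor subnet.

```cisco
! Site A router (R1). Constructed example, not from the thread.
! Assumed addressing:
!   Tunnel endpoint (routable WAN address)   10.0.0.1   (R2: 10.0.0.2)
!   Vendor isolated LAN, site A              192.168.10.0/24  (site B: 192.168.20.0/24)
!   Tunnel0                                  172.16.0.1/30    (R2: 172.16.0.2/30)
!   Vendor application port                  UDP 5000 (assumed; use the real port)
!
! --- IPsec protection for the GRE tunnel ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <strong-psk> address 10.0.0.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROF
 set transform-set GRE-TS
!
! --- Point-to-point GRE tunnel between the two vendor segments ---
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROF
!
! Only the remote vendor subnet is reachable through the tunnel
ip route 192.168.20.0 255.255.255.0 Tunnel0
!
! --- Keep the vendor segment off the corporate network ---
! Allow the application's unicast and broadcast traffic toward the peer
! segment; everything else from the vendor LAN is dropped and logged.
ip access-list extended VENDOR-IN
 permit udp 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255 eq 5000
 permit udp 192.168.10.0 0.0.0.255 host 255.255.255.255 eq 5000
 permit udp 192.168.10.0 0.0.0.255 host 192.168.10.255 eq 5000
 deny   ip any any log
!
! --- Relay only the application's UDP broadcasts ---
! Add the vendor port and remove the ports helper-address forwards by
! default (TFTP 69, DNS 53, time 37, TACACS 49, BOOTP 67/68, NetBIOS 137/138)
ip forward-protocol udp 5000
no ip forward-protocol udp 69
no ip forward-protocol udp 53
no ip forward-protocol udp 37
no ip forward-protocol udp 49
no ip forward-protocol udp 67
no ip forward-protocol udp 68
no ip forward-protocol udp 137
no ip forward-protocol udp 138
!
interface GigabitEthernet0/1
 description Vendor isolated network, site A
 ip address 192.168.10.1 255.255.255.0
 ip access-group VENDOR-IN in
 ! Re-address UDP/5000 broadcasts heard here to the remote segment's
 ! directed broadcast address so every host at site B receives them
 ip helper-address 192.168.20.255
 ! Receiving side: let broadcasts arriving from site B out onto this
 ! segment, but only those matching ACL 110
 ip directed-broadcast 110
!
access-list 110 permit udp 192.168.20.0 0.0.0.255 host 192.168.10.255 eq 5000
```

If the application at each site is really a single server rather than a set of hosts that all have to hear the broadcast, point ip helper-address at that server's unicast address instead and drop the ip directed-broadcast line entirely, which removes the amplification surface altogether. Either way the relay only works if the application is happy receiving the packet with a rewritten destination address; an application that embeds the original broadcast address in its payload, or that relies on non-IP layer 2 broadcasts, will still need the vendor's own answer that Rick suggests asking for.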