Traceroute and GRE tunnel

martinkluge · ‎10-10-2005

Hi,

I have a small problem. I setup a GRE tunnel with "tunnel source dialer 1" (dynamic IP of the dialer interface). The tunnel comes up fine (I use NHRP for next-hop tracking), but the problem is the traceroute. I don't want the IP of the dialer interface shown up in the trace, but the IP of my internal ethernet device (official ip, network's routed over the tun int). Is this possible?

Thank you!

Richard Burts · ‎10-10-2005

Martin

If the router generates a response packet to traceroute it will use as the source address the address of the outbound interface. There are configuration commands to set the source address for some things (like tftp, or syslog, or TACACS, and others) but I am not aware of any way to change that behavior for traceroute.

I do not know how you have the tunnel cofigured, but if you were to configure on the tunnel interface ip unnumbered ethernet 0 (or whatever interface you want to use) instead of configuring a unique IP subnet for the tunnel, then the router would source the traceroute response with the IP of the ethernet interface.

HTH

Rick

HTH

Rick

martinkluge · ‎10-10-2005

Hi Rick,

thank you for your answer. Another possibility would be to block ICMP packets with a TTL of 1 (so the IP address of the dialer interface wouldn't show up in a traceroute), but I think cisco (extended) ACLs cannot match the ttl field.

Anyway, thank you for your answer.

Martin

Richard Burts · ‎10-10-2005

Martin

There are at least two problems with this solution. First, as you mention, there is not anything in the access list that can check for TTL values.

Second, not all traceroutes use ICMP. Traceroute from a Cisco router or from a Unix box (to name two examples) do traceroute with UDP packets not with ICMP.

So other than controlling the IP address assigned to the GRE tunnel interface, I am not sure that there is a good alternative for solving your issue.

HTH

Rick

HTH

Rick