cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
522
Views
0
Helpful
3
Replies

Tunneling multiple site problem

phamsyhungba
Level 1
Level 1

Hello everyone,

My company has multiple sites, so they have configured GRE tunnels between each other. But, I meet a problem that when I ping from site A(an example is host A) to a host in site B, in core switch of site B I have created an extended access-list that Permit IP of host A to host B and apply it to interface VLAN that contains host B, but it does not work, host A can't ping to host B.

I have done it on the same site with host B and it works.

By contrast, when I Permit the IP of the GRE tunnel to the host B, it worked, host A can ping to host B. I have checked the packet by Wireshark in host B and I see the packet from destination IP is IP of Interface tunnel(When I execute ping in host A). And other hosts still can ping to host B(Although I didn't permit them)

What problem? We know that the routing is working great and we can ping every host if we don't apply the access list.

3 Replies 3

pman
Spotlight
Spotlight

Hi,

 

Maybe you have not configured the ACL in the right direction?

Example:

Interface vlan 100

ip address 100.100.100.1 255.255.255.0

 

if you apply an ACL on the 'in' direction, the source must be within the 100.100.100.0 subnet while the destination can be anything.

If you apply an ACL in the 'out' direction, the source can be anything while the destination can be 'any' or 100.100.100.0

 

Hi,

I have applied access-list "in" direction to interface VLAN that contains host B.

 

#interface vlan 80

     ip access-group RD in

Maybe, but I did it with a host from site B and it worked, I have tried from other sites but host B still received packed from IP tunnel when I  execute ping from any host of another site, I tried to unapplied the access list and all of them can ping each other. I think the problem is from the IP tunnel.

About the theory of GRE I knew, the tunnel header will be unpacked when the traveled to other sites, according it, the IP which sends the packet to host B must be the IP of the host which executed ping, but in my scenario, it is the IP of the tunnel.

Review Cisco Networking for a $25 gift card