Solved: Re: Catalyst 9200L 17.3.6 GRE tunnel build issues

netgn · ‎05-01-2025

We have a remote location that has no firewall and have a need to tunnel some traffic back to our corporate firewall. Looking at the 9200L switch we have, its capable of running VRF-lite and GRE tunneling. We have successfully created the VRF and GRE tunnel with below settings. The tunnel is in fact up, we can ping between the tunnel end points ok. We can also ping the Internet sourcing from vlan 400 ip 10.10.10.254. However anything in vlan 400 behind svi 400 cannot ping out to the Internet. Devices can ping their default gateway 10.10.10.254 just fine. What am I missing here? Also, on the firewall back at corp, we see no traffic flows for any traffic except for 10.10.10.254.

ARP, DHCP Bindings, and mac addresses all show devices in the right vlan, and right VRF.

!

Interface vlan 400

vrf forwarding isolated-vlan

ip address 10.10.10.254 255.255.255.0

no ip redirects

no autostate

!

Tunnel100

vrf forwarding isolated-vlan

ip address 192.168.10.1 255.255.255.252

tunnel source loopback100

tunnel destination 100.100.100.2

!

interface loopback 100

ip address 100.100.100.1

netgn · ‎05-02-2025

Super frustrated by this one but figured it out. Turns out 'ip routing' was not enabled on the 9200 switch which is why the l2 path worked ok from svi to tunnel but anything behind svi that was routed got dropped. What really threw me off was the show ip route and show ip route vrf commands showed a routing table. So I thought ip routing was on. Turns out that was my lynchpin. Got me again Cisco!!

View solution in original post

Joseph W. Doherty · ‎05-01-2025

Insufficient information, because the whole point of a VRF is L3 isolation, much like a L2 VLAN, in concept. How is this VRF supposed to interact with L3 external to it?

netgn · ‎05-01-2025

Joseph,

Im trying to accomplish isolation of a vlan in its own VRF that will route across the GRE tunnel in the same VRF back to the corporate location. Im not sure I understand your question however. If the vlan SVI and GRE tunnel are in the same VRF wouldn't that be the L3 path? I want all source destination traffic for the vlan SVI in the isolated VRF to stay there.

User Traffic --> Vlan 400 (isolated-vrf) ---> GRE tunnel to Corporate (isolated-vrf) ---> Firewall at Corporate (not vrf aware)

Unless Im missing something here shouldn't this work? Or are you saying the firewall at corporate has to be aware of my vrf configuration for traffic to pass properly?

Im using the tunnel source and destination (loopbacks) from global routing table to get the encapsulated traffic over to corporate firewall. The tunnel is up, we can ping across the tunnel fine, its just anything behind the 9200L cant ping anything at corporate but sourcing from the SVI on the 9200L we can.

Joseph W. Doherty · ‎05-01-2025

Thank you, that does help provide clarity.

What's still unclear, what's the other side of the tunnel, i.e. corporate side. I mean, you have a VRF subnet, at both remote and corporate sides, and you route between them? On the corporate side, how do you route between corporate VRF subnet and FW?

In practice, I've seen VRFs used for security to isolate sections of a corporate subnet such that you need to transit a FW to get to another security section. What VRFs allow, much like VLANs, same devices can be hosting the different VRFs, so even though networks are physically using the same hardware, some networks cannot communicate with other unless they transit a FW.

netgn · ‎05-02-2025

The other side of the GRE tunnel is a Palo Firewall. All I want to accomplish is creating a virtual routing instance on the 9200L that takes vlan 400 traffic and tunnels it across the GRE to the Palo Firewall. It will only be default route traffic.

MHM Cisco World · ‎05-02-2025

Other side use GRE abd it is palo' and you are sure LO is ping from both side.

The last think still need is open GRE port in palo.

MHM

Joseph W. Doherty · ‎05-02-2025

ip route vrf isolated-vlan 0.0.0.0 0.0.0.0 192.168.10.2

The FW will need to know to route to 10.10.10.0/24 via the tunnel.

MHM Cisco World · ‎05-01-2025

You use LO as source and destiantion are you sure the LO is pingable

MHM

netgn · ‎05-01-2025

Yes can do that no issue. That traffic passes.

netgn · ‎05-02-2025

Super frustrated by this one but figured it out. Turns out 'ip routing' was not enabled on the 9200 switch which is why the l2 path worked ok from svi to tunnel but anything behind svi that was routed got dropped. What really threw me off was the show ip route and show ip route vrf commands showed a routing table. So I thought ip routing was on. Turns out that was my lynchpin. Got me again Cisco!!

Joseph W. Doherty · ‎05-02-2025

@netgn wrote:

Super frustrated by this one but figured it out. Turns out 'ip routing' was not enabled on the 9200 switch which is why the l2 path worked ok from svi to tunnel but anything behind svi that was routed got dropped. What really threw me off was the show ip route and show ip route vrf commands showed a routing table. So I thought ip routing was on. Turns out that was my lynchpin. Got me again Cisco!!

Ouch! Yea, that would be problematic, especially to transit the subnet.(?) (Did you have something configured to route across the tunnel subnet?)

Often low end switches, I recall, default to IP routing not being enabled. (Conversely, I recall, some large L3 switches wouldn't allow IP routing to be disabled.)

Thank you for the follow up.

netgn · ‎05-05-2025

You bet and thanks for helping.