06-11-2007 07:08 AM - edited 03-05-2019 04:37 PM
We are using the VPN SPA on our 6509 to create and terminate the IPSec/GRE tunnels and we want to direct all traffic coming out of the GRE tunnels to go to a specific Ethernet port. This port on the 6509 then connects to an external Cisco AS5540 firewall where we want to analyze the traffic, then send it back to the 6509 through another Ethernet port to finally reach our internal users.
I've been looking at VACLs or PBR to do this, but I still can't see how to forward the packets from the tunnel interfaces to an Ethernet port or VLAN.
Any suggestions?
Thanks.
06-11-2007 12:27 PM
Hi,
I believe if your FW has an IP you could use the set ip next-hop.
! ACL 1 matches a single host; ACL 2 matches everything else
access-list 1 permit 209.165.200.225
access-list 2 permit any
!
! PBR is applied to traffic arriving on (decapsulated from) the tunnel
interface Tunnel0
 ip policy route-map analyze
!
! "match protocol" is not a route-map option; match the host ACL instead
route-map analyze permit 10
 match ip address 1
 set ip next-hop 209.165.200.228
!
! "default next-hop" is used only when the routing table has no route
route-map analyze permit 20
 match ip address 2
 set ip default next-hop 209.165.200.229
When configuring PBR, follow these guidelines and restrictions:
- The PFC provides hardware support for PBR configured on a tunnel interface.
- The PFC does not provide hardware support for PBR configured with the set ip next-hop keywords if the next hop is a tunnel interface.
- If the MSFC address falls within the range of a PBR ACL, traffic addressed to the MSFC is policy routed in hardware instead of being forwarded to the MSFC. To prevent policy routing of traffic addressed to the MSFC, configure PBR ACLs to deny traffic addressed to the MSFC.
- Any options in Cisco IOS ACLs that provide filtering in a PBR route-map that would cause flows to be sent to the MSFC to be switched in software are ignored. For example, logging is not supported in ACEs in Cisco IOS ACLs that provide filtering in PBR route-maps.
See:
BR,
Bjornarsb
06-12-2007 09:38 AM
Thanks. I was undecided whether I should do PBR or VACLs, but I think your suggestion makes more sense since it gives me additional choice over which packets to forward.
I'll try it out.
06-13-2007 11:22 AM
I don't know if I understood this correctly. It seems that this solution takes care of directing the packets to go into the firewall. How do I then direct the packets that come out of the firewall back to the 6509 to be routed to their final destination?
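As an added worked configuration that is not from any poster in this thread, with assumed addresses and VLAN numbers: the route-map on Tunnel0 hands decapsulated traffic to the firewall, and the firewall's return leg lands on an SVI that carries no route-map, so the 6509 simply routes it to the users; the same pattern is repeated for the users-to-remote direction so the firewall sees both halves of every flow. The deny entries keep traffic addressed to the 6509 itself out of PBR, per the MSFC restriction quoted above.

```cisco
! Added example (not from this thread); assumed addressing:
!   Vlan100 10.0.100.0/24  6509 SVI .1, firewall outside .2
!   Vlan200 10.0.200.0/24  6509 SVI .1, firewall inside  .2
!   Vlan10  10.1.0.0/16    internal users, 6509 SVI 10.1.0.1
!   Tunnel0 carries the remote networks 192.168.0.0/16
ip route 192.168.0.0 255.255.0.0 Tunnel0
!
! Inbound leg: everything decapsulated from the tunnel is handed to the
! firewall's outside interface. The 6509's own addresses are denied so that
! traffic is not policy routed (PBR restriction on MSFC-addressed traffic).
ip access-list extended FROM-TUNNEL
 deny   ip any host 10.0.100.1
 deny   ip any host 10.0.200.1
 deny   ip any host 10.1.0.1
 permit ip any any
!
route-map TO-FW-OUTSIDE permit 10
 match ip address FROM-TUNNEL
 set ip next-hop 10.0.100.2
!
interface Tunnel0
 ip policy route-map TO-FW-OUTSIDE
!
! Return leg: no route-map on the firewall-facing SVIs, so whatever the
! firewall sends back is routed by the normal routing table (users via
! Vlan10, remote networks via Tunnel0). This is what keeps PBR loop-free.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
!
interface Vlan200
 ip address 10.0.200.1 255.255.255.0
!
! Reverse direction (users -> remote sites): policy route it to the
! firewall's inside interface so the firewall sees both halves of a flow.
ip access-list extended TO-REMOTE
 deny   ip any host 10.1.0.1
 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
!
route-map TO-FW-INSIDE permit 10
 match ip address TO-REMOTE
 set ip next-hop 10.0.200.2
!
interface Vlan10
 ip address 10.1.0.1 255.255.0.0
 ip policy route-map TO-FW-INSIDE
!
! The firewall needs routes of its own: 192.168.0.0/16 via 10.0.100.1
! (outside) and 10.1.0.0/16 via 10.0.200.1 (inside).
```

Verify with "show route-map" (policy-routed packet counters) and "show ip policy" on the 6509, and confirm on the firewall that each flow is seen once on the outside and once on the inside interface.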