Re: GRE access-list

From: Chuck Church (cchurch@optonline.net)
Date: Sun Dec 15 2002 - 12:28:29 GMT-3

• Next message: rehan u nedaria: "Mulicast Basic"
• Previous message: Doug Calton: "Re: Multicast Test software"
• Maybe in reply to: Hung, Sing-Yu: "GRE access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Bradford,

    The tunnel interfaces rely on GRE being able to flow in both
directions.Since you're blocking it, I think the tunnel interfaces might be
bouncing, so R13 might be seeing the tunnel subnet though an IGP, and
sending some packets to it unencapsulated. R3 then replies to those
unencapsulated ones with it's non-tunnel address. Debug IP or ICMP to
verify this. HTH.

Chuck Church
CCIE #8776, MCNE, MCSE

----- Original Message -----
From: "Hung, Sing-Yu" <Sing-Yu.Hung@pccw.com>
To: <ccielab@groupstudy.com>
Sent: Sunday, December 15, 2002 4:37 AM
Subject: GRE access-list

> Dear,
>
> I have a tunnal between R3 and R13, can anyone tell me how to deny
> gre protocols but ip protocols on R3 e0?
>
> r3#sh run int e0
> Building configuration...
>
> Current configuration : 157 bytes
> !
> interface Ethernet0
> ip address 172.16.135.3 255.255.255.240
> ip access-group 136 in
> ip pim sparse-dense-mode
> no ip route-cache
> no ip mroute-cache
> end
>
> r3#sh run int tu 3
> Building configuration...
>
> Current configuration : 122 bytes
> !
> interface Tunnel3
> ip address 192.16.133.3 255.255.255.0
> tunnel source 172.16.3.1
> tunnel destination 172.16.13.1
> end
>
> r3#sl 136
> Extended IP access list 136
> deny gre any any (63 matches)
> permit ip any any (172 matches)
>
> ----------------------------------------------------------------------
> r13#p 192.16.133.3
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 192.16.133.3, timeout is 2 seconds:
> !.!.! <--------------------------------" why ? "
> Success rate is 60 percent (3/5), round-trip min/avg/max = 16/16/16 ms
>
> r13#p 172.16.3.1
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 172.16.3.1, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/16 ms
>
> r13#sh run int e3/1
> Building configuration...
>
> Current configuration : 147 bytes
> !
> interface Ethernet3/1
> ip address 172.16.134.13 255.255.255.0
> ip pim sparse-dense-mode
> no ip route-cache
> no ip mroute-cache
> half-duplex
> end
>
> r13#sh run int tu 3
> Building configuration...
>
> Current configuration : 162 bytes
> !
> interface Tunnel3
> ip address 192.16.133.13 255.255.255.0
> no ip route-cache
> no ip mroute-cache
> tunnel source 172.16.13.1
> tunnel destination 172.16.3.1
> end
>
>
>
>
> Bradford Hung
>
> Pacific Century CyberWorks
> Tel: 288 33125
> .
.

• Next message: rehan u nedaria: "Mulicast Basic"
• Previous message: Doug Calton: "Re: Multicast Test software"
• Maybe in reply to: Hung, Sing-Yu: "GRE access-list"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Fri Jan 17 2003 - 17:21:46 GMT-3