From: David Clarkson (DaClarkson@symantec.com)
Date: Tue Sep 23 2003 - 01:42:00 GMT-3
Core Dist Acc
------------/ GRE Tunnel (DECNET, IP, IPX)
/-----------/-----------/ GRE Tunnel (DECNET, IP, IPX)
IDS------| /-----------/ GRE Tunnel (DECNET, IP, IPX)
/-----------/-----------/ GRE Tunnel (DECNET, IP, IPX)
------------/ GRE Tunnel (DECNET, IP, IPX)
The tunneling is providing multi protocol access between geographically
disparate access layer networks. Tunneling is across the IP only dist and
core layers. The IDS sits in on the core because placing them at the
access layer (before GRE) is cost prohibitive.
"Brian McGahan" <bmcgahan@internetworkexpert.com>
09/23/2003 02:01 PM
To: "'David Clarkson'" <DaClarkson@symantec.com>
cc: <ccielab@groupstudy.com>
Subject: RE: GRE access lists
Dave,
What does your topology look like (ascii plz), where does the
tunneling occur, and where does the IDS occur?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
-----Original Message-----
From: David Clarkson [mailto:DaClarkson@symantec.com]
Sent: Monday, September 22, 2003 10:44 PM
To: Brian McGahan
Cc: ccielab@groupstudy.com; 'Jonathan V Hays'
Subject: RE: GRE access lists
I am trying to apply security (CIDS) on the IP packets in the GRE, but
want to avoid the non-IP packets in the GRE as they seem to cause
problems.
Thx
Dave
"Brian McGahan" <bmcgahan@internetworkexpert.com>
09/23/2003 01:32 PM
To: "'Jonathan V Hays'" <jhays@jtan.com>, "'David Clarkson'" <DaClarkson@symantec.com>
cc: <ccielab@groupstudy.com>
Subject: RE: GRE access lists
David,
What exactly are you trying to accomplish?
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Jonathan V Hays
> Sent: Monday, September 22, 2003 10:02 PM
> To: 'David Clarkson'
> Cc: ccielab@groupstudy.com
> Subject: RE: GRE access lists
>
> Dave,
>
> RFC 2784 (GRE) does indicate that there is a Protocol Type field in the
> GRE packet header, which contains the payload's protocol type (using the
> RFC 1700 ETYPE number). So filtering or classifying based on the
> encapsulated protocol is theoretically possible.
>
> But other than providing the above information, I can't help much more.
> I don't see how a Cisco access-list can be used to access this field.
>
> See the following URL for a list of extended access-list fields:
>
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#1017448
>
> Perhaps there is some other way the IOS can access the GRE Protocol Type
> field?
>
> Anyone?
>
> Jonathan
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> David Clarkson
> Sent: Monday, September 22, 2003 10:38 PM
> To: Jonathan V Hays
> Cc: ccielab@groupstudy.com
> Subject: RE: GRE access lists
>
>
> I am trying to classify the encapsulated protocol so I can treat different
> encapsulated protocols differently within the same GRE tunnel.
>
> Regards,
> Dave
>
>
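The classification discussed in this thread (reading the GRE Protocol Type field to separate IP from DECNET and IPX payloads before inspection) can be sketched on the sensor side as follows. This is an added example, not code from any poster or from Cisco; the function names, the verdict strings and the sample packets are constructed for illustration, and the key and sequence fields handled here come from RFC 2890 rather than from the thread.

```python
import struct

GRE_IP_PROTO = 47  # IP protocol number carried in the outer IPv4 header for GRE
ETHERTYPES = {0x0800: "IPv4", 0x8137: "IPX", 0x6003: "DECnet"}

def gre_payload(ip_packet: bytes):
    """Return (protocol_type, payload) for GRE version 0 in IPv4, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    if ihl < 20 or ip_packet[9] != GRE_IP_PROTO or len(ip_packet) < ihl + 4:
        return None
    flags, proto = struct.unpack_from("!HH", ip_packet, ihl)
    if flags & 0x0007 or flags & 0x4000:
        return None  # non-zero version, or RFC 1701 routing data we do not walk
    offset = ihl + 4
    for bit in (0x8000, 0x2000, 0x1000):  # checksum, key, sequence: 4 bytes each
        if flags & bit:
            offset += 4
    if len(ip_packet) < offset:
        return None
    return proto, ip_packet[offset:]

def ids_verdict(ip_packet: bytes) -> str:
    """Hand only IPv4 payloads to the inspection engine; name what is skipped."""
    parsed = gre_payload(ip_packet)
    if parsed is None:
        return "unparsed"
    proto, _ = parsed
    if proto == 0x0800:
        return "inspect"
    return "skip:" + ETHERTYPES.get(proto, hex(proto))

def sample(flags: int, proto: int, extra: bytes = b"", ip_proto: int = GRE_IP_PROTO) -> bytes:
    """Constructed test packet: 20-byte outer IPv4 header, GRE header, dummy payload."""
    outer = bytes([0x45, 0, 0, 0, 0, 0, 0, 0, 64, ip_proto, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    return outer + struct.pack("!HH", flags, proto) + extra + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    for label, pkt in [("IP", sample(0, 0x0800)), ("IPX", sample(0, 0x8137)),
                       ("DECnet", sample(0, 0x6003)),
                       ("keyed IP", sample(0x2000, 0x0800, b"\x00\x00\x00\x07"))]:
        print(label, "->", ids_verdict(pkt))
```

Packets that come back as "unparsed" should be counted and logged rather than silently dropped, so a tunnel that starts carrying an unexpected GRE variant shows up as a gap in inspection coverage.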
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:34 GMT-3