[nsp] policy-routing GRE tunnel packets

Luan Nguyen uulmnguyen at hotmail.com
Wed Aug 20 12:36:53 EDT 2003


Policy routing the tunnel packets should be very possible.  Do it like Steve 
suggested:  put the ip policy route-map local-policy - and use ip 
route-cache flow or ip route-cache policy ("Enable fast-switching policy 
cache for outgoing packets").  Cisco's web site does have a good article on 
policy-based routing.
The place where I see policy-based routing happen is when you have a VPN and 
you need to policy route your spoke networks to the central firewall at 
the hub - while allowing spoke-hub communication to just go through - then 
you need to put the policy-based stuff on the tunnel interfaces, since 
packets come in from outside the router and get encapsulated with a GRE 
header - not really locally generated... maybe except for GRE keepalives.

-luan



>From: Alexander Bochmann <bochmann at FreiNet.de>
>To: cisco-nsp at puck.nether.net
>Subject: Re: [nsp] policy-routing GRE tunnel packets
>Date: Wed, 20 Aug 2003 15:55:26 +0200
>
>...on Tue, Aug 19, 2003 at 05:47:00PM +0200, Alexander Bochmann wrote:
>
>  > Theoretically, Tunnel1 packets should be subject to
>  > the local policy route-map and be sent out via fa0/1 -
>  > but, in policy routing debugging, nothing is showing
>  > up right now
>
>I've come to the conclusion that policy-routing the
>GRE encapsulated Tunnel packets is not possible.
>Obviously, the GRE encapsulation happens at some place
>in the system where policy-routing doesn't have any
>impact.
>Other locally generated packets are policy-routed fine,
>so that it should work in principle - but not the
>GRE packets, although they have a source address that
>should be subject to policy-routing when leaving the
>system.
>
>So, there's probably no other way than host-routing
>the Tunnel destinations via the appropriate gateway,
>as some people suggested...
>
>Alex.
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
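The two placements discussed in this thread, as an added IOS configuration sketch that is not from either poster: policy routing on the hub's tunnel interface to steer spoke traffic to the central firewall, and a local policy for router-originated packets. All addresses, ACL numbers and route-map names are constructed for illustration; note that Alexander reports above that the tunnel's own GRE packets did not hit the local policy in his test.

```cisco
! --- Constructed example values (assumptions, not from the thread) ---
!   10.1.0.0/16, 10.2.0.0/16  spoke networks
!   192.0.2.10                central firewall at the hub
!   198.51.100.1              local tunnel source address
!   203.0.113.1               remote tunnel destination
!   198.51.100.254            gateway reached via fa0/1
!
! 1) Spoke-to-spoke traffic arriving over the tunnel is forced
!    through the firewall; spoke-to-hub traffic does not match
!    the ACL and is routed normally.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
access-list 110 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
route-map SPOKE-VIA-FW permit 10
 match ip address 110
 set ip next-hop 192.0.2.10
!
interface Tunnel1
 ip policy route-map SPOKE-VIA-FW
 ip route-cache policy
!
! 2) Local policy for packets the router itself originates.
!    The ACL matches GRE between the tunnel endpoints.
access-list 120 permit gre host 198.51.100.1 host 203.0.113.1
!
route-map LOCAL-POLICY permit 10
 match ip address 120
 set ip next-hop 198.51.100.254
!
ip local policy route-map LOCAL-POLICY
!
! Fallback suggested in the thread if the local policy does not
! catch the GRE packets: host-route the tunnel destination.
ip route 203.0.113.1 255.255.255.255 198.51.100.254
```

`show route-map` displays per-clause match counters, which indicates whether packets are actually hitting either policy; a SPOKE-VIA-FW counter that stays at zero while spokes are talking to each other means that traffic is not being steered through the firewall.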
