Extended ACL to permit GRE traffic..
Hi All,
If you create an Extended ACL as:
ip access-list extended TUNNEL
 permit ip host 203.208.174.93 host 85.115.65.7
Would this permit GRE traffic – for example?
OR
do I need this to permit GRE:
ip access-list extended TUNNEL
 permit gre host 203.208.174.93 host 85.115.65.7
Thank you.
Blogs and organic groups at http://www.ccie.net
_______________________________________________________________________ Subscription information may be found at: http://www.groupstudy.com/list/CCIELab.html
Think back to basics;
What is IP? What is GRE?
How do they work (together?)?
Since GRE is a subset of IP, it should allow protocol 47 with the ‘permit ip’ ACL…
Yes, IP will permit it. Using GRE will make sure that you only restrict this to GRE vs. other IP-related protocols such as UDP or TCP ports, which your first ACL allows through.
You can always test! ex: create the ACL and watch your counters:
permit ip host x host y log
permit gre host x host y log
permit ip any any
reverse it to validate…
permit gre host x host y log
permit ip host x host y log
permit ip any any log
-J
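A small model of how an extended ACL is evaluated, added here as an illustration and not code from anyone in the thread. It checks the original question (does "permit ip host A host B" already cover GRE, protocol 47?) and reproduces the counter test above with both entry orders. The matcher is a deliberate simplification (host/any only, no wildcard masks or ports); the sample packets are constructed, and the host addresses are the two from the question.

```python
from dataclasses import dataclass

# IP protocol numbers (IANA) for the keywords mentioned in the thread
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "eigrp": 88, "ospf": 89}

@dataclass
class Packet:
    src: str
    dst: str
    proto: int  # protocol number from the IP header; 47 for GRE

@dataclass
class Entry:
    action: str    # "permit" or "deny"
    proto: str     # "ip" (any protocol number) or a keyword from PROTO_NUM
    src: str       # host address or "any"
    dst: str
    hits: int = 0  # per-entry match counter, like the one "show access-list" prints

    def matches(self, pkt: Packet) -> bool:
        if self.src not in ("any", pkt.src) or self.dst not in ("any", pkt.dst):
            return False
        # "ip" is the superset: it matches every protocol number, GRE included
        return self.proto == "ip" or PROTO_NUM[self.proto] == pkt.proto

def parse_entry(line: str) -> Entry:
    # e.g. "permit gre host 203.208.174.93 host 85.115.65.7 log" ("host"/"log" are dropped)
    tok = [t for t in line.split() if t not in ("host", "log")]
    return Entry(tok[0], tok[1], tok[2], tok[3])

def evaluate(acl: list, pkt: Packet) -> tuple:
    """First match wins; returns (action, entry index), or ("deny", None) for the implicit deny."""
    for i, entry in enumerate(acl):
        if entry.matches(pkt):
            entry.hits += 1
            return entry.action, i
    return "deny", None

def permits(lines: list, pkt: Packet) -> bool:
    return evaluate([parse_entry(l) for l in lines], pkt)[0] == "permit"

def counter_test(lines: list, packets: list) -> list:
    """Send the packets through a fresh copy of the ACL and return each entry's hit counter."""
    acl = [parse_entry(l) for l in lines]
    for pkt in packets:
        evaluate(acl, pkt)
    return [e.hits for e in acl]

A, B = "203.208.174.93", "85.115.65.7"  # the two hosts from the original question
# constructed sample traffic: GRE and TCP from A to B, plus GRE from an unrelated host
SAMPLE = [Packet(A, B, 47), Packet(A, B, 6), Packet("10.0.0.1", B, 47)]
IP_FIRST = [f"permit ip host {A} host {B} log", f"permit gre host {A} host {B} log", "permit ip any any"]
GRE_FIRST = [f"permit gre host {A} host {B} log", f"permit ip host {A} host {B} log", "permit ip any any log"]
```

`permits(IP_FIRST[:1], SAMPLE[0])` is True, so the single "permit ip" entry already admits GRE; `counter_test(IP_FIRST, SAMPLE)` returns [2, 0, 1] (the gre entry under "permit ip" never fires) while `counter_test(GRE_FIRST, SAMPLE)` returns [1, 1, 1], which is why the reversed order tells GRE apart from the rest.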
Martin, I am not sure whether you’re trying to help or just making us guess what you know????
My understanding was that GRE would be automatically permitted if I permit IP – that’s it.
If that’s not the case I was expecting someone to tell me.
[martin.john.hogan@gmail.com] Sent: Monday, 1 March 2010 2:06 PM Cc: CCIE R/S, Groupstudy
On Mon, Mar 1, 2010 at 1:49 PM, Jitendra Anbu <Jitendra.Anbu@optus.com.au> wrote:
Many thanks Nish
Sent: Monday, 1 March 2010 2:13 PM
Great example – thanks.
Jit
Sent: Monday, 1 March 2010 2:16 PM
Hi Jitendra,
The fact is that GRE is IP protocol 47; thus by allowing IP you are allowing all the subsets, one of which is GRE, another is OSPF/EIGRP, etc.
Best Regards,
On Mon, Mar 1, 2010 at 11:15 AM, Jitendra Anbu wrote:
Hi Jit,
I was going for the “teach a man to fish” rather than give him a fish approach.
So yes, I was trying to help more than simply typing out an answer. I like to think that CCIEs, or people who aspire to be, would or should be interested in the how and why things work as they do rather than just the answer.
Glad you got what you were after.
Martin
Sorry Martin I think you were out of line with your approach! You & some others who subscribe in this e-mail group need to come down from your pedestal.
[martin.john.hogan@gmail.com] Sent: Monday, 1 March 2010 7:24 PM Cc: CCIE R/S, Groupstudy
On Mon, Mar 1, 2010 at 7:11 PM, Jitendra Anbu <Jitendra.Anbu@optus.com.au> wrote:
The demand for answers instead of the pursuit of understanding is what keeps companies like testking in business.
I apologise if I offended you; I certainly don’t participate in this group to be a negative influence, but I don’t apologise for promoting understanding rather than the quick easy answer.
Martin.
Martin, appreciate your thought process, which sets someone to think.
Cheers
+1
It may be too much in the morning for me (pre-caffeine) but I didn’t read Martin’s e-mail as anything from atop a pedestal. Most of the time, when questions come up, they can be approached from a very simple thought process.
Which, this whole thing with routers and switches… Once we start understanding HOW they think, then most things become much easier to work through. Workbooks are great, but don’t come up with every single variant! So someplace along the way, we need to learn to think like the routers and switches do.
So, the valid question is can I use “permit ip” in an ACL? Sure. But why?
What about “permit gre”? That’s more specific, but again, why? BECAUSE (as another e-mail listed) the GRE protocol is IP protocol 47. Which means GRE is a subset of IP. Permitting the larger list/set will always permit the subsets.
So, concentrating on the answer of WHY is where we get the learning from. Granted, Martin wasn’t very verbose in his note (grin), but at least in my opinion, he wasn’t trying to deride or insult anyone.
The problem with e-mail is that it doesn’t carry much of a sense of humor with it. Let’s not read more into things than was actually there though.
My two cents. (Which after taxes is only likely to be 1.1 cents these days!)
Scott Morris, CCIEx4 (R&S/ISP-Dial/Security/Service Provider) #4713,
CCDE #2009::D, JNCIE-M #153, JNCIS-ER, CISSP, et al.
JNCI-M, JNCI-ER
evil@ine.com
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Outside US: 775-826-4344
Knowledge is power.
Power corrupts.
Study hard and be Eeeeviiiil……
1.1c after taxes!? Where is your health care cut ?
more like -1.1c, then again – if you live in Canada -1.2c!
Good point… Someone has to work to pay for all the “improvements”, right?
While you guys are at it, use permit ip on Pemu to see if it works for the ASA in place of permit gre. Has anyone actually checked to see that it works on the router?
-Luan