From: Brian McGahan (bmcgahan@internetworkexpert.com)
Date: Tue Sep 23 2003 - 01:01:39 GMT-3
Dave,
 
What does your topology look like (ascii plz), where does the tunneling occur, and where does the IDS occur?
 
 
Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com 
 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
 
-----Original Message-----
From: David Clarkson [mailto:DaClarkson@symantec.com] 
Sent: Monday, September 22, 2003 10:44 PM
To: Brian McGahan
Cc: ccielab@groupstudy.com; 'Jonathan V Hays'
Subject: RE: GRE access lists
 
I am trying to apply security (CIDS) on the IP packets in the GRE, but
want to avoid the non-IP packets in the GRE as they seem to cause
problems. 
Thx 
Dave
 
"Brian McGahan" <bmcgahan@internetworkexpert.com> 
09/23/2003 01:32 PM 
        
To: "'Jonathan V Hays'" <jhays@jtan.com>, "'David Clarkson'" <DaClarkson@symantec.com>
cc: <ccielab@groupstudy.com>
Subject: RE: GRE access lists

David,

What exactly are you trying to accomplish?

Brian McGahan, CCIE #8593
bmcgahan@internetworkexpert.com 
Internetwork Expert, Inc.
http://www.InternetworkExpert.com
Toll Free: 877-224-8987
Direct: 708-362-1418 (Outside the US and Canada)
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Jonathan V Hays
> Sent: Monday, September 22, 2003 10:02 PM
> To: 'David Clarkson'
> Cc: ccielab@groupstudy.com
> Subject: RE: GRE access lists
> 
> Dave,
> 
> RFC 2784 (GRE) does indicate that there is a Protocol Type field in the
> GRE packet header, which contains the payload's protocol type (using the
> RFC 1700 ETYPE number). So filtering or classifying based on the
> encapsulated protocol is theoretically possible.
>
> But other than providing the above information, I can't help much more.
> I don't see how a Cisco access-list can be used to access this field.
> 
> See the following URL for a list of extended access-list fields:
> 
> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fipras_r/1rfip1.htm#1017448
>
> Perhaps there is some other way the IOS can access the GRE Protocol Type
> field?
> 
> Anyone?
> 
> Jonathan
> 
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of David Clarkson
> Sent: Monday, September 22, 2003 10:38 PM
> To: Jonathan V Hays
> Cc: ccielab@groupstudy.com
> Subject: RE: GRE access lists
> 
> 
> I am trying to classify the encapsulated protocol so I can treat different
> encapsulated protocols differently within the same GRE tunnel.
> 
> Regards,
> Dave
> 
>
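
The Protocol Type field mentioned in the thread can be read directly from the packet. The Python sketch below is an added example, not part of the original messages and not a description of how IOS or CIDS works: it reads the GRE header from an outer IPv4 packet and reports whether the payload is IP, so a sensor could inspect only the IP traffic. The function names, the EtherType table and the sample packets are constructed for illustration; the K and S flag bits come from RFC 2890, which the thread does not mention.

```python
import struct

GRE_IP_PROTO = 47  # IP protocol number assigned to GRE
# Protocol Type values are EtherTypes; this short table is illustrative.
ETHERTYPES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x8137: "IPX", 0x809B: "AppleTalk"}
IP_ETHERTYPES = {0x0800, 0x86DD}
# Flag bits that each add a 4-byte optional field after the base header:
# C (checksum, RFC 2784), K (key) and S (sequence number), both RFC 2890.
OPTIONAL_FIELD_BITS = (0x8000, 0x2000, 0x1000)


def classify_gre(packet: bytes):
    """Classify the payload of an IPv4 packet that carries GRE version 0.

    Returns (protocol_type, name, payload_offset, is_ip), or None when the
    packet is not IPv4, not GRE, truncated, or not GRE version 0.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # outer header length in bytes
    if ihl < 20 or packet[9] != GRE_IP_PROTO or len(packet) < ihl + 4:
        return None
    flags, ptype = struct.unpack_from("!HH", packet, ihl)
    if flags & 0x0007:                      # low 3 bits are the version
        return None
    offset = ihl + 4
    for bit in OPTIONAL_FIELD_BITS:
        if flags & bit:
            offset += 4
    if len(packet) < offset:
        return None
    return ptype, ETHERTYPES.get(ptype, "unknown"), offset, ptype in IP_ETHERTYPES


def build_sample(gre: bytes, ip_proto: int = GRE_IP_PROTO) -> bytes:
    """Constructed test input: minimal IPv4 header (checksum left at 0) + gre."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 0, 0, 64,
                         ip_proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + gre


# Constructed samples: IPv4 inside plain GRE, and IPX inside GRE with a key.
SAMPLE_IPV4 = build_sample(struct.pack("!HH", 0x0000, 0x0800) + b"\x45" + bytes(19))
SAMPLE_IPX = build_sample(struct.pack("!HHI", 0x2000, 0x8137, 7) + bytes(30))

if __name__ == "__main__":
    for pkt in (SAMPLE_IPV4, SAMPLE_IPX):
        print(classify_gre(pkt))
```

The returned offset marks where the encapsulated packet starts, which is the point an inspection engine would need in order to skip non-IP payloads and parse only the inner IP header.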
This archive was generated by hypermail 2.1.4 : Wed Oct 01 2003 - 07:24:34 GMT-3