ACL GRE Tunnel – How to Use an ACL to Deny Sending Packets to the GRE Tunnel


I need to do a small lab. The topology is shown in the image below:
[image: topology]

What I need to do is configure static routing so all routers can ping each neighbour's physical interface, configure a GRE tunnel between R0 and R2, make a static route to the PC subnets via the tunnel and configure an ACL which denies sending of packets from the PC0 subnet to the tunnel (on R0) and another one which denies sending of packets from the PC1 subnet to the tunnel (on R1). Here's what I've done so far:

R0 running configuration:

interface Tunnel0
 ip address 10.0.0.17 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/1
 tunnel destination 192.168.1.2
!
!
interface GigabitEthernet0/0
 ip address 172.16.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.2 
ip route 172.17.0.0 255.255.255.0 10.0.0.18 

R1 running configuration:

interface GigabitEthernet0/0
 ip address 192.168.0.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!

R2 running configuration:

interface Tunnel0
 ip address 10.0.0.18 255.255.255.252
 mtu 1476
 tunnel source GigabitEthernet0/0
 tunnel destination 192.168.0.1
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 172.17.0.2 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 192.168.0.0 255.255.255.0 192.168.1.1 
ip route 172.16.0.0 255.255.255.0 10.0.0.17 

The problem is I have no idea how to configure the ACL for the last task. Any help will be really appreciated.

Best Answer

On R0 you need to

deny ip 172.16.0.0/24 172.17.0.0/24

for the appropriate port/VLAN and vice versa on R1

deny ip 172.17.0.0/24 172.16.0.0/24

Make sure you put a

9999 permit ip any any

(or whatever you want to allow) at the end of a new ACL, since it's got an implicit deny ip any any at the very end.

Alternatively, you could filter on any point in between the subnets but you'll want to drop unwanted traffic as soon as possible. You could also use both deny lines on both sides to make 100% sure there's no communication even if it does enter the tunnel.
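A concrete IOS configuration for the two ACLs the answer describes, added here as an illustration and not part of the original answer. It follows the answer's advice to drop the traffic as early as possible, so each ACL is applied inbound on the router's LAN-facing interface, before the router looks up the route that would send the packet into Tunnel0. The ACL names PC0-NO-TUNNEL and PC1-NO-TUNNEL are assumed names chosen for this example; the addresses and interface names are taken from the running configurations posted above, which is why the second ACL is placed on R2, the router that actually terminates the tunnel, rather than R1.

```cisco
! ---- R0: stop PC0's subnet (172.16.0.0/24) reaching PC1's subnet (172.17.0.0/24)
! IOS extended ACLs take wildcard masks (0.0.0.255), not /24 prefix lengths.
ip access-list extended PC0-NO-TUNNEL
 10 deny ip 172.16.0.0 0.0.0.255 172.17.0.0 0.0.0.255
 9999 permit ip any any
!
! Apply inbound on the interface facing PC0, so the packet is dropped
! before it is routed towards Tunnel0 and before GRE encapsulation.
interface GigabitEthernet0/0
 ip access-group PC0-NO-TUNNEL in
!
! ---- R2: the mirror image for PC1's subnet (172.17.0.0/24)
ip access-list extended PC1-NO-TUNNEL
 10 deny ip 172.17.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 9999 permit ip any any
!
! Gi0/1 is R2's LAN-facing interface in the posted configuration.
interface GigabitEthernet0/1
 ip access-group PC1-NO-TUNNEL in
```

To verify, ping PC1 from PC0: the ping should fail and `show ip access-lists PC0-NO-TUNNEL` should show the match counter on sequence 10 increasing, while other traffic from PC0 (for example to a router's physical interface) still matches the `permit ip any any` line. Two placement caveats: do not apply these ACLs outbound on the physical tunnel-source interfaces (GigabitEthernet0/1 on R0, GigabitEthernet0/0 on R2), because there the traffic has already been encapsulated and appears as GRE (IP protocol 47) between 192.168.0.1 and 192.168.1.2, so an ACL matching the inner 172.16.0.0/24 and 172.17.0.0/24 addresses never hits. And if you want the belt-and-braces variant the answer mentions, an `ip access-group ... out` on interface Tunnel0 sees the un-encapsulated inner packet and can match those addresses directly.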
