Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Documentation Search

    Enabling Inspection of GRE Traffic

    You can use the command-line interface (CLI) or Network and Security Manager (NSM) to enable inspection of generic routing encapsulation (GRE) encapsulated traffic. To enable inspection of encapsulated traffic, the IDP engine must first decapsulate it.

    To enable and configure decapsulation from the CLI:

    1. Log into the CLI as admin and enter su - to switch to root.
    2. Enter the following command to enable decapsulation:

      [root@defaulthost admin]# scio const -s s0 set sc_gre_decapsulation 1
      scio: setting sc_gre_decapsulation to 0x1

      By default, the IDP engine decapsulates one layer.

    3. Optional. Change the maximum decapsulation to two layers by entering the following command:

      [root@defaulthost admin]# scio const -s s0 set sc_max_decapsulation 2
      scio: setting sc_max_decapsulation to 0x2

    Changes you make to kernel constants from the CLI do not persist across restarts. To make your change persistent:

    1. Open the /usr/idp/device/bin/user_funcs file in a text editor, such as vi.
    2. Add the constant below the line user_start_end(). For example:
      user_start_end()
      {
      $SCIO const -s s0 set sc_gre_decapsulation 1
      
      }
    3. Save the file.
    4. Restart the IDP engine:

      [root@defaulthost admin]# idp.sh restart

      Restarting the IDP engine can take several moments.

    You can also use Network and Security Manager (NSM) Device Manager to turn on the GRE decapsulation feature. However, you cannot use NSM to change the decapsulation layer setting.

    Figure 1 shows the location of the GRE support setting in NSM.

    Figure 1: NSM Device Manager: GRE Support Setting

    Image s036727.gif

    To enable decapsulation with NSM:

    1. In the NSM Device Manager, double-click the IDP Series device to display the device configuration editor.
    2. Click Sensor Settings.
    3. Click the Run-Time Parameters tab.
    4. Expand the Run-Time Parameters group.
    5. Select Enable GRE decapsulation support.
    6. Click OK.
    7. Push the updated configuration from NSM to the IDP Series device.

    Published: 2011-02-08