Gre Tunnels - McAfee SG310 Administration Manual

Utm firewall

Network Setup menu options
VLAN
• To isolate a single port for individual configuration, click Untagged. Packets on this VLAN are sent and
received on this port as untagged packets, which means that the VLAN ID will only be used while
routing the packet within this unit. Devices connected to this port will not see the VLAN ID on the
packet, and do not need to support VLANs. If a port is set to untagged, then that port must be set to
disabled for all other VLANs. It is allowable for a port to be set to tagged for multiple VLANs. It is also
allowable for more than one port to be set to untagged for a given VLAN. For information on tagged
versus untagged VLAN, see Tagged and untagged VLANs.
6. Click Update. This VLAN interface now appears as Unconfigured in the Connections page. You can
configure the VLAN interface as you would any other network interface.
Editing a VLAN
Use this procedure to edit a port-based or standard VLAN configuration.
1. From the Network Setup menu, click Network Setup. The Connections page appears.
2. Click the edit icon for the VLAN you want to edit. The edit page for the connection appears.
3. Click the VLAN Configuration tab. The Edit VLAN Configuration page appears.
4. Make your changes and click Update.
Deleting a VLAN
Use this procedure to delete a port-based or standard VLAN configuration.
1. From the Network Setup menu, click Network Setup. The Connections page appears.
2. Click the delete icon for the VLAN. You are prompted to confirm the delete. Click OK.

GRE tunnels

The GRE (Generic Routing Encapsulation) configuration of the UTM Firewall appliance allows you to build
GRE tunnels to other devices that support the GRE protocol. You can build GRE tunnels to other UTM
Firewall appliances that support GRE, or to other devices such as Cisco equipment. A GRE tunnel must be
created between a local IP address and a remote IP address that can already route between each other.
Typically, these addresses are LAN IP addresses accessible via a VPN tunnel. It is useful to create alias
addresses on LAN interfaces for this purpose, so that the LAN IP addresses can be routed over the GRE
tunnel as well.
Security Alert: GRE tunnels are not secure unless they are run over another secure protocol. When using a GRE
tunnel that runs over the Internet, it is possible for an attacker to put packets onto your network. If you want a
tunneling mechanism to securely connect to networks, then you should use IPSec, or tunnel GRE over either
IPSec or PPTP tunnels.
Packets can be sent over a GRE tunnel using either static routes or bridging. Using static routes for a GRE
tunnel over IPSec avoids having to create the many security associations that would otherwise be needed
to deal with multiple subnets at either end. A bridged GRE tunnel is useful for transmitting packets across a
VPN connection that would normally be dropped by IP routing. This includes broadcast packets, multicast
packets and any non-IP protocol such as IPv6, IPX, or AppleTalk.
The basic steps to set up GRE over IPSec are:
1. Create an IPSec tunnel for which the Local Network is the local LAN IP address, and the Remote network
is the remote LAN IP address. The prefix length for each network should be /32.
2. Create a GRE tunnel for which the Local Address is the local LAN IP address, and the Remote Address is
the remote LAN IP address.
3. Create static routes that use the GRE tunnel as their interface. See Routes. Do not specify a gateway
address.
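The three steps above can be checked mechanically before they are entered in the management console. The following is an added example, not part of the manual: a Python check over a constructed plan, in which the dict layout, the interface name gre1 and all addresses are assumptions and only IPv4 is handled.

```python
# Added example, not from the manual. The dict layout, interface name and
# addresses are constructed; this is not a UTM Firewall configuration format.
import ipaddress

def check_plan(plan):
    """Return a list of problems; an empty list means the plan follows the steps."""
    problems = []
    ipsec, gre = plan["ipsec"], plan["gre"]
    local_sel = ipaddress.ip_network(ipsec["local_network"], strict=False)
    remote_sel = ipaddress.ip_network(ipsec["remote_network"], strict=False)
    # Step 1: both IPSec networks are single hosts (/32).
    for side, sel in (("local", local_sel), ("remote", remote_sel)):
        if sel.prefixlen != 32:
            problems.append(f"IPSec {side} network {sel} is not a /32")
    # Step 2: the GRE endpoints are the addresses the IPSec tunnel carries.
    # An endpoint outside them means GRE runs unprotected (the Security Alert).
    if ipaddress.ip_address(gre["local_address"]) not in local_sel:
        problems.append("GRE local address is not covered by the IPSec tunnel")
    if ipaddress.ip_address(gre["remote_address"]) not in remote_sel:
        problems.append("GRE remote address is not covered by the IPSec tunnel")
    # Step 3: every static route uses the GRE interface and names no gateway.
    for route in plan["routes"]:
        if route["interface"] != gre["name"]:
            problems.append(f"route {route['target']} does not use {gre['name']}")
        if route.get("gateway"):
            problems.append(f"route {route['target']} specifies a gateway")
    return problems

GOOD_PLAN = {  # constructed sample values
    "ipsec": {"local_network": "192.168.1.1/32", "remote_network": "192.168.2.1/32"},
    "gre": {"name": "gre1", "local_address": "192.168.1.1",
            "remote_address": "192.168.2.1"},
    "routes": [{"target": "10.20.0.0/16", "interface": "gre1", "gateway": None}],
}
BAD_PLAN = {  # constructed: wide IPSec network, GRE peer outside IPSec, gateway set
    "ipsec": {"local_network": "192.168.1.0/24", "remote_network": "192.168.2.1/32"},
    "gre": {"name": "gre1", "local_address": "192.168.1.1",
            "remote_address": "203.0.113.9"},
    "routes": [{"target": "10.20.0.0/16", "interface": "gre1",
                "gateway": "192.168.2.1"}],
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan) or "OK")
```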
To bridge the local and remote LAN over IPsec
McAfee UTM Firewall 4.0.4 Administration Guide


This manual is also suitable for: SG560, SG560U, SG565, SG580
