Intranet tunneling

Using tunnels to segment private networks on your intranet.

This Content Component encountered an error

Administrators working on mid- to large-sized networks often have to deal with the dilemma of private networks. Often, these are small software-development labs, or some researcher's private network, or a manufacturing network, or something similar. Just as often, these labs need to talk to other labs, usually in other geographic locations. But, as a network administrator, this poses a problem because you don't control the devices in...

these labs, and they don't comply with your standards or schemes. So, you don't really want to let these people control their own routers in your network, because any mistake they make could take down the rest of your network. Usually, they also want to separate traffic and routing so that average office user traffic doesn't affect them. For example, you wouldn't want worm traffic to be able to reach critical manufacturing devices.

The easy solution to this is to create tunnels. These are essentially VPNs you construct inside your intranet, which connect these private networks together, but you don't have to configure the encryption or other overhead. The advantage is that the routing in the tunnel and routing outside the tunnel never touch, so there's no IP connectivity. Further, the user packets are also separated when they cross the WAN or intranet, and because all the private traffic is encapsulated inside the tunnel, it's easy to get statistics on all the private traffic just by looking at the tunnel.

To implement a tunnel using Cisco's IOS, you use the "tunnel interface" just like a normal interface, but first, you usually want to create a loopback interface on the router at each end of the tunnel. In the tunnel interfaces, you'll assign an IP address, just like a regular WAN circuit, and also tunnel source and destination IP addresses. The source will be the loopback address of the same router, while the destination, obviously, will be the loopback address of the router at the far side of the tunnel.

An example would be:

interface Loopback0
  ip address

interface Tunnel0
  ip address
  tunnel source
  tunnel destination

interface Loopback0
  ip address

interface Tunnel0
  ip address
  tunnel source
  tunnel destination

Finally, configure your routing protocols as necessary. But the one thing you absolutely have to watch out for is to never let the path to the tunnel destination go THROUGH the tunnel. In this example, if the two routers were 5 hops away, and you configured RIP on all interfaces, then RIP on router A might suddenly realize that it could reach router B's loopback through the tunnel with only 1 hop instead of 5. When router A tries to send the tunnel through the tunnel, connectivity will be lost.

Tom Lancaster, CCIE# 8829 CNX# 1105, is a consultant with 15 years experience in the networking industry, and co-author of several books on networking, most recently, CCSPTM: Secure PIX and Secure VPN Study Guide published by Sybex.

This was first published in December 2004

Dig deeper on Remote access



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: