Interface Tunnel 0 changed my life. Not really but really cool

Hondabuff Network Engineer Member Posts: 667 ■■■□□□□□□□
So I learned something new from one of our Sr. guys at work about building VPNs. I have always built them using a crypto map and ACL to define the traffic. Always a pain with CLI and I have to use a template. I soon discovered CCP and was using the GUI and banging them out, and if it had NAT enabled, no problem. CCP would add a route map statement and I was off and running. So I got the "here do it this way" conversation and I looked at the config and was like, huh, what, you can't, how?? Not sure what rock I have been living under, but building a Tunnel unnumbered and making a static route to define your traffic is way easier. One static route of next hop for unprotected traffic and a static route back to the corp office peer for IPsec traffic and you're good. Where is this in Cisco's curriculum? Is this a CCNP-S topic? I researched GRE tunnels and Site-to-site and finally came across a blog about Tunnel Interfaces and the new technology from IOS 15.
“The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln


  • tomtom1 Senior Member Member Posts: 375
    Tunnel0 is a GRE concept and is covered at least in the ROUTE, but I guess also in the Security track.
  • theodoxa Senior Member Member Posts: 1,340 ■■■■□□□□□□
    For me, it's the protections (Hashing, Authentication, Diffie-Hellman Groups, and Encryption) that make IPSec on the CLI so complex. Basic GRE Tunnels are incredibly simple, because you don't have to worry about all that stuff; you simply specify the tunnel end points. You could even run EIGRP over the tunnel and not have to worry about static routes at all. The downside is a lack of security.
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • Hondabuff Network Engineer Member Posts: 667 ■■■□□□□□□□
    I'm amazed at the simplicity of VTI tunnels. I have found the "ip unnumbered Vlan/Interface" command under the Interface Tunnel command pretty handy. Change it over to an IP address and enable EIGRP and you have a GRE tunnel and no static routes. Remembering the word HAGLE is super handy for your crypto policies. Then you just need to memorize the Crypto IPsec commands for setting the security Profile. There are only 2 of them. Best of all, no crypto maps to apply.

    Crypto isakmp policy "enter a number here"

    H Hash "sha"
    A Authentication "pre share"
    G Group "2"
    L Lifetime "86400"
    E Encryption "aes"
  • DCD Senior Member Member Posts: 469 ■■■■□□□□□□
    GRE is in the CCNP Route curriculum and the CCNA Security curriculum. It is an old Cisco protocol that fell out of favor a long time ago and is now making a comeback since adding IPSEC to it for security.

    It is very cool.
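
The VTI setup discussed in this thread, written out as a full branch-router configuration. This is an added example, not taken from any post: the interface names, the documentation-range addresses, the 10.0.0.0/8 corporate prefix, the names VTI-TS and VTI-PROFILE, and the key placeholder are all assumptions.

```cisco
! Constructed example: branch router with a VTI back to the corporate peer.
! Addresses are documentation ranges; names and the key are placeholders.
!
! IKE phase 1 policy in HAGLE order, using the values quoted in the thread.
! SHA-1 and DH group 2 are legacy choices; use stronger ones where both
! peers support them.
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
! IPsec side: a transform set plus a profile that references it.
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROFILE
 set transform-set VTI-TS
!
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.252
!
! The tunnel borrows the WAN interface address. The profile is attached
! to the tunnel itself, so there is no crypto map and no traffic ACL.
interface Tunnel0
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Routing decides what gets encrypted: the corporate prefix goes into the
! tunnel, everything else leaves via the next hop unprotected.
ip route 10.0.0.0 255.0.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Because the routing table selects the protected traffic, a missing or withdrawn route to Tunnel0 sends corporate-bound packets out the default route in the clear; `show crypto ipsec sa` and `show ip route` confirm that the prefix really is using the tunnel.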