Interface Tunnel 0 changed my life. Not really but really cool
Hondabuff
So I learned something new from one of our Sr. Guys at work about building VPNs. I have always built them using a crypto map and ACL to define the traffic. Always a pain with CLI and I have to use a template. I soon discovered CCP and was using the GUI and banging them out, and if it had NAT enabled, no problem. CCP would add a route map statement and I was off and running. So I got the "here, do it this way" conversation and I looked at the config and was like, huh, what, you can't, how?? Not sure what rock I have been living under, but building a Tunnel unnumbered and making a static route to define your traffic is way easier. One static route of 0.0.0.0 0.0.0.0 next hop for unprotected traffic and a static route back to the corp office peer for IPsec traffic and you're good. Where is this in Cisco's curriculum? Is this a CCNP-S topic? I researched GRE tunnels and site-to-site and finally came across a blog about Tunnel Interfaces and the new technology from IOS 15.
Comments
tomtom1
Tunnel0 is a GRE concept and is covered at least in the ROUTE, but I guess also in the Security track.
theodoxa
For me, it's the protections (Hashing, Authentication, Diffie-Hellman Groups, and Encryption) that make IPsec on the CLI so complex. Basic GRE Tunnels are incredibly simple, because you don't have to worry about all that stuff; you simply specify the tunnel end points. You could even run EIGRP over the tunnel and not have to worry about static routes at all. The downside is a lack of security.
Hondabuff
I'm amazed at the simplicity of VTI tunnels. I have found under the Interface Tunnel command the "ip unnumbered Vlan/Interface" command pretty handy. Change it over to an IP address and enable EIGRP and you have a GRE tunnel and no static routes. Remembering the word HAGLE is super handy for your crypto policies. Then you just need to memorize the crypto IPsec commands for setting the security profile. There are only 2 of them. Best of all, no crypto maps to apply.
Crypto isakmp policy "enter a number here"
H Hash "sha"
A Authentication "pre share"
G Group "2"
L Lifetime "86400"
E Encryption "aes"
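Putting the pieces from this post together, here is an added IOS configuration example (not from the thread, not Cisco's own documentation) for an IPsec VTI using the HAGLE policy above plus the two IPsec commands (transform set and profile) and the static routes the OP describes. All addresses, interface names and the key placeholder are assumed sample values.

```cisco
! Added example: IPsec VTI site-to-site on a branch router.
! Assumed values: corp peer 203.0.113.1, ISP next hop 198.51.100.1,
! Vlan1 as the inside interface, GigabitEthernet0/0 facing the ISP.
!
! Phase 1 (ISAKMP) policy, in HAGLE order
crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
 encryption aes
! Pre-shared key bound to the peer address (placeholder, replace before use)
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
!
! Phase 2 (IPsec) command 1: transform set
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Phase 2 (IPsec) command 2: profile that the tunnel interface references
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES-SHA
!
! The VTI itself: no crypto map, no crypto ACL
interface Tunnel0
 ip unnumbered Vlan1
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Routing decides what is encrypted: only packets routed into Tunnel0
! are protected. Default route = unprotected Internet traffic.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
! Corporate networks reached through the VTI = IPsec traffic.
ip route 10.0.0.0 255.255.0.0 Tunnel0
!
! Caveat: the peer 203.0.113.1 must stay reachable via the ISP, never via
! Tunnel0 itself, or the tunnel recurses and goes down. Verify with:
!   show crypto isakmp sa
!   show crypto ipsec sa
!   show interface Tunnel0
```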
DCD
GRE is in the CCNP ROUTE curriculum and the CCNA Security curriculum. It's an old Cisco protocol that fell out of favor a long time ago and is now making a comeback since adding IPsec to it for security.
PS
It is very cool.