using eigrp via tunnel

amir_spamir_sp Member Posts: 9 ■□□□□□□□□□
hi dudes
i have 30 tunnel from central office to my branches.
is it possible to us EIGRP via tunnel? if yes how?
any suggestion?

Comments

  • HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    Tunnels have to be changed to GRE with IPSec.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • amir_spamir_sp Member Posts: 9 ■□□□□□□□□□
    could u give me more information?
  • HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    Regular IPSec VPN tunnels do not support multicast. GRE VPN tunnels support multicast which is what routing protocols run on.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • Dieg0MDieg0M Member Posts: 861
    What kind of tunnels?

    @Hondabuff, you can run routing protocols like OSPF on IPSec without GRE.
    Follow my CCDE journey at www.routingnull0.com
  • amir_spamir_sp Member Posts: 9 ■□□□□□□□□□
    @dieg0m no matter what protocol i can use.dynamic routing protocol is my goal.and plz give an example of how tunnels should advertise via dynamic routing protocol
  • HondabuffHondabuff Member Posts: 667 ■■■□□□□□□□
    Dieg0M wrote: »
    What kind of tunnels?

    @Hondabuff, you can run routing protocols like OSPF on IPSec without GRE.

    You are going to have to enlighten me now. I have only used VTI tunnels or GRE if running a routing protocol. I'm currently managing over 600 branches using just VTI with IPSec Profile. Or are you referring to the same concept. I set my tunnels to IP unnumbered and tunnel mode to IPSec IPV4 to allow OSPF.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • amir_spamir_sp Member Posts: 9 ■□□□□□□□□□
    do u mean gre tunnel mode ?
    currently im using ipip mode
    plz give me information about ur branches.i would like to know more
  • Dieg0MDieg0M Member Posts: 861
    I will give you a hint. What do the network types non-broadcast(IOS) and point-to-multipoint non-broadcast(IOS) aswell as point-to-point non-broadcast (ASA) have in common?
    Follow my CCDE journey at www.routingnull0.com
  • AwesomeGarrettAwesomeGarrett Member Posts: 257
    I'm picking up what you're putting down.

    EDIT: Finished a quick lab for this, works as expected. Thanks for the tip!
  • theodoxatheodoxa Member Posts: 1,340 ■■■■□□□□□□
    You would need to use GRE over IPSec as [others have stated] IPSec doesn't support Multicast. With a large number of branch sites, there is another option known as DMVPN (Dynamic Multipoint VPN). Basically, it allows sites to dynamically establish GRE over IPsec tunnels to one another (if branch to branch connectivity is desired). Alternatively, you could use a different routing protocol. I don't see any reason BGP wouldn't work over IPSec as it uses TCP and Neighbors are statically configured.

    [EDIT] GRE over IPSec simply means that you place your EIGRP traffic in a GRE Tunnel and then encapsulate the GRE tunnel with IPSec. IPSec provides Confidentiality, Integrity, and Authentication which are not provided by GRE. You would direct the traffic over the GRE tunnel and then in your crypto map specify that GRE traffic between sites should be encrypted.

    http://www.cisco.com/go/dmvpn
    R&S: CCENT CCNA CCNP CCIE [ ]
    Security: CCNA [ ]
    Virtualization: VCA-DCV [ ]
  • d4nz1gd4nz1g Member Posts: 464
    Dieg0M wrote: »
    I will give you a hint. What do the network types non-broadcast(IOS) and point-to-multipoint non-broadcast(IOS) aswell as point-to-point non-broadcast (ASA) have in common?


    This works, but won't scale that much.
    Immagine yourself configuring n+1 neighbors on each router for a huge company (considering it is a full mesh, ofc)
  • Dieg0MDieg0M Member Posts: 861
    Indeed, this won't scale but some devices do not support GRE and only IPSEC (like ASA's).
    Follow my CCDE journey at www.routingnull0.com
  • d4nz1gd4nz1g Member Posts: 464
    Dieg0M wrote: »
    Indeed, this won't scale but some devices do not support GRE and only IPSEC (like ASA's).


    10/10, nailed it :)
Sign In or Register to comment.