using eigrp via tunnel

hi dudes
i have 30 tunnel from central office to my branches.
is it possible to us EIGRP via tunnel? if yes how?
any suggestion?

Find more posts tagged with

Comments

Hondabuff

Tunnels have to be changed to GRE with IPSec.

amir_sp

could u give me more information?

Hondabuff

Regular IPSec VPN tunnels do not support multicast. GRE VPN tunnels support multicast which is what routing protocols run on.

Dieg0M

What kind of tunnels?

@Hondabuff, you can run routing protocols like OSPF on IPSec without GRE.

amir_sp

@dieg0m no matter what protocol i can use.dynamic routing protocol is my goal.and plz give an example of how tunnels should advertise via dynamic routing protocol

Hondabuff

Dieg0M wrote: »

What kind of tunnels?

@Hondabuff, you can run routing protocols like OSPF on IPSec without GRE.

You are going to have to enlighten me now. I have only used VTI tunnels or GRE if running a routing protocol. I'm currently managing over 600 branches using just VTI with IPSec Profile. Or are you referring to the same concept. I set my tunnels to IP unnumbered and tunnel mode to IPSec IPV4 to allow OSPF.

amir_sp

do u mean gre tunnel mode ?
currently im using ipip mode
plz give me information about ur branches.i would like to know more

Dieg0M

I will give you a hint. What do the network types non-broadcast(IOS) and point-to-multipoint non-broadcast(IOS) aswell as point-to-point non-broadcast (ASA) have in common?

AwesomeGarrett

I'm picking up what you're putting down.

EDIT: Finished a quick lab for this, works as expected. Thanks for the tip!

theodoxa

You would need to use GRE over IPSec as [others have stated] IPSec doesn't support Multicast. With a large number of branch sites, there is another option known as DMVPN (Dynamic Multipoint VPN). Basically, it allows sites to dynamically establish GRE over IPsec tunnels to one another (if branch to branch connectivity is desired). Alternatively, you could use a different routing protocol. I don't see any reason BGP wouldn't work over IPSec as it uses TCP and Neighbors are statically configured.

[EDIT] GRE over IPSec simply means that you place your EIGRP traffic in a GRE Tunnel and then encapsulate the GRE tunnel with IPSec. IPSec provides Confidentiality, Integrity, and Authentication which are not provided by GRE. You would direct the traffic over the GRE tunnel and then in your crypto map specify that GRE traffic between sites should be encrypted.

http://www.cisco.com/go/dmvpn

d4nz1g

Dieg0M wrote: »

I will give you a hint. What do the network types non-broadcast(IOS) and point-to-multipoint non-broadcast(IOS) aswell as point-to-point non-broadcast (ASA) have in common?

This works, but won't scale that much.
Immagine yourself configuring n+1 neighbors on each router for a huge company (considering it is a full mesh, ofc)

Dieg0M

Indeed, this won't scale but some devices do not support GRE and only IPSEC (like ASA's).

d4nz1g

Dieg0M wrote: »

Indeed, this won't scale but some devices do not support GRE and only IPSEC (like ASA's).

10/10, nailed it