Back to studying ISCW

gojericho0 Member Posts: 1,059
After about a month off I'm finally back full swing in studying for the ISCW. Had a quick question regarding IPsec vs. GRE. I know GRE allows for the transport of routing protocols where IPsec cannot.

Why is this? Is it the way the encapsulation is done?

Comments

  • scheistermeister Member Posts: 748
    Because IPSec and the routing protocols reside on the same layer, whereas GRE is above the routing protocols in the OSI model.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • _maurice Member Posts: 142
    Could you please clarify? I too am having trouble understanding this concept.

    For example, GRE encapsulates the IP header and the payload. Tunnel mode IPSec encapsulates the IP header and the payload.


    Thank you in advance.
  • kryolla Member Posts: 785
    You can't transport multicast in IPsec, only in GRE.
    Studying for CCIE and drinking Home Brew
  • _maurice Member Posts: 142
    Not even if the crypto map's interesting traffic contains the multicast subnet?
  • kryolla Member Posts: 785
    No, IPsec direct encapsulation only allows unicast traffic. For multicast you need a GRE tunnel or IPsec VTI.
    Studying for CCIE and drinking Home Brew
  • dtlokee Member Posts: 2,378
    You can't encapsulate multicast traffic in IPSec but you can do interesting things with the neighbor statement ;)
    The only easy day was yesterday!
  • scheistermeister Member Posts: 748
    kryolla wrote:
    You can't transport multicast in IPsec, only in GRE.

    Yeah you can, as long as you have a new IOS... Straight from the NetAcad...
    Cisco IOS Release 12.4(4)T and newer can now encrypt multicast using a crypto map and an access list. Older software releases required GRE tunneling to provide support for multicast.

    And that is a good bit of info to remember... *hint* *hint* *wink* *wink*
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
  • _maurice Member Posts: 142
    Seems like conflicting information. So to summarize, you can send multicast traffic through an IPSec tunnel if you are using the latest IOS?
  • scheistermeister Member Posts: 748
    _maurice wrote:
    Seems like conflicting information. So to summarize, you can send multicast traffic through an IPSec tunnel if you are using the latest IOS?

    Correct,

    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6552/prod_white_paper0900aecd8047191e_ps6635_Products_White_Paper.html
    Cisco IOS® Secure Multicast is the first native IP Multicast encryption that does not rely on a tunnel-based architecture, lowering administrative overhead and helping ensure optimum WAN flexibility.

    SUMMARY
    Cisco IOS Secure Multicast is a set of hardware and software features necessary to secure IP Multicast group traffic originating on or flowing through a Cisco IOS device. It combines the keying protocol Group Domain of Interpretation (GDOI) with hardware-based IP Security (IPsec) encryption to provide users an efficient method to secure IP Multicast group traffic. With Cisco IOS Secure Multicast, a router can apply encryption to IP Multicast traffic without having to configure tunnels.
    Cisco IOS Secure Multicast provides the following benefits:

    • Multicast traffic protection: It provides the ability to protect multicast traffic without any form of additional encapsulation.

    • Scalability: It allows for one-to-many and many-to-many relationships.

    • Manageability: It allows for easier configuration and enhanced manageability.

    • Native IPsec encapsulation: It provides native IPsec encapsulation for IP Multicast traffic.

    • Key and policies distribution: It offers a centralized key and policies distribution mechanism through the GDOI key server.

    • Simplified troubleshooting: It simplifies troubleshooting by lowering overall complexity.

    • Extensible standards-based framework: It uses an extensible, standards-based framework.
    Give a man fire and he'll be warm for a day. Set a man on fire and he'll be warm for the rest of his life.
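
On the opening question of whether the encapsulation is what matters, here is an added example (not posted by anyone in the thread) that wraps a multicast routing hello in GRE and shows that the outer packet is plain unicast between the tunnel endpoints. The addresses, the stand-in hello bytes and the `matches_p2p_selector` helper are constructed for illustration; the helper is a simplified model of one unicast traffic selector, not IOS behaviour.

```python
import ipaddress
import struct

OSPF, GRE = 89, 47  # IANA IP protocol numbers

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Prepend a 20-byte IPv4 header (no options) to payload."""
    def header(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                           ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    return header(checksum(header(0))) + payload

def gre_encap(tunnel_src: str, tunnel_dst: str, inner: bytes) -> bytes:
    """RFC 2784 GRE: flags/version 0, protocol type 0x0800 (IPv4), then the inner packet."""
    return ipv4(tunnel_src, tunnel_dst, GRE, struct.pack("!HH", 0, 0x0800) + inner)

def describe(packet: bytes) -> dict:
    """Read the fields of the outermost IPv4 header that a traffic selector looks at."""
    src, dst = (ipaddress.IPv4Address(packet[i:i + 4]) for i in (12, 16))
    return {"proto": packet[9], "src": str(src), "dst": str(dst),
            "multicast": dst.is_multicast}

def matches_p2p_selector(packet: bytes, local: str, peer: str, proto: int) -> bool:
    """Hypothetical stand-in for one unicast selector: proto, host local -> host peer."""
    d = describe(packet)
    return (d["proto"], d["src"], d["dst"]) == (proto, local, peer)

# Constructed sample: 24 bytes standing in for an OSPF hello, sent to AllSPFRouters.
hello = ipv4("10.0.0.1", "224.0.0.5", OSPF, b"\x02\x01" + bytes(22), ttl=1)
tunneled = gre_encap("192.0.2.1", "198.51.100.1", hello)

if __name__ == "__main__":
    for name, pkt in (("bare hello", hello), ("GRE-wrapped", tunneled)):
        print(name, describe(pkt),
              matches_p2p_selector(pkt, "192.0.2.1", "198.51.100.1", GRE))
```

The hello travels intact inside the GRE payload, so whatever protects the unicast GRE flow between the two endpoints also covers the routing protocol carried in it.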