Can getvpn encrypt routing information in routing protocol?

Hello everyone,
We're thinking of deploying a getvpn on a military network over a carrier vendor VPLS cloud. My concern is whether the route updates, hello packets, etc. in EIGRP can be encrypted so that the carrier cannot see our network information. Thanks

GETVPN is a policy based VPN, it will encrypt whatever you need it to encrypt. Whether that's desirable, that's another thing.
As usual you can refer to GETVPN DIG
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf
Section 3.5.4 should be informative.
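
The "policy based" point above, as an added example that is not part of the original thread or of Cisco's documentation: a simplified Python model of first-match crypto ACL evaluation, where "permit" selects a packet for encryption under the group SA and "deny" leaves it outside. Both ACLs, all addresses and all names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

UDP, TCP, EIGRP = 17, 6, 88      # IANA IP protocol numbers
GDOI_PORT = 848                  # GDOI registration/rekey runs over UDP 848
ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" = encrypt, "deny" = not encrypted
    proto: Optional[int]         # None matches any IP protocol
    src: str
    dst: str
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    name: str
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None

def matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto is not None and ace.proto != pkt.proto:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(ace.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(ace.dst))

def disposition(acl, pkt: Packet) -> str:
    """First matching entry wins; no match means the packet is not encrypted."""
    for ace in acl:
        if matches(ace, pkt):
            return "encrypt" if ace.action == "permit" else "clear"
    return "clear"

def outside_group_sa(acl, packets):
    """Names of packets the group SA does not protect under this policy."""
    return [p.name for p in packets if disposition(acl, p) == "clear"]

# Constructed policy 1: routing protocol excluded from encryption.
BYPASS_ROUTING = [
    Ace("deny", UDP, ANY, ANY, GDOI_PORT),
    Ace("deny", EIGRP, ANY, ANY),
    Ace("permit", None, ANY, ANY),
]
# Constructed policy 2: only GDOI excluded, so EIGRP falls to "permit ip any any".
ENCRYPT_ROUTING = [
    Ace("deny", UDP, ANY, ANY, GDOI_PORT),
    Ace("permit", None, ANY, ANY),
]
# Constructed sample traffic as seen on the WAN-facing interface.
TRAFFIC = [
    Packet("eigrp-hello", EIGRP, "10.1.1.1", "224.0.0.10"),
    Packet("eigrp-update", EIGRP, "10.1.1.1", "10.1.1.2"),
    Packet("gdoi-registration", UDP, "10.1.1.1", "10.9.9.9", GDOI_PORT),
    Packet("user-data", TCP, "10.1.1.1", "10.2.2.2", 443),
]

if __name__ == "__main__":
    for label, acl in (("bypass", BYPASS_ROUTING), ("encrypt", ENCRYPT_ROUTING)):
        print(label, outside_group_sa(acl, TRAFFIC))
```

Because GETVPN preserves the original IP header, the carrier still sees the source and destination addresses of encrypted packets; what the second policy hides is the payload, such as the prefixes inside EIGRP updates.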

Similar Messages

  • Can i run routing protocol with only F2 line card?

    Hello. : )
    One question.
    Can i run routing protocol such as ospf, bgp, eigrp with only F2 modules? (no M linecard)
    Thank you in advance : )

    Hi,
    Yes, you can use OSPF, EIGRP, IS-IS, etc...
    see link below for more info:
    http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at_a_glance_c45-689339.pdf
    HTH

  • IPSEC tunnel and Routing protocols Support

    Hi Everyone,
    I read IPSEC does not support Routing Protocols with Site to Site VPN as they both are Layer4.
    Does it mean that if Site A has to reach Site B over a WAN link we should use Static IP on Site A and Site B Router?
    In my home lab I configured Site to Site IPSEC VPN and they are working fine using OSPF. Does this mean that IPSEC supports Routing Protocol?
    If someone can explain this to me, please?
    OSPF  config A side
    router ospf 1
    router-id 3.4.4.4
    log-adjacency-changes
    area 10 virtual-link 10.4.4.1
    passive-interface Vlan10
    passive-interface Vlan20
    network 3.4.4.4 0.0.0.0 area 0
    network 192.168.4.0 0.0.0.255 area 10
    network 192.168.5.0 0.0.0.255 area 0
    network 192.168.10.0 0.0.0.255 area 0
    network 192.168.20.0 0.0.0.255 area 0
    network 192.168.30.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    3550SMIA#sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.5.3 to network 0.0.0.0
    O    192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
         3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    O       3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C       3.4.4.0/24 is directly connected, Loopback0
    C    192.168.30.0/24 is directly connected, Vlan30
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    C    192.168.10.0/24 is directly connected, Vlan10
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O E2    172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
    C    192.168.99.0/24 is directly connected, FastEthernet0/8
    C    192.168.20.0/24 is directly connected, Vlan20
         192.168.5.0/31 is subnetted, 1 subnets
    C       192.168.5.2 is directly connected, FastEthernet0/11
    C    10.0.0.0/8 is directly connected, Tunnel0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
    O    192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
    O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
    B Side Config
    Side A
    router ospf 1
    log-adjacency-changes
    network 192.168.97.0 0.0.0.255 area 0
    network 192.168.98.0 0.0.0.255 area 0
    network 192.168.99.0 0.0.0.255 area 0
    1811w#  sh ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is 192.168.99.2 to network 0.0.0.0
    O    192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
         100.0.0.0/32 is subnetted, 1 subnets
    O       100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
         3.0.0.0/32 is subnetted, 2 subnets
    O       3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O       3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         64.0.0.0/32 is subnetted, 1 subnets
    O E2    64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
         4.0.0.0/32 is subnetted, 1 subnets
    O       4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         172.31.0.0/24 is subnetted, 4 subnets
    O E2    172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O E2    172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
    C    192.168.98.0/24 is directly connected, BVI98
    C    192.168.99.0/24 is directly connected, FastEthernet0
    O    192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.5.0/31 is subnetted, 1 subnets
    O       192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
         192.168.6.0/31 is subnetted, 1 subnets
    O       192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
    O    192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
    O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
    Thanks
    Mahesh

    Hello,
    I'm saying crypto maps have a lot of limitations. Tunnel Protection makes way more sense
    You can configure it in 2 ways [ and multicast WILL work over it]
    1- GRE over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode transport
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel protection ipsec profile tp
    We have configured mode transport because we encrypt GRE + whatever we encapsulate in GRE [ eg OSPF - telnet - http ]
    Pros:
    We can as well transport IPV6 or CDP
    Cons:
    4 bytes of overhead due to GRE
    2- IP over IPSEC
    crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
    mode tunnel
    crypto ipsec profile tp
    set transform-set aes
    int tu1
    ip address 255.255.255.252
    tunnel source
    tunnel destination
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile tp
    This config is in fact closer to a crypto map [ from encapsulation standpoint]. The transform-set then NEEDS to be in tunnel-mode
    Pro:
    4 bytes overhead less than GRE over IPSEC
    Cons:
    Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
    Cheers
    Olivier

  • Link State Routing Protocol Question

    "In LSP, one router in each area is designated as the authoritative source of routing information (called a designated router). Each area router receives updates from the designated router" Why need designated router? How does it work? Why can't it just broadcast LSP and learn the routing information without the need of designated router? Is designated router the same as backbone or root area in OSPF? Is the "area" concept only used in Link State Routing Protocol OSPF?

    hi...
    you will find area topology in IS IS also...
    here we are using the Area as well as DR and BDR for reducing the LSA flooding in the area... each router in ospf area will send update to the DR on multicast address and then DR will send the multicast update to all other routers in the area... here each and every router in the area has the full adjacency with DR but they are not in the full adjacency with any other router ...
    hope this will help you
    rate this post if it helps
    regards
    Devang

  • Problems with running EIGRP as PE-CE routing protocol 2

    Dear all,
    I am facing the exact problem as a previous user of running EIGRP as the PE-CE routing protocol for a MPLS VPN customer, but on different hardware.  The PE router is a 7609-S RSP720-3CXL-GE  running IOS 12.2(33)SRC3.
    (When I have 33 prefixes or more in the VRF table on the PE, and I try to advertise this network to the CE router (by redistributing BGP into EIGRP), the EIGRP process begins to flap.
    I can't advertise more than 32 subnets at a time why?????
    The very weird part here, is that when I do debug ip eigrp on the PE and the CE, I can see that the PE router is sending the routes to the CE, but on the CE I can see nothing.)
    In my case there are 16 prefixes. When redistributing BGP into EIGRP on already adjacent EIGRP neighbors everything works perfectly, until some side clears it, then it begins flapping. On PE router debug shows "retry limit exceeded", on CE "Interface Goodbye received"
    If solution will be same what software should I use?
    Thanks,
    George Shiukashvili

    George,
    Let me ask a few questions:
    What is the link layer technology that interconnects the PE and CE that are currently experiencing these issues?
    Are there any devices inside the PE-CE path that could at least possibly (and randomly) block multicasts and/or large packets?
    Is it possible to modify the EIGRP configuration both on PE and CE to manual neighbor definition using the neighbor commands? This would force all EIGRP communication between the PE and CE to run as unicast, possibly avoiding some issues with multicast packet delivery.
    Is it possible for you to post some show commands from both the PE and CE? I would be interested in seeing the show ip interface, show interfaces, show running-config interface regarding the particular interfaces on PE and CE that connect to each other, and also, I would like to see the EIGRP configuration on both devices.
    I agree with the assessment of Mahesh - the preliminary information we have suggests that either the PE packets are not arriving at the CE, or the ACK packets from CE are not arriving back at the PE. Your own debug analysis furthermore revealed that there are no EIGRP Update packets arriving from the PE at the CE. Problems with MTU could indeed cause these problems but it is necessary to inspect the entire path between PE and CE.
    Best regards,
    Peter

  • What is this? - Routing Protocol is "application"

    Can anyone tell me what this is?
    Routing Protocol is "application"
    I see it when I do a show protocols.  What routing protocol is it?
    Thank you in advance!

    This is the full output I am confused about.  This is from my ASR 1004:
    #sh ip protocols 
    *** IP Routing is NSF aware ***
    Routing Protocol is "application"
      Sending updates every 0 seconds
      Invalid after 0 seconds, hold down 0, flushed after 0
      Outgoing update filter list for all interfaces is not set
      Incoming update filter list for all interfaces is not set
      Maximum path: 32
      Routing for Networks:
      Routing Information Sources:
        Gateway         Distance      Last Update
      Distance: (default is 4)

  • I am looking for an AP that can perform the routing as well which model should i go for

    Hi, while setting up the wireless network for best networking institute in bangalore, networkers Zone (http://networkerszone.com/), I found that we require a router for static routing and an AP, so I was wondering if I can get one device for both purposes as I do not need to run routing protocols.

    Hi,
    the Cisco 891W or 881W come with a built-in AP module inside; that would be like having a router connected with an Ethernet cable to a standalone access point, but instead of having the 2 devices the AP module is embedded inside the router.
    http://www.cisco.com/en/US/products/ps10194/index.html
    http://www.cisco.com/en/US/products/ps9556/index.html

  • Dynamic Routing Protocols - what do I really need to know?

    Ok, ridiculously broad question I know but....what I'm trying to figure out is, let's say I'm in a large corporation and I have multiple field sites in different areas of the country so the network setup may be somewhat complex but when it comes to setting up the dynamic routing...is it as simple as let's say, configuring a router to use BGP for whatever portion you designate then just letting it be? Is it somewhat challenging to initially configure dynamic routing protocols (i.e. how often have you found yourselves worrying about admin distance, areas (I don't even know what an "area" is yet either so if anyone could explain that I would appreciate it), etc.)?
    So in short, are dynamic routing protocols "Set it and forget it" or do they require a ton of planning to set up? I'm familiar with the differences between them (i.e. OSPF, RIP, EIGRP, etc.) and the differences in link state and distance vector but I just wanted to ask about the setup of the protocols themselves.
    Thanks!!

    You can exchange routes between protocols with redistribution.
    The problem with the question is, as you say, it is too broad to really answer properly.
    All routing protocols have different considerations so what you might do for EIGRP you may not do with OSPF and BGP is different altogether.
    As a general answer if you are enabling it across a WAN all take a certain amount of planning and design and they all rely heavily on what you have done with your IP addressing in terms of summarisation etc.
    The actual configurations to get a basic setup running are relatively simple, certainly for IGPs, but as your network grows you may find the configurations becoming more complex.
    BGP is very different in that there are many different commands you can use to influence the path traffic takes but even here to set up a very basic BGP peering only requires a few commands.
    But no routing protocol in a large environment should just be configured with no thought as to how it is going to work, traffic paths, number of routes etc.
    You can do it but you may well find as your network grows you will end up having to revisit the whole thing because it is not working as you intended.
    Like I say it's too large a question to really answer because each routing protocol is different and may or may not meet the requirements of the network.
    If there are more specific questions then please feel free to ask.
    Jon

  • Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

    Dear Experts,
    Would like to know whether dynamic Routing Protocols are supported in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

    Hi,
    Check out this document for the information
    http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
    It lists the following for software level 9.0(1)
    Multiple Context Mode Features
    Dynamic routing in Security Contexts
    EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
    Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
    I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
    Hope this helps
    - Jouni

  • Does inverse arp forward routing protocols?

    I know by doing the, frame-relay map ip <x.x.x.x> (dlci #) broadcast routing protocols work in my lab inside of packet tracer. But when I was just doing inverse arp dynamically, "Serial0/0 (up): ip 80.53.32.1 dlci 25, dynamic, broadcast, CISCO, status defined, active" the routing protocols do not work. Is there a way to have inverse arp to work with broadcast?

    Cool, I'll read it in just a bit. Would you also happen to know if a cloud in Packet Tracer is able to work from point-to-point (sub interfaces) frame relay networks? I am attempting it and I can't get the cloud to accept more than a few mappings of the sub interfaces' dlci's so only half of it works, the rest I get an error message

  • DMVPN Routing Protocols

    Hi all, I have a couple of questions about routing protocols over  DMVPN.
    I'm a bit rusty so I'd appreciate if there's mistakes in my understanding if you could correct me.
    I understand the EIGRP doesn't ordinarily use the next hop field, receiving routers insert the source of the EIGRP update as the next hop. It uses split horizoning and feasibility tests to detect loops. Over DMVPN you can use the no ip next hop self eigrp command to force eigrp to insert the originating router as the next hop.
    OSPF you can specify different OSPF network types - I cannot remember exactly but it may be broadcast networks or multi-access that don't change the next hop?
    RIPv2 - I do not understand how RIPv2 works with DMVPN (although I know it does) as to my knowledge Ripv2 does indeed change the next hop.
    Can anyone explain how Ripv2 integrates with DMVPN and confirm or correct my understanding of EIGRP/OSPF?
    Thanks very much

    You're correct on EIGRP. OSPF preserves the next hop of the originating router in all modes except point-to-multipoint. RIPv2 always preserves the original next-hop and this can't be turned off... so it works with DMVPN with no modification except for the split-horizon considerations.
    For scaling DMVPN, your worst choice is OSPF because of the large link-state database that forms with so many routers on a single subnet. EIGRP and RIPv2 are very good for DMVPN because the updates are small and simple. These days, I'm moving to BGP for just about all of my DMVPN work... mostly because it scales better than any IGP.

  • Routing protocols over IPSEC

    why can't you run a routing protocol in IPSEC tunnel mode? why do you need GRE to run a routing protocol?

    Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE which can easily pass multicast and broadcast traffic within the tunnel as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
    HTH
    Rick
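
The encapsulation described in the answer above, as an added example that is not part of the original thread: Python that wraps a multicast-addressed routing packet in GRE and parses the result, showing that the outer header is unicast and that the basic GRE header costs the 4 bytes mentioned in the earlier tunnel-protection post. Tunnel endpoint addresses, the inner source address and the placeholder OSPF payload are constructed.

```python
import ipaddress
import struct

GRE_PROTO, OSPF_PROTO = 47, 89        # IANA IP protocol numbers
GRE_ETHERTYPE_IPV4 = 0x0800

def checksum(data: bytes) -> int:
    """Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) followed by the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def gre_encap(inner: bytes) -> bytes:
    """Basic GRE header: no checksum/key/sequence flags, version 0 (4 bytes)."""
    return struct.pack("!HH", 0, GRE_ETHERTYPE_IPV4) + inner

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {
        "proto": pkt[9],
        "src": ipaddress.IPv4Address(pkt[12:16]),
        "dst": ipaddress.IPv4Address(pkt[16:20]),
        "header_ok": checksum(pkt[:ihl]) == 0,   # valid header sums to zero
        "payload": pkt[ihl:],
    }

def build_tunnelled_hello():
    """Return (inner, outer): an OSPF-style multicast packet and its GRE wrapper."""
    ospf_placeholder = bytes(24)                  # constructed stand-in payload
    inner = ipv4("10.0.0.1", "224.0.0.5", OSPF_PROTO, ospf_placeholder, ttl=1)
    # Constructed tunnel endpoints (documentation address range).
    outer = ipv4("198.51.100.1", "198.51.100.2", GRE_PROTO, gre_encap(inner))
    return inner, outer

if __name__ == "__main__":
    inner, outer = build_tunnelled_hello()
    o = parse_ipv4(outer)
    i = parse_ipv4(o["payload"][4:])
    print("outer:", o["src"], "->", o["dst"], "multicast:", o["dst"].is_multicast)
    print("inner:", i["src"], "->", i["dst"], "multicast:", i["dst"].is_multicast)
    print("added bytes:", len(outer) - len(inner))
```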

  • If support dynamic routing protocol?

    Hi, guys
    I know RRAS can support only RIP protocol. However, I can't find any way to configure dynamic routing protocol on TMG, some people say TMG can't support that, even RIP. That's right? Is it possible or is there any plug-in that can help TMG to do that?
    Nice Day

    Hi,
    Thank you for your post here.
    As far as I know, it is impossible to do that. By default, TMG does not support it.
    http://technet.microsoft.com/en-us/library/ee796231.aspx#t4t4e4t
    Best Regards
    Quan Gu

  • Routing Protocol recommendation for MPLS Network

    I am in the process of building a 14 site MPLS network for voice and data traffic. The vendor installing the network has configured RIPv2 as the routing protocol. I am considering switching this over to EIGRP. Can anyone explain to me why this would be better or should I just stay with RIP.
    Thanks

    Hi Chip,
    It's not very clear whether you are implementing a MPLS network or implementing a Network over MPLS for an end user with 14 sites.
    1) If MPLS network then other IGP variants than OSPF and ISIS are best avoided. Now if the choice is between ISIS and OSPF then my personal recommendation would be OSPF. And this decision is purely driven by Operational Considerations rather than any technical advantages. Since at the end of the day what matters is how easy it is to implement, add, delete or troubleshoot the network.
    2) If for End User then it would not be right to recommend EIGRP or RIP or OSPF without knowing the current size & topology of each of these 14 sites, as well as the desired expansion plans. But if these 14 sites are the only sites and are all standalone branch sites connecting over MPLS VPN then RIP, EIGRP or OSPF can be implemented as per your and customer comfort.
    HTH-Cheers,
    Swaroop

  • Routing protocol over mpls

    Hi  all, 
    i have to implement a network customer over a vpls provider  ( 60 site L2  any to any).
    which protocol for this design ? eigrp, ospf or bgp with advantage or inconvenient?
    thanks,

    If this is to be a layer 2 network for 60 sites with any to any connectivity then you can choose whichever routing protocol you wish since the provider will not be participating in the routing protocol. BGP would be at the bottom of my list for this for several reasons, one of which is that BGP does not do dynamic neighbor discovery and I would not want to manually configure 59 neighbors on each of 60 routers.
    Either OSPF or EIGRP could be good choices. If we knew more about this network it might be possible to favor one or the other. For OSPF it seems likely that you would have a single area and some people might be concerned about 60 peers in a single area. But I think it could be appealing that most routers would go through full adjacency with only two peers where with EIGRP each router would negotiate neighbor relationship with 59 neighbors. Another consideration might be what the topology of the sites is like. If each site has several subnets and if the subnets fall into summarizable ranges then EIGRP might be preferred since it enables summarization from each of the routers which reduces the complexity of the routing table on each neighbor.
    HTH
    Rick
