Can getvpn encrypt routing information in routing protocol?
Hello everyone,
We're thinking of deploying GETVPN on a military network over a carrier vendor VPLS cloud. My concern is: can the route updates, hello packets, etc. in EIGRP be encrypted so that the carrier cannot see our network information? Thanks
GETVPN is a policy based VPN, it will encrypt whatever you need it to encrypt. Whether that's desirable, that's another thing.
As usual you can refer to GETVPN DIG
http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf
Section 3.5.4 should be informative.
Similar Messages
-
Can i run routing protocol with only F2 line card?
Hello. : )
One question.
Can i run routing protocol such as ospf, bgp, eigrp with only F2 modules? (no M linecard)
Thank you in advance : )
Hi,
Yes, you can use OSPF, EIGRP, IS-IS, etc...
see link below for more info:
http://www.cisco.com/c/dam/en/us/products/collateral/switches/nexus-7000-series-switches/at_a_glance_c45-689339.pdf
HTH -
IPSEC tunnel and Routing protocols Support
Hi Everyone,
I read that IPSEC does not support routing protocols with site-to-site VPN, as they are both Layer 4.
Does it mean that if Site A has to reach Site B over a WAN link we should use static IP on the Site A and Site B routers?
In my home lab I configured a site-to-site IPSEC VPN and it is working fine using OSPF. Does this mean that IPSEC supports routing protocols?
Could someone please explain this to me?
OSPF config A side
router ospf 1
router-id 3.4.4.4
log-adjacency-changes
area 10 virtual-link 10.4.4.1
passive-interface Vlan10
passive-interface Vlan20
network 3.4.4.4 0.0.0.0 area 0
network 192.168.4.0 0.0.0.255 area 10
network 192.168.5.0 0.0.0.255 area 0
network 192.168.10.0 0.0.0.255 area 0
network 192.168.20.0 0.0.0.255 area 0
network 192.168.30.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
3550SMIA#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.5.3 to network 0.0.0.0
O 192.168.12.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
3.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O 3.3.3.3/32 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 3.4.4.0/24 is directly connected, Loopback0
C 192.168.30.0/24 is directly connected, Vlan30
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.5.3, 1d09h, FastEthernet0/11
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
C 192.168.10.0/24 is directly connected, Vlan10
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.2.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.1.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O E2 172.31.0.0 [110/300] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.11.0/24 [110/3] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.98.0/24 [110/2] via 192.168.99.1, 3d17h, FastEthernet0/8
C 192.168.99.0/24 is directly connected, FastEthernet0/8
C 192.168.20.0/24 is directly connected, Vlan20
192.168.5.0/31 is subnetted, 1 subnets
C 192.168.5.2 is directly connected, FastEthernet0/11
C 10.0.0.0/8 is directly connected, Tunnel0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/2] via 192.168.5.3, 3d17h, FastEthernet0/11
O 192.168.1.0/24 [110/13] via 192.168.5.3, 3d17h, FastEthernet0/11
O*E2 0.0.0.0/0 [110/1] via 192.168.5.3, 1d09h, FastEthernet0/11
B Side Config
Side A
router ospf 1
log-adjacency-changes
network 192.168.97.0 0.0.0.255 area 0
network 192.168.98.0 0.0.0.255 area 0
network 192.168.99.0 0.0.0.255 area 0
1811w# sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 192.168.99.2 to network 0.0.0.0
O 192.168.12.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
100.0.0.0/32 is subnetted, 1 subnets
O 100.100.100.100 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
3.0.0.0/32 is subnetted, 2 subnets
O 3.3.3.3 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 3.4.4.4 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.30.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
64.0.0.0/32 is subnetted, 1 subnets
O E2 64.59.135.150 [110/300] via 192.168.99.2, 1d09h, FastEthernet0
4.0.0.0/32 is subnetted, 1 subnets
O 4.4.4.4 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.10.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
172.31.0.0/24 is subnetted, 4 subnets
O E2 172.31.3.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.2.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.1.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O E2 172.31.0.0 [110/300] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.11.0/24 [110/4] via 192.168.99.2, 3d17h, FastEthernet0
C 192.168.98.0/24 is directly connected, BVI98
C 192.168.99.0/24 is directly connected, FastEthernet0
O 192.168.20.0/24 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.5.0/31 is subnetted, 1 subnets
O 192.168.5.2 [110/2] via 192.168.99.2, 3d17h, FastEthernet0
192.168.6.0/31 is subnetted, 1 subnets
O 192.168.6.2 [110/3] via 192.168.99.2, 3d17h, FastEthernet0
O 192.168.1.0/24 [110/14] via 192.168.99.2, 3d17h, FastEthernet0
O*E2 0.0.0.0/0 [110/1] via 192.168.99.2, 1d09h, FastEthernet0
Thanks
Mahesh
Hello,
I'm saying crypto maps have a lot of limitations. Tunnel protection makes way more sense.
You can configure it in 2 ways [and multicast WILL work over it]
1- GRE over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode transport
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel protection ipsec profile tp
We have configured mode transport because we encrypt GRE + whatever we encapsulate in GRE [e.g. OSPF - telnet - http]
Pros:
We can as well transport IPV6 or CDP
Cons:
4 bytes of overhead due to GRE
2- IP over IPSEC
crypto ipsec transform-set aes esp-aes 256 esp-sha-hmac
mode tunnel
crypto ipsec profile tp
set transform-set aes
int tu1
ip address 255.255.255.252
tunnel source
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile tp
This config is in fact closer to a crypto map [from an encapsulation standpoint]. The transform-set then NEEDS to be in tunnel mode.
Pro:
4 bytes overhead less than GRE over IPSEC
Cons:
Cannot transport CDP or MPLS or IPV6. Very limiting IMHO
Cheers
Olivier -
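As an added example (not code from the thread above), the following Python works out the on-the-wire sizes behind the two overhead figures in Olivier's comparison of GRE over IPsec (ESP transport mode) and IP over IPsec / VTI (ESP tunnel mode). It assumes esp-aes 256 is AES-CBC with a 16-byte IV and esp-sha-hmac is HMAC-SHA1-96 with a 12-byte ICV; the numbers are computed from the header formats, not measured.

```python
# Added example, not from the original thread. Header sizes assumed:
# IPv4 20, ESP SPI+sequence 8, AES-CBC IV 16, ESP trailer 2 (pad length +
# next header), HMAC-SHA1-96 ICV 12, GRE 4 (no key, no sequence),
# and a 16-byte AES block for ESP padding (RFC 4303 pads CBC to the block).

IPV4_HDR = 20
ESP_HDR = 8        # SPI (4) + sequence number (4)
AES_IV = 16        # esp-aes 256 is AES-CBC: one block of IV precedes the ciphertext
AES_BLOCK = 16     # ESP pads plaintext + trailer up to a multiple of this
ESP_TRAILER = 2    # pad length (1) + next header (1)
SHA1_ICV = 12      # esp-sha-hmac: HMAC-SHA1-96 integrity check value
GRE_HDR = 4        # flags/version (2) + protocol type (2), no key, no sequence

def esp_encrypted_len(plaintext_len):
    """Length of the ESP encrypted region: plaintext + padding + trailer,
    rounded up to the cipher block size."""
    need = plaintext_len + ESP_TRAILER
    pad = (-need) % AES_BLOCK
    return need + pad

def wire_size(inner_len, design):
    """Bytes on the carrier link for an inner IP packet of inner_len bytes.

    design="gre": GRE over IPsec, transport mode. The GRE delivery IP header is
      the outer header; ESP sits after it and encrypts GRE + inner packet.
    design="vti": IP over IPsec (tunnel mode ipsec ipv4). ESP tunnel mode adds
      a new outer IP header and encrypts the inner packet directly.
    """
    if design == "gre":
        plaintext = GRE_HDR + inner_len
    elif design == "vti":
        plaintext = inner_len
    else:
        raise ValueError(design)
    return IPV4_HDR + ESP_HDR + AES_IV + esp_encrypted_len(plaintext) + SHA1_ICV

def max_inner_len(path_mtu, design):
    """Largest inner IP packet that fits in path_mtu without fragmenting the
    ESP packet; a sensible starting value for 'ip mtu' on the tunnel."""
    fixed = IPV4_HDR + ESP_HDR + AES_IV + SHA1_ICV
    enc_budget = path_mtu - fixed
    enc_budget -= enc_budget % AES_BLOCK          # whole cipher blocks only
    extra = GRE_HDR if design == "gre" else 0
    return enc_budget - ESP_TRAILER - extra

if __name__ == "__main__":
    for design in ("gre", "vti"):
        print(design, "max inner packet on a 1500-byte path:",
              max_inner_len(1500, design))
    for inner in (1390, 1400):
        print(inner, "bytes inner -> gre:", wire_size(inner, "gre"),
              "vti:", wire_size(inner, "vti"))
```

Because ESP pads to the AES block, the 4 GRE bytes cost either 0 or 16 bytes on the wire for any given packet; the 4-byte difference reappears cleanly in the largest inner packet that still fits the path MTU.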
Link State Routing Protocol Question
"In LSP, one router in each area is designated as the authoritative source of routing information (called a designated router). Each area router receives updates from the designated router" Why is a designated router needed? How does it work? Why can't it just broadcast LSPs and learn the routing information without the need for a designated router? Is the designated router the same as the backbone or root area in OSPF? Is the "area" concept only used in the link state routing protocol OSPF?
hi...
you will find area topology in IS-IS also...
here we are using the area as well as the DR and BDR for reducing the LSA flooding in the area... each router in the OSPF area will send its update to the DR on a multicast address and then the DR will send the multicast update to all other routers in the area... here each and every router in the area has a full adjacency with the DR but they are not in full adjacency with any other router...
hope this will help you
rate this post if it helps
regards
Devang -
Problems with running EIGRP as PE-CE routing protocol 2
Dear all,
I am facing the exact same problem as a previous user of running EIGRP as the PE-CE routing protocol for an MPLS VPN customer, but on different hardware. The PE router is a 7609-S RSP720-3CXL-GE running IOS 12.2(33)SRC3.
(When I have 33 prefixes or more in the VRF table on the PE, and I try to advertise this network to the CE router (by redistributing BGP into EIGRP), the EIGRP process begins to flap.
I can't advertise more than 32 prefixes at a time. Why?
The very weird part here, is that when I do debug ip eigrp on the PE and the CE, I can see that the PE router is sending the routes to the CE, but on the CE I can see nothing.)
In my case there are 16 prefixes. When redistributing BGP into EIGRP on already adjacent EIGRP neighbors everything works perfectly, until one side clears it; then it begins flapping. On the PE router the debug shows "retry limit exceeded", on the CE "Interface Goodbye received".
If solution will be same what software should I use?
Thanks,
George Shiukashvili
George,
Let me ask a few questions:
What is the link layer technology that interconnects the PE and CE that are currently experiencing these issues?
Are there any devices inside the PE-CE path that could at least possibly (and randomly) block multicasts and/or large packets?
Is it possible to modify the EIGRP configuration both on PE and CE to manual neighbor definition using the neighbor commands? This would force all EIGRP communication between the PE and CE to run as unicast, possibly avoiding some issues with multicast packet delivery.
Is it possible for you to post some show commands from both the PE and CE? I would be interested in seeing the show ip interface, show interfaces, show running-config interface regarding the particular interfaces on PE and CE that connect to each other, and also, I would like to see the EIGRP configuration on both devices.
I agree with the assessment of Mahesh - the preliminary information we have suggests that either the PE packets are not arriving at the CE, or the ACK packets from the CE are not arriving back at the PE. Your own debug analysis furthermore revealed that there are no EIGRP Update packets arriving from the PE at the CE. Problems with MTU could indeed cause these problems, but it is necessary to inspect the entire path between PE and CE.
Best regards,
Peter -
What is this? - Routing Protocol is "application"
Can anyone tell me what this is?
Routing Protocol is "application"
I see it when I do a show protocols. What routing protocol is it?
Thank you in advance!
This is the full output I am confused about. This is from my ASR 1004:
#sh ip protocols
*** IP Routing is NSF aware ***
Routing Protocol is "application"
Sending updates every 0 seconds
Invalid after 0 seconds, hold down 0, flushed after 0
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Maximum path: 32
Routing for Networks:
Routing Information Sources:
Gateway Distance Last Update
Distance: (default is 4) -
I am looking for an AP that can perform the routing as well which model should i go for
Hi, while setting up the wireless network for the best networking institute in Bangalore, Networkers Zone (http://networkerszone.com/), I found that we require a router for static routing and an AP, so I was wondering if I can get one device for both purposes as I do not need to run routing protocols.
Hi,
The Cisco 891W or 881W come with a built-in AP module inside; that would be like having a router connected with an Ethernet cable to a stand-alone access point, but instead of having the 2 devices the AP module is embedded inside the router.
http://www.cisco.com/en/US/products/ps10194/index.html
http://www.cisco.com/en/US/products/ps9556/index.html -
Dynamic Routing Protocols - what do I really need to know?
Ok, ridiculously broad question I know but....what I'm trying to figure out is, let's say I'm in a large corporation and I have multiple field sites in different areas of the country so the network setup may be somewhat complex, but when it comes to setting up the dynamic routing...is it as simple as, let's say, configuring a router to use BGP for whatever portion you designate then just letting it be? Is it somewhat challenging to initially configure dynamic routing protocols (i.e. how often have you found yourselves worrying about admin distance, areas (I don't even know what an "area" is yet either, so if anyone could explain that I would appreciate it), etc..
So in short, are dynamic routing protocols "set it and forget it" or do they require a ton of planning to set up? I'm familiar with the differences between them (i.e. OSPF, RIP, EIGRP, etc..) and the differences between link state and distance vector, but I just wanted to ask about the setup of the protocols themselves.
Thanks!!
You can exchange routes between protocols with redistribution.
The problem with the question is, as you say, it is too broad to really answer properly.
All routing protocols have different considerations so what you might do for EIGRP you may not do with OSPF and BGP is different altogether.
As a general answer, if you are enabling it across a WAN all take a certain amount of planning and design, and they all rely heavily on what you have done with your IP addressing in terms of summarisation etc.
The actual configurations to get a basic setup running are relatively simple, certainly for IGPs, but as your network grows you may find the configurations becoming more complex.
BGP is very different in that there are many different commands you can use to influence the path traffic takes, but even here to set up a very basic BGP peering only requires a few commands.
But no routing protocol in a large environment should just be configured with no thought as to how it is going to work, traffic paths, number of routes etc.
You can do it but you may well find as your network grows you will end up having to revisit the whole thing because it is not working as you intended.
Like I say it's too large a question to really answer because each routing protocol is different and may or may not meet the requirements of the network.
If there are more specific questions then please feel free to ask.
Jon -
Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode
Dear Experts,
Would like to know whether dynamic routing protocols are supported in Cisco ASA Firewall multiple context mode. If yes, then please provide the OS version and hardware model of the Cisco ASA Firewall. Appreciate the quick response. Thanks.
Hi,
Check out this document for the information
http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
It lists the following for software level 9.0(1)
Multiple Context Mode Features
Dynamic routing in Security Contexts
EIGRP and OSPFv2 dynamic routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing are not supported.
Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
I don't think it's related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesn't support that is the ASA5505 of the whole ASA5500 and ASA5500-X series.
Hope this helps
- Jouni -
Does inverse arp forward routing protocols?
I know by doing the, frame-relay map ip <x.x.x.x> (dlci #) broadcast routing protocols work in my lab inside of packet tracer. But when I was just doing inverse arp dynamically, "Serial0/0 (up): ip 80.53.32.1 dlci 25, dynamic, broadcast, CISCO, status defined, active" the routing protocols do not work. Is there a way to have inverse arp to work with broadcast?
Cool, I'll read it in just a bit. Would you also happen to know if a cloud in Packet Tracer is able to work with point-to-point (sub-interface) frame relay networks? I am attempting it and I can't get the cloud to accept more than a few mappings of the sub-interface DLCIs, so only half of it works; for the rest I get an error message.
-
Hi all, I have a couple of questions about routing protocols over DMVPN.
I'm a bit rusty, so if there are mistakes in my understanding I'd appreciate it if you could correct me.
I understand that EIGRP doesn't ordinarily use the next hop field; receiving routers insert the source of the EIGRP update as the next hop. It uses split horizon and feasibility tests to detect loops. Over DMVPN you can use the no ip next hop self eigrp command to force EIGRP to insert the originating router as the next hop.
OSPF you can specify different OSPF network types - I cannot remember exactly but it may be broadcast networks or multi-access that don't change the next hop?
RIPv2 - I do not understand how RIPv2 works with DMVPN (although I know it does) as to my knowledge Ripv2 does indeed change the next hop.
Can anyone explain how Ripv2 integrates with DMVPN and confirm or correct my understanding of EIGRP/OSPF?
Thanks very much
You're correct on EIGRP. OSPF preserves the next hop of the originating router in all modes except point-to-multipoint. RIPv2 always preserves the original next-hop and this can't be turned off... so it works with DMVPN with no modification except for the split-horizon considerations.
For scaling DMVPN, your worst choice is OSPF because of the large link-state database that forms with so many routers on a single subnet. EIGRP and RIPv2 are very good for DMVPN because the updates are small and simple. These days, I'm moving to BGP for just about all of my DMVPN work... mostly because it scales better than any IGP. -
why can't you run a routing protocol in IPSEC tunnel mode? why do you need GRE to run a routing protocol?
Most of the dynamic routing protocols use multicast addressing or broadcast addressing for the destination address. IPSec processes unicast IP traffic. This is the reason that we have traditionally used GRE which can easily pass multicast and broadcast traffic within the tunnel as the way to run routing protocols over IPSec tunnels. With GRE the multicast routing protocol traffic is encapsulated in a GRE packet which has a unicast source and destination address.
HTH
Rick -
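As an added example (not code from the thread, illustrating Rick's answer just above), the following Python builds a multicast OSPF hello, shows that IPsec has no unicast peer to key with for it, then wraps it in GRE so the outer delivery header is unicast while the inner packet still carries the multicast destination. The addresses and the hello body are constructed for illustration.

```python
import socket
import struct

# Added example, not from the original thread. Addresses, the OSPF hello body
# and the tunnel endpoints below are constructed for illustration.

OSPF_PROTO, GRE_PROTO = 89, 47
ALL_SPF_ROUTERS = "224.0.0.5"           # OSPF hello destination (RFC 2328)

def ipv4_checksum(hdr):
    """Ones'-complement sum of the header's 16-bit words; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=1):
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_ipv4(packet):
    """Return (src, dst, proto) of the outermost IPv4 header."""
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[9])

def is_multicast(addr):
    return 224 <= int(addr.split(".")[0]) <= 239    # 224.0.0.0/4

def ipsec_peer(packet):
    """The address IPsec would negotiate an SA with, or None when the packet's
    destination is multicast: there is no single peer to key with."""
    _, dst, _ = parse_ipv4(packet)
    return None if is_multicast(dst) else dst

def gre_encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an IPv4 packet in GRE (no key/sequence, protocol type 0x0800)."""
    gre = struct.pack("!HH", 0x0000, 0x0800)
    outer = ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO,
                        len(gre) + len(inner), ttl=255)
    return outer + gre + inner

def gre_decapsulate(packet):
    """Strip the delivery IPv4 header and GRE header; return the inner packet."""
    _, _, proto = parse_ipv4(packet)
    if proto != GRE_PROTO or ipv4_checksum(packet[:20]) != 0:
        raise ValueError("not a valid GRE/IPv4 packet")
    flags, ptype = struct.unpack("!HH", packet[20:24])
    if flags & 0xB000 or ptype != 0x0800:      # C, K or S bit set, or not IPv4
        raise ValueError("unsupported GRE header")
    return packet[24:]

# Constructed stand-in for an OSPFv2 hello: version 2, type 1, length 44.
HELLO = bytes([2, 1]) + struct.pack("!H", 44) + b"\x00" * 40
BARE = ipv4_header("192.168.99.1", ALL_SPF_ROUTERS, OSPF_PROTO, len(HELLO)) + HELLO
WRAPPED = gre_encapsulate(BARE, "203.0.113.1", "203.0.113.2")

if __name__ == "__main__":
    print("bare hello, IPsec peer:", ipsec_peer(BARE))        # None
    print("GRE-wrapped, IPsec peer:", ipsec_peer(WRAPPED))    # 203.0.113.2
    print("inner destination still:", parse_ipv4(gre_decapsulate(WRAPPED))[1])
```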
If support dynamic routing protocol?
Hi, guys
I know RRAS can support only the RIP protocol. However, I can't find any way to configure a dynamic routing protocol on TMG; some people say TMG can't support that, not even RIP. Is that right? Is it possible, or is there any plug-in that can help TMG do that?
Nice Day
Hi,
Thank you for your post here.
As far as I know, it is impossible to do that. By default, TMG does not support it.
http://technet.microsoft.com/en-us/library/ee796231.aspx#t4t4e4t
Best Regards
Quan Gu -
Routing Protocol recommendation for MPLS Network
I am in the process of building a 14 site MPLS network for voice and data traffic. The vendor installing the network has configured RIPv2 as the routing protocol. I am considering switching this over to EIGRP. Can anyone explain to me why this would be better or should I just stay with RIP.
Thanks
Hi Chip,
It's not very clear whether you are implementing an MPLS network or implementing a network over MPLS for an end user with 14 sites.
1) If MPLS network then other IGP variants than OSPF and ISIS best avoided. Now if the choice is between ISIS and OSPF then my personal recommendation would be OSPF. And this decision is purely driven by Operational Considerations rather than any technical advantages. Since at the end of the day what matters is how easy it is to implement add delete or troubleshoot the network.
2) If for an end user, then it would not be right to recommend EIGRP or RIP or OSPF without knowing the current size & topology of each of these 14 sites, as well as the desired expansion plans. But if these 14 sites are the only sites and are all standalone branch sites connecting over MPLS VPN then RIP, EIGRP or OSPF can be implemented as per your and the customer's comfort.
HTH-Cheers,
Swaroop -
Hi all,
i have to implement a network customer over a vpls provider ( 60 site L2 any to any).
which protocol for this design ? eigrp, ospf or bgp with advantage or inconvenient?
thanks,
If this is to be a layer 2 network for 60 sites with any to any connectivity then you can choose whichever routing protocol you wish since the provider will not be participating in the routing protocol. BGP would be at the bottom of my list for this for several reasons, one of which is that BGP does not do dynamic neighbor discovery and I would not want to manually configure 59 neighbors on each of 60 routers.
Either OSPF or EIGRP could be good choices. If we knew more about this network it might be possible to favor one or the other. For OSPF it seems likely that you would have a single area and some people might be concerned about 60 peers in a single area. But I think it could be appealing that most routers would go through full adjacency with only two peers where with EIGRP each router would negotiate neighbor relationship with 59 neighbors. Another consideration might be what the topology of the sites is like. If each site has several subnets and if the subnets fall into summarizable ranges then EIGRP might be preferred since it enables summarization from each of the routers which reduces the complexity of the routing table on each neighbor.
HTH
Rick