Mar 6th, 2007

I have a set of four routers at site 1 exchanging route information using EIGRP over ethernet. There are two serial links from two of the routers to site 2 which also has four routers using the same EIGRP AS as the routers at site 1. The serial links are also included in the same EIGRP AS.

I want to set up a site to site VPN between two of the routers, one at each site, neither router directly attaches to the serial links.

My question is: How do I allow the port on the router used for the VPN to continue sending and receiving EIGRP updates? Will including in the ACL for the IPsec tunnel the rule:

deny ip 88 any any

do the trick? This will keep EIGRP updates out of the VPN tunnel between the two routers, but will the routing messages continue to be sent and received on the interfaces used for the VPN tunnel?

Overall Rating: 4 (1 ratings)
dgahm Tue, 03/06/2007 - 21:50


Configuring the VPN will not alter the EIGRP behavior of the interface the crypto map is applied to. The VPN will encrypt the traffic you define, but other traffic will still use the interface normally.

The only way to allow EIGRP to function through a VPN is to use GRE and tunnel interfaces. Standard IPSEC VPNs will not pass the multicasts required for EIGRP to establish neighbor relationships. If you are using GRE you can use the passive interface command under router eigrp to prevent the tunnel interfaces from sending hellos.

Bottom line, your VPN should work the way you want without doing any specific EIGRP configuration.

Please rate helpful posts.
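
The behaviour described in the reply above, shown as an added IOS configuration example that is not part of the original thread. All addresses, the AS number 100, the interface names, the object names (S2S-TS, S2S-CRYPTO, S2S-MAP, GRE-CRYPTO) and the key placeholder are assumptions made for illustration.

```cisco
! Added example. Addresses, names, AS number and key are constructed placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 10.2.0.1
!
crypto ipsec transform-set S2S-TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: "permit" selects the traffic to encrypt. Traffic that is not
! permitted (EIGRP, IP protocol 88, included) is not dropped by this ACL;
! it keeps using the interface unencrypted, as it did before the VPN.
ip access-list extended S2S-CRYPTO
 permit ip 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255
!
crypto map S2S-MAP 10 ipsec-isakmp
 set peer 10.2.0.1
 set transform-set S2S-TS
 match address S2S-CRYPTO
!
interface GigabitEthernet0/1
 ip address 10.1.0.1 255.255.255.0
 crypto map S2S-MAP
!
! EIGRP configuration is unchanged by the crypto map.
router eigrp 100
 network 10.1.0.0 0.0.0.255
 network 10.1.10.0 0.0.0.255
!
! GRE variant mentioned in the reply: the crypto ACL protects the GRE
! packets between the two tunnel endpoints (referenced with
! "match address GRE-CRYPTO" in place of S2S-CRYPTO), and the tunnel
! interface is made passive so it sends no EIGRP hellos.
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 10.2.0.1
!
ip access-list extended GRE-CRYPTO
 permit gre host 10.1.0.1 host 10.2.0.1
!
router eigrp 100
 network 172.16.0.0 0.0.0.3
 passive-interface Tunnel0
```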


