Dynamic Routing

Unanswered Question
Sep 3rd, 2008

I have three Cisco IOS routers at three branch offices which are linked to each other through VPN tunnels. Each branch office has its own internet connection and uses this internet connection for general internet access.

The router in the first branch has an additional VPN tunnel to the corporate network. There are about a dozen static routes set up in the first router, routing various IP subnets through the VPN tunnel to the corporate network.

The second and third router use their VPN connection to the first router to access the corporate network from there. For this, the second and third router basically have the same static routes as the first router, forwarding all corporate network traffic to the first router which forwards it to the corporate network.

All this works fine but is a little cumbersome to maintain. Each time the static routes to the corporate network change, it has to be done on all three routers.

I was thinking that it may be better to utilize a dynamic routing protocol instead which automatically propagates the static routes on the first router to the second and third. I have never done this before and the choice of protocols in the IOS documentation is big. From what I understand so far, RIP or OSPF may be an option to achieve it. But lacking experience with these protocols, I wonder whether someone could make a recommendation as to which protocol (if any) would be appropriate and maybe give an idea of how to set it up.

Istvan_Rabai Wed, 09/03/2008 - 16:31

Hi Gerald,

Traditional IPSec VPNs do not forward multicast packets and you will not be able to set up neighbor relationships and dynamic routing on your current network.

The solution is to use GRE over IPSec.

With this, multicast packets, just like any other IP packets, are encapsulated in an additional outer IP header (called GRE header) and then IPSec encryption is applied to these packets.

This way you will be able to route multicast packets through your IPSec VPNs and you can set up dynamic routing protocols between the routers.

GRE over IPSec is a proven solution.

Here's a link for you to study about GRE over IPSec and how to configure it:

http://www.cisco.com/en/US/tech/tk827/tk369/tk287/tsd_technology_support_sub-protocol_home.html

If you need further help in configuring, please let me know.

Cheers:

Istvan

Gerald Vogt Thu, 09/04/2008 - 00:00

I already have GRE/IP tunnels everywhere. The question is which dynamic routing protocol to use in such a small setup.

Richard Burts Thu, 09/04/2008 - 07:24

Gerald

You should be able to accomplish what you need with any of the Interior Routing Protocols (RIP, OSPF, or EIGRP). RIP is the most simple of the protocols, but because of its periodic broadcast updates I am not sure that it is your best choice. I would recommend that you use EIGRP. EIGRP is easy to set up. You would select some AS number - perhaps 100. Then your configuration would have network statements for the networks that you want EIGRP to process (probably your LAN network at the site, the network of the GRE tunnel). On the router with static routes you need to redistribute static into EIGRP. So your config might look something like this:

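router eigrp 100
 ! the "metric" keyword must precede the five seed-metric values
 ! (bandwidth, delay, reliability, load, MTU)
 redistribute static metric 10000 100 200 50 1500
 ! placeholders: substitute the real subnets
 network <site LAN subnet>
 network <GRE tunnel subnet>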

HTH

Rick
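
The setup described in the reply above, written out for the first router and one of the others. This is an added example and not configuration posted by anyone in the thread. The tunnel interface names, the 172.16.x.x tunnel subnets, the 192.168.x.0/24 site LANs, the 10.20.0.0/16 corporate range, and the key-chain, prefix-list and route-map names are all assumptions. It also goes beyond the reply by filtering what gets redistributed (so the first router's own internet default route is not pushed to the other branches) and by authenticating EIGRP neighbors on the tunnels.

```cisco
! --- Router 1 (branch with the VPN tunnel to the corporate network) ---
! All addresses and names below are constructed for illustration.
key chain BRANCH-EIGRP
 key 1
  key-string <shared-secret>
!
! Only corporate prefixes may be redistributed; every other static route
! on this router (e.g. its own internet default route) stays local.
ip prefix-list CORP-STATICS seq 10 permit 10.20.0.0/16 le 24
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list CORP-STATICS
!
interface Tunnel12
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 BRANCH-EIGRP
interface Tunnel13
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 BRANCH-EIGRP
!
router eigrp 100
 ! Form neighbors on the GRE tunnels only, never on LAN or internet ports
 passive-interface default
 no passive-interface Tunnel12
 no passive-interface Tunnel13
 network 192.168.1.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
 network 172.16.13.0 0.0.0.3
 redistribute static metric 10000 100 200 50 1500 route-map STATIC-TO-EIGRP
 no auto-summary
!
! --- Router 2 (router 3 is the same with its own tunnel and LAN subnet) ---
! The static routes to the corporate network are removed here once the
! EIGRP-learned routes appear in the routing table.
key chain BRANCH-EIGRP
 key 1
  key-string <shared-secret>
!
interface Tunnel12
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 BRANCH-EIGRP
!
router eigrp 100
 passive-interface default
 no passive-interface Tunnel12
 network 192.168.2.0 0.0.0.255
 network 172.16.12.0 0.0.0.3
 no auto-summary
```

After applying it, `show ip eigrp neighbors` on each router should list the tunnel peers, and `show ip route eigrp` on the second and third router should show the corporate prefixes as external (D EX) routes via the first router.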

Istvan_Rabai Thu, 09/04/2008 - 09:05

Hi Gerald,

Rick gave you a good option with EIGRP.

In future you should describe your environment a bit more specifically, and you will get more precise answers to your problems.

Thanks:

Istvan
