Eigrp routing path selection.

alan-wong (Level 1)

If we have three sites connected with IPsec over GRE tunnels and running EIGRP, I would like to know how the router selects the path for data transfer.

for example

(H) headquarter in USA

(A) site in Asia

(B) site in Asia

We connected both site A and B to headquarter H

(site A) -- eigrp 60 -- (site H) -- eigrp 60 (site B)

Now I add another IPsec over GRE connection directly from (site A) to (site B) with EIGRP 60, because both site A and site B are located in Asia, close to each other. How do I know, or how do I set/control, that the traffic between A and B goes directly to each other instead of going to the faraway headquarters? Please advise. Thank you very much.

(Site A)

interface Tunnel0
 ip address 172.31.0.1 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 172.16.0.2
 crypto map vpn

(Site B)

interface Tunnel0
 ip address 172.31.0.2 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel destination 172.16.0.1
 crypto map vpn

5 Replies

Peter Paluch (Cisco Employee)

Alan,

The tunnel created from A and B towards H should have a high EIGRP metric to make it appear less attractive. Ideally, this is done by setting a high delay on the tunnel interfaces from A and B towards H, for example, delay 5000000.

Please note that the crypto map command is not supposed to be configured on Tunnel interfaces. If IPsec shall be used to protect tunneled traffic, you should either use IPsec profiles on the tunnels using the tunnel protection ipsec profile command, or the crypto map shall be configured on the physical egress interfaces only.

Best regards,

Peter

Please note that the crypto map command is not supposed to be configured on Tunnel interfaces. If IPsec shall be used to protect tunneled traffic, you should either use IPsec profiles on the tunnels using the tunnel protection ipsec profile command, or the crypto map shall be configured on the physical egress interfaces only.

If I remember correctly (?), old IOS versions did require crypto map on both the tunnel and physical interfaces.  (Newer IOSs don't, VTI setups [Peter's tunnel protection ipsec] are a bit "cleaner" to configure too.)

Hello Joseph,

If I remember correctly (?), old IOS versions did require crypto map on both the tunnel and physical interfaces.

Quite right; IOSes earlier than 12.2(13)T required the crypto map to be applied both on the physical interface and on the tunnel interface (why this was required eludes me totally - it just doesn't make sense when thinking about the procedural sequence of operations). Starting with 12.2(13)T, a crypto map is both sufficient and recommended to be configured only on physical interfaces.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

I do not suppose the original poster has such an ancient IOS.

Best regards,

Peter

Yes, I am using the 12.4 version.

May I know why it now cannot be applied on both the physical interface and the tunnel? Only one or the other?

Alan,

The configuration of crypto maps both on tunnel interfaces and on physical interfaces with recent IOSes is perhaps supported but it is not necessary, and in fact, it is confusing. A crypto map placed on an interface means "some of the traffic passing through this interface shall be encrypted, i.e. encrypt first, then send". On a tunnel interface, this would logically translate into IPsec first, GRE second - while in reality, the sequence is GRE first, IPsec second, and this is what makes the configuration cumbersome and unintelligible.

I am also a fan of not using commands in configuration that are unnecessary or have no use. Placing the crypto map both on physical interface and on tunnel interfaces is a nice example of a phony abuse of this command.

Correctly, in all new IOSes and IPsec implementations, crypto maps shall be used on physical interfaces and shall not be used on tunnel interfaces.

Best regards,

Peter
