Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Eigrp routing path selection.

If we have three sites connected with IPSEC over GRE tunnel and running EIGRP.  I would like to know how is the router select the path for data transfer

for example

(H) headquarter in USA

(A) site in Asia

(B) site in Asia

We connected both site A and B to headquarter H

(site A) -- eigrp 60 -- (site H) -- eigrp 60 (site B)

Now I add another IPSEC over GRE connection direct from (site A) to (site B) with eigrp 60.  It is because both site A and B are located in Asia and location close to each other.  How do I know, or how do I set control the traffic goes between A and B directly to each other instead of go to far away headquarter?  Please advise.  Thank you very much

(Site A)

interface Tunnel0
ip address 172.31.0.1 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.2
crypto map vpn

(Site B)
interface Tunnel0
ip address 172.31.0.2 255.255.255.0
tunnel source FastEthernet0/1
tunnel destination 172.16.0.1
crypto map vpn

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: Eigrp routing path selection.

Hello Joseph,

If I remember correctly (?), old IOS versions did require crypto map on both the tunnel and physical interfaces.

Quite right; IOSes earlier than 12.2(13)T required the crypto map to be applied both on the physical interface and on the tunnel interface (why this was required eludes me totally - it just doesn't make sense when thinking about the procedural sequence of operations). Starting with 12.2(13)T, a crypto map is both sufficient and recommended to be configured only on physical interfaces.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

I do not suppose the original poster has such an ancient IOS.

Best regards,

Peter

Cisco Employee

Eigrp routing path selection.

Alan,

The configuration of crypto maps both on tunnel interfaces and on physical interfaces with recent IOSes is perhaps supported but it is not necessary, and in fact, it is confusing. A crypto map placed on an interface means "some of the traffic passing through this interface shall be encrypted, i.e. encrypt first, then send". On a tunnel interface, this would logically translate into IPsec first, GRE second - while in reality, the sequence is GRE first, IPsec second, and this is what makes the configuration cumbersome and unintelligible.

I am also a fan of not using commands in configuration that are unnecessary or have no use. Placing the crypto map both on physical interface and on tunnel interfaces is a nice example of a phony abuse of this command.

Correctly, in all new IOSes and IPsec implementations, crypto maps shall be used on physical interfaces and shall not be used on tunnel interfaces.

Best regards,

Peter

5 REPLIES
Cisco Employee

Eigrp routing path selection.

Alan,

The tunnel created from A and B towards H should have a high EIGRP metric to make it appear less attractive. Ideally, this is done by setting a high delay on the tunnel interfaces from A and B towards H, for example, delay 5000000.

Please note that the crypto map command is not supposed to be configured on Tunnel interfaces. If IPsec shall be used to protect tunneled traffic, you should either use IPsec profiles on the tunnels using the tunnel protection ipsec profile command, or the crypto map shall be configured on the physical egress interfaces only.

Best regards,

Peter

Super Bronze

Re: Eigrp routing path selection.

Disclaimer

The   Author of this posting offers the information contained within this   posting without consideration and with the reader's understanding that   there's no implied or expressed suitability or fitness for any purpose.   Information provided is for informational purposes only and should not   be construed as rendering professional advice of any kind. Usage of  this  posting's information is solely at reader's own risk.

Liability Disclaimer

In   no event shall Author be liable for any damages whatsoever (including,   without limitation, damages for loss of use, data or profit) arising  out  of the use or inability to use the posting's information even if  Author  has been advised of the possibility of such damage.

Posting

Please note that the crypto map command is not supposed to be configured on Tunnel interfaces. If IPsec shall be used to protect tunneled traffic, you should either use IPsec profiles on the tunnels using the tunnel protection ipsec profile command, or the crypto map shall be configured on the physical egress interfaces only.

If I remember correctly (?), old IOS versions did require crypto map on both the tunnel and physical interfaces.  (Newer IOSs don't, VTI setups [Peter's tunnel protection ipsec] are a bit "cleaner" to configure too.)

Cisco Employee

Re: Eigrp routing path selection.

Hello Joseph,

If I remember correctly (?), old IOS versions did require crypto map on both the tunnel and physical interfaces.

Quite right; IOSes earlier than 12.2(13)T required the crypto map to be applied both on the physical interface and on the tunnel interface (why this was required eludes me totally - it just doesn't make sense when thinking about the procedural sequence of operations). Starting with 12.2(13)T, a crypto map is both sufficient and recommended to be configured only on physical interfaces.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a0080093f70.shtml

I do not suppose the original poster has such an ancient IOS.

Best regards,

Peter

New Member

Eigrp routing path selection.

yes.  i am using 12.4 verson

May i know why now it cannot apply on both physcial interface and tunnel?  Only either one?

Cisco Employee

Eigrp routing path selection.

Alan,

The configuration of crypto maps both on tunnel interfaces and on physical interfaces with recent IOSes is perhaps supported but it is not necessary, and in fact, it is confusing. A crypto map placed on an interface means "some of the traffic passing through this interface shall be encrypted, i.e. encrypt first, then send". On a tunnel interface, this would logically translate into IPsec first, GRE second - while in reality, the sequence is GRE first, IPsec second, and this is what makes the configuration cumbersome and unintelligible.

I am also a fan of not using commands in configuration that are unnecessary or have no use. Placing the crypto map both on physical interface and on tunnel interfaces is a nice example of a phony abuse of this command.

Correctly, in all new IOSes and IPsec implementations, crypto maps shall be used on physical interfaces and shall not be used on tunnel interfaces.

Best regards,

Peter

187
Views
0
Helpful
5
Replies
CreatePlease to create content