Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
9
Helpful
6
Replies

GRE with Static Routes

visitor68
Level 4
Level 4

‎04-21-2010 05:50 AM - edited ‎03-06-2019 10:43 AM

The purpose of using GRE encapsiulation over IPSec is to allow multicast routing updates to flow between the hub and spoke routers.

Is there another purpose for running GRE with IPSec?

If only static routing is used, is there a need for GRE?

In a second set of questions...

If GRE is used, one can leverage DMVPN to facilitate configuration and adding spokes.

If GRE is not used, is there a mechanism native to IPSec to make the adding of spokes streamlined in the same way GRE streamlines the process?

Thanks

Labels:
0 Helpful
6 Replies 6

Lei Tian
Cisco Employee
Cisco Employee

‎04-21-2010 06:43 AM

Hi,

GRE can be used to support some legacy layer 3  protocols as well.

GETVPN doesnt require GRE, but it  will automatically create tunnel using the original IP header.

HTH,

Lei  Tian

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Lei Tian

‎04-21-2010 07:12 AM

GRE is encapsulation and IPsec is encryption (IPsec can also do encapsulation, but it is avoided when using GRE)
DMVPN facilitates the GRE tunnels in that it make it dynamic (you no longer need to define statically all the endpoint IP of the GRE devices)
GETVPN is a relative new technology which does not use GRE
VTI is another way to send multicast between routers.

Federico.

visitor68
Level 4
Level 4
In response to Federico Coto Fajardo

‎04-21-2010 08:29 AM

I am looking for more specific and informative answers that address my questions. I already know what GRE and IPSec are.

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to visitor68

‎04-21-2010 10:01 AM

I thought we pretty much gave you the answer, if you're looking for more detailed information shoot the question again with exactly what you want to know.

Federico.

0 Helpful

Laurent Aubert
Cisco Employee
Cisco Employee

‎04-21-2010 10:30 AM

Hi,

The first implementation of IPSec within IOS (crypto-map based) doesn't support multicast traffic encapsulation so adding the GRE layer was the workaround so GRE encapsulate multicast and IPSec encrypt GRE packets which are unicast.

So yes this was the main purpose of having GRE on top of IPSec. The other advantage is you can encapsulate other protocol like IPX and transport it over an IP backbone.

With static routing, GRE layer is not mandatory but it will make your backup routing policy more complex (need to rely on IKE DPD and RRI) and globaly slower than having a dynamic routing protocol.

For Hub&Spoke topology, DVTI is a good alternative to mGRE. Configuration is similar to Dial-In based on virtual-template (each tunnel is associated to a virtual-access interface). Please refer to the following link for more information:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

HTH

Laurent.

visitor68
Level 4
Level 4
In response to Laurent Aubert

‎04-21-2010 07:35 PM

Thanks, Laurent

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card