Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

BGP routing via VPN (Hub'n Spoke topologie)

Hi all,

have here a Hub 'n Spoke VPN topology between three Rtrs (where RtrB is the hub site), VPN tunnels are build up between RtrB-RtrA and RtrB-RtrC, EBGP peering is the same as the VPN topology(RtrB 2 RtrA and RtrB 2 RtrC). Now my problem: BGP comes up the peers are send/receiving the routes, but a connection between RtrA-RtrC is not possible, although the routes from the private LAN A is in RtrC routing table. Is there an issue like Spilt-Horizon in VPN, may be its not possible to route traffic on the Hub site from on tunnel to the next tunnel. Many thanks in advance...

2 REPLIES
New Member

Re: BGP routing via VPN (Hub'n Spoke topologie)

IPSEC will not transfer routing protocols if that is how your tunnels are setup, you will have to create GRE tunnels to transfer BGP, the following doc has a sample config using OSPF

www.cisco.com/warp/customer/707/gre_ipsec_ospf.html

hope this helps!

New Member

Re: BGP routing via VPN (Hub'n Spoke topologie)

Actually, IPSec can be used to encrypt routing packets, and BGP is a protocol commonly used because it is unicast in nature and can work over multiple hops. There is some opinion that it is better to use BGP over IPSec than using BGP md5 authentication, although I don't know if it is being used much at the provider level (suspect not given performance overheads)

The reason that IPSec is incompatible with most interior protocols is that they are unicast/multicast (not supported by IPSec) and rely on the neighbor being directly attached. This is why GRE tunnels are commonly suggested as the solution. This also avoids the confusion that arises between the routing policy and crypto policy.

In a lot of different IOS versions, there were issues with same-interface switching and IPSec. It varies from IOS to IOS and model to model. One of the first things to try if this is happening to you is to turn off fast-switching on the relevant interfaces. Bear in mind that the more advanced features you try and combine on one router, the more likely you will find some issue. So if you're going to try to combine MPLS/CEF/IPSec/NAT/RPF/same interface routing be prepared to spend a lot of time talking to the TAC

265
Views
0
Helpful
2
Replies
CreatePlease to create content