Cisco Support Community

New Member

Tunnelling

Hello,

I have two sites and both of them have access to the internet. Now I have to make a tunnel between them so that hosts with private IP addresses can communicate directly without NAT.

1) Which is the best solution to use (GRE, L2TP or something else)?

2) Is it feasible that I have addresses from the same network on both sides (i.e. 10.10.0.0/16)?

3) If I use GRE, do I need one more public IP address from my provider on the interface towards the Internet (for the tunnel)?

4) Is it possible to use the same connection and IP address towards my ISP, and to tunnel only specific private addresses (i.e. 10.10.0.0) towards my remote site? Of course all other IP addresses have to be routed to the Internet.

Thanks


6 REPLIES
Silver

Re: Tunnelling

1) GRE is the best.

2) Yes, you can have the same address range as long as they don't clash.

3) As both sides have internet and assuming you have static public IPs, you can create GRE using those IPs. No extra IPs needed.

4) Yes, you can do it.

New Member

Re: Tunnelling

Thank you.

So there is no chance that the two sites have layer 2 connectivity over the internet, whichever tunnelling technique is in use? I.e. both sites have the 10.10.10.0/24 network, on one site a host has address 10.10.10.2 and on the other site a host has address 10.10.10.3, and they can communicate without using NAT?

Hall of Fame Super Silver

Re: Tunnelling

Antonio

There are several approaches which you might consider. Probably the simplest is to do GRE tunnels between the sites. GRE would allow you to send traffic between the sites without needing to translate addresses. GRE would allow you to run a routing protocol between the sites. A routing protocol would allow you to have addresses in the same address range at both sites as long as they do not overlap. By overlap I mean for example to have 10.10.5.0/25 at site 1 and also have the same subnet at site 2. In this case the only solution is to translate addresses.

GRE would allow the sites to communicate but does not provide much protection for the traffic. Depending on whether you need to provide protection for the traffic between sites you might want to consider IPSec which can provide protection. Until very recent releases IPSec would transport only unicast IP traffic which meant that you could not run a dynamic routing protocol over IPSec. Very recent releases allow routing protocols over IPSec. I have not yet had experience with this new feature so cannot advise how well it works.

The traditional solution if you want protection for traffic and want a routing protocol has been to run IPSec with GRE tunnels. I have done a lot of this and it works quite well.

Whether it is GRE, IPSec, or IPSec with GRE you will need public IP addresses at the edge of both sites.

And with any of these solutions you can exchange traffic between sites and route other traffic to the Internet.

HTH

Rick

New Member

Re: Tunnelling

Thanks a lot.

Can I use only one public address on each site for both internet access and the GRE tunnel? And is traffic routed toward the internet or to the other site by static routing? (Or maybe the differentiation can be made with an access list? I know that this can be done for IPSec.) I was trying to find some configuration guide for GRE on the Cisco site but I was unable to find anything useful.

Thanks again

Antonio

Silver

Re: Tunnelling

1) Yes, one public IP for tunnel source and destination.

2) Yes, have a default route to the link to the internet and the private IPs of the remote sites to the GRE tunnel. No need for an access-list, as GRE is a logical interface, unlike IPSec which is virtual.

3) This is a good link to get you started for GRE over IPsec:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

Gautam
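As an added example that is not from this thread or from Cisco's linked document, here is a Cisco IOS configuration for the design Rick and Gautam describe: one public IP per site reused as the GRE tunnel source, GRE protected by IPsec (using `tunnel protection`, the later IOS form of the crypto-map GRE-over-IPsec setup the linked document shows), a default route to the ISP, a static route sending only the remote private range into the tunnel, and a NAT exemption so tunnelled traffic keeps its private addresses. Every address, interface name and the pre-shared-key placeholder is an assumption: the public IPs are RFC 5737 documentation ranges, and the two sites split 10.10.0.0/16 into non-overlapping halves (10.10.0.0/17 and 10.10.128.0/17), which is exactly the non-overlap condition Rick's post requires.

```cisco
! ==== Site 1 (all addresses hypothetical; public IPs from RFC 5737 ranges) ====
! Internet-facing interface: the one public IP doubles as the GRE tunnel source
interface GigabitEthernet0/0
 description ISP uplink
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Site 1 LAN (lower half of 10.10.0.0/16)
 ip address 10.10.0.1 255.255.128.0
 ip nat inside
!
! IKEv1 / IPsec parameters that protect the GRE tunnel (Rick's "IPsec with GRE")
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.20
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! The GRE tunnel: a logical interface, so plain routing decides what enters it
interface Tunnel0
 description GRE to Site 2, protected by IPsec
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.20
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
! Routing: everything defaults to the ISP; only the remote private range is
! sent into the tunnel (answers question 4 in the original post)
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 10.10.128.0 255.255.128.0 Tunnel0
!
! NAT applies to Internet-bound traffic only; site-to-site traffic is denied
! from translation so it crosses the tunnel with private addresses intact
ip access-list extended NAT-INSIDE
 deny   ip 10.10.0.0 0.0.127.255 10.10.128.0 0.0.127.255
 permit ip 10.10.0.0 0.0.127.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! ==== Site 2: the mirror image ====
interface GigabitEthernet0/0
 ip address 203.0.113.20 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 description Site 2 LAN (upper half of 10.10.0.0/16)
 ip address 10.10.128.1 255.255.128.0
 ip nat inside
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 10.10.0.0 255.255.128.0 Tunnel0
!
ip access-list extended NAT-INSIDE
 deny   ip 10.10.128.0 0.0.127.255 10.10.0.0 0.0.127.255
 permit ip 10.10.128.0 0.0.127.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Checks after applying (both sites):
!  show interfaces tunnel 0      -> line protocol up once the peer is reachable
!  show crypto ipsec sa          -> packets encaps/decaps counters increasing
!  show ip route 10.10.128.0     -> next hop should be Tunnel0 (Site 1 view)
```

Two points worth noting about the design. The access list only selects what gets translated; nothing about tunnel selection uses an ACL, which is Gautam's point that GRE is a routable interface. Traffic routed into Tunnel0 is not translated anyway because the tunnel is not marked `ip nat outside`, so the `deny` line is a safeguard that keeps the NAT policy correct if the interface roles ever change. The `ip mtu` and `ip tcp adjust-mss` lines allow for the GRE plus ESP overhead so that full-size packets are not silently dropped on an ISP path that blocks fragments or PMTUD. For a dynamic routing protocol, as Rick suggests, the 172.16.0.0/30 tunnel network is the link the protocol would peer across; the two static routes would then be replaced by the learned routes.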

Silver

Re: Tunnelling

Yes, there is L2TP tunneling as well. This is known as L2TP client-initiated tunneling. It may help you.

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7592.html
