User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 26 GRE and DMVPNs
GRE and Dynamic GRE VPNs
OSPF—Open Shortest Path First is a link-state, hierarchical protocol that features least-cost routing, multipath routing, and load balancing. Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network, so that all will have the same routing table information. For more information, see OSPF Routing on Cisco IOS Routers, page 64-19.

RIPv2—Routing Information Protocol is a distance-vector protocol that sends routing-update messages at regular intervals and whenever the network topology changes. Using RIPv2, a gateway host (with a router) sends its entire routing table to its closest neighbor host every 30 seconds, which in turn passes the information on to its next neighbor, and so on, until all hosts within the network have the same knowledge of routing paths. RIPv2 uses a hop count to determine network distance. Each host with a router in the network uses the routing table information to determine the next host to route a packet to for a specified destination. RIP is considered an effective solution for small homogeneous networks. For larger, more complicated networks, RIP’s transmission of the entire routing table every 30 seconds may put a heavy amount of extra traffic on the network. For more information, see RIP Routing on Cisco IOS Routers, page 64-42.

Static route—Use a static routing policy to provide a robust, stable IPsec-protected GRE tunnel if there is a fixed, unchanging route between two devices. For each device subnet, a static route is created on the device pointing to the corresponding tunnel interface. For more information, see Static Routing on Cisco IOS Routers, page 64-50.
You must specify an IGP process number. The IGP process number identifies the IGP process to which the inside interface on the device belongs. When GRE is implemented, this will be the secured IGP. For secure communication, the inside interfaces on the devices in your VPN must use the same IGP process. The IGP process number must be within a specified range. If you have an existing IGP process on the device that is within this range, but is different from the IGP process number specified in your GRE settings, Security Manager removes the existing IGP process. If the existing IGP process matches the one specified in your GRE settings, any networks included in the existing IGP process that do not match the specified inside interfaces are removed.
If the inside interfaces on your devices are configured to use an IGP process other than the IGP process specified in your GRE settings (meaning that the interfaces belong to an unsecured IGP):

For spokes: Manually remove the inside interfaces from the unsecured IGP through the device CLI before configuring GRE.

For hubs: If the hub inside interface is used as a network access point for Security Manager, then on deployment, the interface is advertised in both secured and unsecured IGPs. To ensure that the spoke peers use only the secured IGP, manually add the auto-summary command for the unsecured IGP or remove the unsecured IGP for that inside interface.
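As an added example (not part of the guide and not Security Manager's own code), the following Python check reads a device running-config and lists every IGP process other than the secured one whose network statements still cover the inside interface, which is the condition to clear on spokes before configuring GRE and to handle on hubs. The interface name, process numbers and addresses in the embedded config are constructed; the parser assumes EIGRP and OSPF network statements carry a wildcard mask and RIP statements are classful.

```python
import ipaddress
import re
# Constructed spoke running-config (not from the guide): GRE settings select EIGRP 200
# as the secured IGP, yet the inside interface is still advertised by unsecured EIGRP 100.
SPOKE_CONFIG = """\
interface GigabitEthernet0/1
 ip address 192.168.10.1 255.255.255.0
!
router eigrp 100
 network 192.168.10.0 0.0.0.255
 network 172.16.0.0 0.0.255.255
!
router eigrp 200
 network 192.168.10.0 0.0.0.255
 network 10.255.0.0 0.0.0.255
!
"""

def classful_prefix(addr):
    first = int(addr.split(".")[0])  # prefix IOS applies to a classful RIP 'network A.B.C.D'
    return 8 if first < 128 else 16 if first < 192 else 24

def parse_config(config):
    """Return interface name -> IPv4Interface and (protocol, process) -> advertised networks."""
    interfaces, processes, block = {}, {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            block = ("if", line.split()[1])
        elif m := re.match(r"router (eigrp|ospf|rip)(?: (\d+))?$", line):
            block = ("igp", (m.group(1), int(m.group(2) or 0)))
            processes[block[1]] = []
        elif not line.startswith(" "):
            block = None  # '!' or any other top-level line ends the current block
        elif block and block[0] == "if" and line.split()[:2] == ["ip", "address"]:
            _, _, addr, mask = line.split()[:4]
            interfaces[block[1]] = ipaddress.IPv4Interface(f"{addr}/{mask}")
        elif block and block[0] == "igp" and line.split()[0] == "network":
            words = line.split()  # EIGRP/OSPF carry a wildcard mask; RIP is classful
            wild = words[2] if len(words) > 2 and words[2] != "area" else None
            net = f"{words[1]}/{wild or classful_prefix(words[1])}"
            processes[block[1]].append(ipaddress.IPv4Network(net, strict=False))
    return interfaces, processes

def unsecured_advertisers(config, inside_if, secured):
    # Every IGP process except `secured` whose network statements cover the inside interface
    interfaces, processes = parse_config(config)
    addr = interfaces[inside_if].ip
    return sorted(proc for proc, nets in processes.items()
                  if proc != secured and any(addr in net for net in nets))
```

Running `unsecured_advertisers(SPOKE_CONFIG, "GigabitEthernet0/1", ("eigrp", 200))` on the sample reports EIGRP 100, and returns an empty list once the inside network is removed from that process.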
You must provide a subnet for the loopback interfaces that is unique, although it can be non-globally routable. This subnet must be used only to support the loopback implementation for GRE. The loopback interfaces are created, maintained, and used only by Security Manager; do not use them for any other purpose.

If you are using static routes rather than an unsecured IGP, make sure you configure static routes on the spokes through to the hub inside interfaces.
Note: You can configure the above settings in the GRE Modes page when IPsec/GRE is the selected IPsec technology.