Tricky EIGRP routing question

40 pts.
Tags:
Cisco 2821
Cisco ASA 5510
Cisco Routers
EIGRP
Networking
Routing protocols
Hello Sudhanshu, I have a bit of a tricky question that I've been wondering about. I'm going to be setting up over a dozen new ASA5510s in front of preexisting 2821 routers. I currently have EIGRP running in GRE tunnels between the sites. I have heard that the ASAs do not support GRE tunnels...yet you need a GRE tunnel for EIGRP to work because of the multicast hellos. What do you think is the best solution to the problem? I was thinking perhaps the EIGRP neighbor command could help me because of the fact that it sends unicast to static neighbors instead of multicast and I could get around the fact that I don't have a GRE tunnel. This has been dogging me for a while and I would really appreciate any help you could provide. Thank you,
ASKED: May 15, 2009  12:51 PM
UPDATED: October 1, 2009  4:38 PM

Answer Wiki


In this scenario I typically set up an IPSec tunnel between the ASAs and then set up the GRE between the 2 routers that sit behind the ASAs.

In other words, create your 2 IP addresses that will be used as the GRE endpoints. Permit those in your IPSec tunnel between your ASAs. Make sure each ASA has a route to its respective router’s GRE endpoint. Make sure each router has a route pointing to the ASA for the opposite GRE endpoint. At this point your tunnel should come up and you should be able to add the tunnel addressing to EIGRP as normal.

I’ve done this TONS of times and never had any problem with it so I think you’ll not have any problem.

If you need any more detailed help just ask.
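
The layout described in this answer, as an added example that is not part of the original answer: Site A's router and ASA, with Site B mirroring it with the addresses swapped. All addresses, the EIGRP AS number 100, the ACL and crypto map names, the MTU values and the ASA 8.0-8.2 command syntax are assumptions made for illustration.

```cisco
! R1: 2821 behind ASA-A (all addresses and AS 100 are constructed for this example)
interface Loopback0
 ip address 10.255.1.1 255.255.255.255
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 ! common GRE-over-IPsec values (assumption); tune to your path
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.255.2.1
! the remote GRE endpoint is reached through the local ASA (inside 10.1.0.1)
ip route 10.255.2.1 255.255.255.255 10.1.0.1
router eigrp 100
 ! tunnel addressing added to EIGRP as normal; add LAN networks as needed
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! ASA-A: outside 192.0.2.1, peer ASA-B 198.51.100.1 (ASA 8.0-8.2 syntax assumed)
! route to the local router's GRE endpoint (R1 inside address 10.1.0.2);
! a default route out the outside interface is assumed to exist already
route inside 10.255.1.1 255.255.255.255 10.1.0.2
! interesting traffic: only the two GRE endpoints
access-list GRE-VPN extended permit ip host 10.255.1.1 host 10.255.2.1
! NAT exemption, needed only if the ASA translates inside traffic
nat (inside) 0 access-list GRE-VPN
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address GRE-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <PRE-SHARED-KEY>
```

On R1, `show ip eigrp neighbors` should list 172.16.0.2 on Tunnel0 once both sides are configured; on the ASA, `show crypto ipsec sa` should show a single SA pair whose local and remote identities are the two loopback addresses.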

Discuss This Question: 5  Replies

 
  • Richardvoyageur
    Hey, great answer Jfernatt, thanks. A few questions though: would it be ok to make a loopback on each router as the endpoint for the GRE? Would I only have to add the endpoints as interesting traffic for the ipsec tunnel on each side or all traffic? Still a little fuzzy on this stuff as I find it fairly complex. Do you have any detailed URLs with this kind of setup by any chance? I'd like to study it more in depth. Thanks a lot
  • Jfernatt
    Hi there. Yes just the GRE endpoints will be classified as interesting traffic as all of your traffic over the GRE will be encapsulated with those endpoints as source and destination addresses. Here is an example related to OSPF but it is the same concept. http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml I could also give you some real life examples and comment them if needed. Good luck
  • Jfernatt
    Oh and loopbacks will work perfectly.
  • Richardvoyageur
    Excellent advice and I really appreciate it.
  • Csablock
    This seems a great solution to an annoying problem - no GRE support on the ASA. I'm in a similar situation and this looks to fit the bill. Any further adjustment of MTU between GRE endpoints required to pull this off? Did you find it better to place the GRE endpoint in a DMZ vlan behind the ASA, or terminate it on the inside network? Did you make any adjustment to hello timers, or hold time on eigrp neighbors through the ASA? How did outbound inspection traffic work for GRE payloads on the ASA, or is it simply IPSEC to IPSEC with GRE being completely arbitrary to the ASA? Thanks - I'm curious to try this.
