Hello Sudhanshu, I have a bit of a tricky question that I've been wondering about.
I'm going to be setting up over a dozen new ASA5510s in front of preexisting 2821 routers. I currently have EIGRP running in GRE tunnels between the sites.
I have heard that the ASAs do not support GRE tunnels... yet you need a GRE tunnel for EIGRP to work because of the multicast hellos.
What do you think is the best solution to the problem? I was thinking perhaps the EIGRP neighbor command could help me, because it sends unicast to static neighbors instead of multicast, and I could get around the fact that I don't have a GRE tunnel.
This has been dogging me for a while and I would really appreciate any help you could provide. Thank you,
ASKED: May 15, 2009 12:51 PM
UPDATED: October 1, 2009 4:38 PM
Hey, great answer Jfernatt, thanks.
A few questions though: would it be ok to make a loopback on each router as the endpoint for the GRE?
Would I only have to add the endpoints as interesting traffic for the IPsec tunnel on each side, or all traffic? Still a little fuzzy on this stuff, as I find it fairly complex.
Do you have any detailed URLs with this kind of setup by any chance? I'd like to study it more in depth. Thanks a lot.
Hi there. Yes, just the GRE endpoints will be classified as interesting traffic, as all of your traffic over the GRE will be encapsulated with those endpoints as source and destination addresses.
Here is an example related to OSPF but it is the same concept.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800a43f6.shtml
I could also give you some real life examples and comment them if needed.
Good luck
Oh and loopbacks will work perfectly.
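The following is an added configuration example illustrating the design in the answer above; it is not configuration from the original thread or from the linked Cisco document. It shows site A only (site B mirrors it with the addresses swapped). All addresses, interface names, ACL names and the pre-shared key placeholder are assumptions. The ASA side uses the 8.2-era CLI (pre-8.3 NAT syntax) that the ASA 5510s of that time ran.

```cisco
!=== Site A 2821 router (behind the ASA) ===
! Loopback as the GRE endpoint, so the tunnel is not tied to a physical port
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 description GRE to site B; carried inside the ASA-to-ASA IPsec tunnel
 ip address 172.16.0.1 255.255.255.252
 ! Leave room for GRE (24 bytes) plus the ESP overhead the ASA adds
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! EIGRP multicast hellos ride inside the GRE tunnel, so the ASA never sees them
router eigrp 100
 network 172.16.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 no auto-summary
 ! Optional: unicast hellos to a static neighbor instead of multicast
 ! neighbor 172.16.0.2 Tunnel0
!
! Do NOT learn the remote loopback over the tunnel itself (recursive routing
! would take Tunnel0 down); reach it statically via the ASA inside interface
ip route 10.255.0.2 255.255.255.255 192.168.1.254
ip route 0.0.0.0 0.0.0.0 192.168.1.254

!=== Site A ASA 5510 (ASA 8.2 syntax) ===
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1
! The local GRE endpoint lives on the inside router
route inside 10.255.0.1 255.255.255.255 192.168.1.1 1
!
! Interesting traffic: only GRE (IP protocol 47) between the two loopbacks.
! Every inter-site packet is already GRE-encapsulated with these addresses.
access-list L2L-SITEB extended permit gre host 10.255.0.1 host 10.255.0.2
! Keep the tunnel endpoints out of NAT
access-list NONAT extended permit ip host 10.255.0.1 host 10.255.0.2
nat (inside) 0 access-list NONAT
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEB
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret>
!
! Decrypted VPN traffic bypasses the interface ACLs (default, shown for clarity)
sysopt connection permit-vpn
```

Two points worth checking on a live box: `show crypto ipsec sa` on the ASA should report encaps/decaps counters climbing only for the 10.255.0.1/10.255.0.2 GRE flow, and `show ip eigrp neighbors` on the router should list the peer on Tunnel0. If the tunnel flaps with "temporarily disabled due to recursive routing", the remote loopback is being learned through the tunnel; the static host route above, or a distribute-list that filters the loopbacks, prevents that.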
Excellent advice and I really appreciate it.
This seems a great solution to an annoying problem – no GRE support on the ASA.
I'm in a similar situation and this looks to fit the bill.
Any further adjustment of MTU between GRE endpoints required to pull this off?
Did you find it better to place the GRE endpoint in a DMZ VLAN behind the ASA, or terminate it on the inside network?
Did you make any adjustment to hello timers or hold time on EIGRP neighbors through the ASA?
How did outbound inspection traffic work for GRE payloads on the ASA, or is it simply IPsec to IPsec, with GRE being completely arbitrary to the ASA?
Thanks – I’m curious to try this.