GO TO SLEEP NEAL!

----- Original Message -----
From: "Neal Rauhauser" 
To: 
Sent: Tuesday, May 29, 2001 12:36 AM
Subject: Re: Why use GRE Tunnels [7:6155]


> I have this configuration in production:
>
>
> branch office lan  cisco 2611  Cisco 7206 running BGP  Cisco 2611  branch office lan
>
>
>     I have a /24 from one of my three BGP peers which is used for most
> everything in my network and there is a sloppy deploy of RFC1918
> private addresses on two branch office segments.
>
>     I knew I didn't want the 10.x.x.x/8 addresses leaking into my
> overall routing table and providing access from our colo sites into
> our corporate network. Our network is a star topology with the 7206 as
> its core so I could have done some fancy route filtering so only the
> three routers involved would see the private numbers OR used the VPN
> capability of the 2611s but I decided not to because:
>
> 1. complexity - there are two junior level people who work on our
> internetwork when I am not around - I judged the GRE tunnel to be much
> simpler to understand than some route filtering scheme
>
> 2. complexity - an IPsec VPN would have accomplished the same thing as
> the simple GRE tunnel but would have left the junior router gods
> scratching their heads if it had trouble while I was gone, to say
> nothing of the encryption tax on the link - there are some activities
> that light up the T1 for quite a while and a standalone 26xx processor
> can't handle a full DS1 worth of encrypted traffic.
>
> 3. ease of maintenance - the GRE tunnels are tied to the loopback
> address on each router and we're running OSPF as our IGP. I make it a
> habit to tie VoIP, GRE tunnels, etc. to the logical loopback - we did
> have a dual T1 configuration at one branch office for a while and it
> was nice to be able to change things and not worry about making sure
> the tunnel stuff was OK - it just automagically came right back in the
> event of a topology change (yes, I did the HSRP labs on a live
> network. So shoot me :-))
>
>       I've found many other uses for GRE tunnels ever since I
> discovered them - it's so convenient if you're off site and want to do
> some work - rather than jacking up your access lists you just 'pipe' a
> little bit of your private address space to wherever you're at and
> you're working like you're in the office - think telecommuting in this
> case - pretty easy to move a little bit of 10.x.x.x/8 to my house and
> work from home when I needed. Yes, it's somewhat insecure in that an
> @home guy could see stuff by snooping the GRE, but it would be darned
> hard to exploit unless he hijacked my public IPs at home.
>
>
>
>
>
> Rashid Lohiya wrote:
>
> > Hi,
> >
> > Can anyone give me some reasons why anyone would want to or need to
> > use GRE Tunnels
> >
> > Thanks
> >
> > Rashid Lohiya
> > [EMAIL PROTECTED]
> > 020 8509 2990
> > 07785 362626
> > www.pioneer-computers.com
> > London UK
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6180&t=6155