I have this configuration in production:

branch office lan -- Cisco 2611 -- Cisco 7206 running BGP -- Cisco 2611 -- branch office lan


    I have a /24 from one of my three BGP peers which is used for most everything in my network and there is a sloppy deploy of RFC1918 private addresses on two branch office segments.

    I knew I didn't want the 10.x.x.x/8 addresses leaking into my overall routing table and providing access from our colo sites into our corporate network. Our network is a star topology with the 7206 as its core, so I could have done some fancy route filtering so only the three routers involved would see the private numbers OR used the VPN capability of the 2611s, but I decided not to because:

1. complexity - there are two junior level people who work on our internetwork when I am not around - I judged the GRE tunnel to be much simpler to understand than some route filtering scheme

2. complexity - an IPsec VPN would have accomplished the same thing as the simple GRE tunnel but would have left the junior router gods scratching their heads if it had trouble while I was gone, to say nothing of the encryption tax on the link - there are some activities that light up the T1 for quite a while and a stand-alone 26xx processor can't handle a full DS1 worth of encrypted traffic.

3. ease of maintenance - the GRE tunnels are tied to the loopback address on each router and we're running OSPF as our IGP. I make it a habit to tie VoIP, GRE tunnels, etc. to the logical loopback - we did have a dual T1 configuration at one branch office for a while and it was nice to be able to change things and not worry about making sure the tunnel stuff was OK - it just automagically came right back in the event of a topology change (yes, I did the HSRP labs on a live network. So shoot me :-))

    I've found many other uses for GRE tunnels ever since I discovered them - it's so convenient if you're off site and want to do some work - rather than jacking up your access lists you just 'pipe' a little bit of your private address space to wherever you're at and you're working like you're in the office - think telecommuting in this case - pretty easy to move a little bit of 10.x.x.x/8 to my house and work from home when I needed. Yes, it's somewhat insecure in that an @home guy could see stuff by snooping the GRE, but it would be darned hard to exploit unless he hijacked my public IPs at home.

Rashid Lohiya wrote:

> Hi,
>
> Can anyone give me some reasons why anyone would want to or need to use GRE
> Tunnels
>
> Thanks
>
> Rashid Lohiya
> [EMAIL PROTECTED]
> 020 8509 2990
> 07785 362626
> www.pioneer-computers.com
> London UK
> FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=6178&t=6155
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
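A configuration sketch of the branch-to-branch GRE setup described in the reply above (tunnels sourced from loopbacks, loopbacks reachable via OSPF, 10/8 confined to the branch routers, and a belt-and-braces BGP outbound filter on the core). This is an added example, not the poster's own configuration; the 192.0.2.0/24 "public" block, the 10.x LAN numbers, interface names, ASNs and peer address are all assumptions.

```text
! Branch A 2611 (constructed example; addresses, interface names and ASN are assumptions)
interface Loopback0
 ip address 192.0.2.11 255.255.255.255
!
! Branch LAN in RFC1918 space; this prefix never enters OSPF or BGP
interface FastEthernet0/0
 ip address 10.1.0.1 255.255.255.0
!
! Tunnel endpoints are the loopbacks, so a WAN failover does not tear the tunnel down
interface Tunnel0
 description GRE to branch B 2611
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.12
 tunnel mode gre ip
!
! OSPF carries only the public /24 (loopbacks and WAN links), so the core
! and the colo sites learn a route to each tunnel endpoint but never to 10/8
router ospf 1
 network 192.0.2.0 0.0.0.255 area 0
!
! Branch B's LAN is reachable only through the tunnel; the static route is
! what keeps 10/8 confined to the two branch routers
ip route 10.2.0.0 255.255.255.0 Tunnel0
!
! Branch B 2611 is the mirror image: Loopback0 192.0.2.12, LAN 10.2.0.0/24,
! Tunnel0 10.255.0.2/30 with "tunnel destination 192.0.2.11", and
! "ip route 10.1.0.0 255.255.255.0 Tunnel0".
!
! 7206 core: it only forwards GRE between the loopbacks, but an outbound
! prefix-list on every BGP peer guarantees RFC1918 space cannot leak even if
! someone later redistributes a branch static into OSPF or BGP
ip prefix-list NO-RFC1918 seq 5 deny 10.0.0.0/8 le 32
ip prefix-list NO-RFC1918 seq 10 deny 172.16.0.0/12 le 32
ip prefix-list NO-RFC1918 seq 15 deny 192.168.0.0/16 le 32
ip prefix-list NO-RFC1918 seq 20 permit 0.0.0.0/0 le 32
!
router bgp 64496
 neighbor 203.0.113.1 remote-as 64497
 neighbor 203.0.113.1 prefix-list NO-RFC1918 out
```

To confirm nothing private is being announced, `show ip bgp neighbors 203.0.113.1 advertised-routes` on the 7206 should list only the public /24; a `show ip route 10.2.0.0` on branch A should resolve to Tunnel0 and nowhere else.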
