RE: routing over vpn tunnels

From: Tim (ccie2be@nyc.rr.com)
Date: Fri Dec 09 2005 - 13:18:07 GMT-3


Hey Rik,

That's what they claimed -- if they were to run OSPF and VPN on their Lucent
routers, their routers would crash.

But, I'm with you - once it's determined that a packet should exit thru the
VPN tunnel, it shouldn't matter what the packet payload is.

So, if you're missing something then so am I.

Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Guyler, Rik
Sent: Friday, December 09, 2005 11:08 AM
To: 'ccielab@groupstudy.com'
Subject: RE: routing over vpn tunnels

I agree with not being so absolute. I'm not advocating jumping on the table
and pounding one's chest about an issue. That's why I request documentation
to support a fishy-sounding claim. I misinterpreted your description
thinking the remote sites had their own (Cisco) routers and the provider's
Lucent routers were not extended to the site. Heck, I don't know anything
about what a Lucent router can and cannot do but if there were Cisco routers
at the remotes then that's a different story. ;-)

So if the endpoints are the Lucent routers then that changes everything. Is
it possible to install a small Cisco router between the remote LAN and the
provider router? You could still tunnel through their VPN for your routing
protocol functionality and you wouldn't have to worry about crashing their
box.

I was also under the impression that you couldn't use OSPF either.
Something about not being able to do that or the router would crash? Guess
I'm missing something here. Nothing new... ;-)

Rik

-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: Friday, December 09, 2005 10:46 AM
To: 'Guyler, Rik'; ccielab@groupstudy.com
Subject: RE: routing over vpn tunnels

Hey Rik,

You got that right. It is pretty scary. But, in this business I'm always
very reluctant to say, "Nope, that's absolutely wrong" even if that's what I
believe 100%. (There was a time before having failed the lab a few times
when I was supremely confident of whatever I said regarding networking.
But, I'm much more humble now and hopefully a bit or two wiser.)

I've found too many times that something I thought to be true turned out not to
be because a) something changed I was unaware of (new feature, new s/w
release, etc) b) there's another piece of info of which I'm unaware (Wait
a minute, that router wasn't included in the diagram....) c) I
misunderstood or forgot or overlooked something.

With respect to running Eigrp, I understand what you're saying about the
Lucent routers being none the wiser when that Eigrp traffic is encrypted and
passed through the VPN tunnels, however, the Lucent routers are located at
the remote sites, are the only routers at those remote sites and are the
endpoints of the VPN tunnels to HQ. That's why OSPF was being considered.
This really isn't a problem since we can run OSPF on the customer routers
and mutually redist between eigrp and OSPF.

Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Guyler, Rik
Sent: Friday, December 09, 2005 9:44 AM
To: 'ccielab@groupstudy.com'
Subject: RE: routing over vpn tunnels

Yeah, they're misunderstanding the situation. Scary isn't it? I would ask
for documentation on this phenomenon if they continue to insist it won't
work.

Their network won't know if you are sending a routing protocol from web
browsing through the tunnel so we know (wink, wink) that it will work
without crashing their stuff, especially if it's encrypted. If the client
wants EIGRP then give it to them. Set up encryption and IPIP (or GRE)
tunnels using router endpoints and send EIGRP updates to your heart's
content. Be sure to specify neighbor addresses within EIGRP. Their Lucent
routers won't have a clue, just like their SE's. :-0

Been there, done that several times before for cheap (and dynamic) WAN
circuit redundancy and it works like a charm!

Rik

-----Original Message-----
From: Tim [mailto:ccie2be@nyc.rr.com]
Sent: Friday, December 09, 2005 9:34 AM
To: 'Guyler, Rik'; ccielab@groupstudy.com
Subject: RE: routing over vpn tunnels

Hey Rik,

It's always very difficult to tell exactly what anyone is thinking
especially if those MCI guys weren't that technically savvy. I was very
explicit but I don't think they were able to understand the issue and were
just repeating what they had heard elsewhere. I even told them that if
there's a problem with broadcast or multicast traffic over their VPN
tunnels, I could set it up so ONLY unicast traffic is transmitted over their
tunnel.

But, they insisted that running OSPF and VPN tunnels would make their Lucent
routers crash. The only reason we were talking about OSPF is because these
routers are Lucent and don't support Eigrp which is too bad for this client
because this client is running Eigrp everywhere else.

They also talked about replacing those Lucent routers with Cisco routers but
I don't know if that can happen soon enough to meet this client's timetable
but we'll see.

Thanks for getting back to me. I appreciate it.

Tim

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Guyler, Rik
Sent: Friday, December 09, 2005 9:21 AM
To: 'ccielab@groupstudy.com'
Subject: RE: routing over vpn tunnels

You can also set up tunnels through the VPN for this. IPIP or GRE, either
should work. I personally use IPIP with EIGRP myself but if you're an OSPF
fan by all means that should work fine. If you use EIGRP then tunnels will
be required as EIGRP will complain about non-common subnets without them.

Sounds to me like the MCI guys were thinking you wanted to swap OSPF routes
with their stuff rather than just tunnel your OSPF through their network.
Once you establish some form of tunnel then whatever goes through it will be
transparent to them, so I don't buy their stance on this. I don't care if
it's Lucent or Lucifer routers, they won't "see" what's inside the tunnel.

I would tell them to just get the VPN up and you'll take it from there. ;-)

Rik

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Godswill Oletu
Sent: Friday, December 09, 2005 8:02 AM
To: Tim; ccielab@groupstudy.com
Subject: Re: routing over vpn tunnels

Tim,

This might be a hangoff from the general idea that you cannot run a dynamic
routing protocol across a VPN tunnel (IPSec). This is true because the IPsec
VPN will not forward multicast/broadcast traffic that most of the routing
protocols use for neighbor relationship/updates.

I believe one can tweak this by making OSPF use unicast routing, with the
neighbor command. I will also go a step further not to use a network type
that will require DR/BDR for operation, point-to-point and
point-to-multipoint network types are good candidates for this.

HTH
Godswill Oletu
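
The tunnel-and-unicast-neighbor approach that Rik and Godswill describe above, written out as an added Cisco IOS configuration example (not from the thread; all hostnames, addresses and interface names are hypothetical). A customer Cisco router sits between the remote LAN and the provider's Lucent VPN box, as Rik suggested; it builds GRE tunnels to the primary and backup HQ routers, runs EIGRP with explicit neighbor statements over them (so only unicast ever enters the provider's VPN) and prefers the primary HQ. The last stanza shows Godswill's tunnel-less variant, OSPF with the neighbor command on a network type that elects no DR/BDR.

```cisco
! Added example, not from the thread. Hypothetical addressing:
!   remote LAN 10.10.1.0/24, customer router 10.10.1.1, provider's Lucent VPN box 10.10.1.254
!   HQ-primary customer router 10.1.1.1 and HQ-backup customer router 10.2.1.1, each behind its own Lucent
! The provider's VPN only carries unicast IP between these LAN addresses (GRE is IP protocol 47),
! so its crypto ACL must permit 10.10.1.1 <-> 10.1.1.1 and 10.10.1.1 <-> 10.2.1.1.
hostname REMOTE-1
!
interface FastEthernet0/0
 description remote LAN, also the source of both GRE tunnels
 ip address 10.10.1.1 255.255.255.0
!
! Host routes to the far tunnel endpoints point at the Lucent. Longest match means these /32s
! always win, so an endpoint can never be learned back through the tunnel (recursive routing).
ip route 10.1.1.1 255.255.255.255 10.10.1.254
ip route 10.2.1.1 255.255.255.255 10.10.1.254
!
! keepalive 10 3: Tunnel0 goes line-protocol down after three missed keepalives (30 s),
! EIGRP drops the neighbor and traffic moves to Tunnel1 without waiting for hold timers.
! ip mtu / adjust-mss leave room for the GRE header plus the provider's IPsec overhead.
interface Tunnel0
 description GRE to HQ-primary
 ip address 10.255.1.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.1.1.1
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
!
! delay is in tens of microseconds; the tunnel default is 5000 (50 ms). 20000 gives every route
! via HQ-backup a worse EIGRP metric, so it is a feasible successor used only when Tunnel0 is down.
interface Tunnel1
 description GRE to HQ-backup
 ip address 10.255.2.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.2.1.1
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 delay 20000
!
! The neighbor statements switch EIGRP to unicast hellos and updates on those interfaces;
! no 224.0.0.10 multicast is sent, so nothing the provider's boxes object to ever reaches them.
router eigrp 100
 network 10.10.1.0 0.0.0.255
 network 10.255.0.0 0.0.255.255
 neighbor 10.255.1.1 Tunnel0
 neighbor 10.255.2.1 Tunnel1
 no auto-summary
!
! --- HQ-primary mirrors the tunnel (HQ-backup is identical with 10.255.2.1/30 and 10.2.1.x).
! --- The two HQ routers also peer with each other over their direct links (not shown).
hostname HQ-PRIMARY
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
!
ip route 10.10.1.1 255.255.255.255 10.1.1.254
!
interface Tunnel0
 description GRE to REMOTE-1
 ip address 10.255.1.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 10.10.1.1
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.255.0.0 0.0.255.255
 neighbor 10.255.1.2 Tunnel0
 no auto-summary
!
! --- Alternative on REMOTE-1 without tunnels (the unicast OSPF idea). Hellos and updates go as
! unicast IP protocol 89 straight to the configured neighbors, so the provider's crypto ACL must
! permit protocol 89 instead of GRE. point-to-multipoint non-broadcast elects no DR/BDR, accepts
! the neighbor command and, like point-to-point, does not check the network mask in hellos.
! The /32 static routes above still deliver the unicast hellos to the Lucent.
interface FastEthernet0/0
 ip ospf network point-to-multipoint non-broadcast
!
router ospf 1
 network 10.10.1.0 0.0.0.255 area 0
 neighbor 10.1.1.1 cost 10
 neighbor 10.2.1.1 cost 100
```

The EIGRP and OSPF stanzas are alternatives, not meant to coexist on the remote router; pick one. Either way, the provider's equipment forwards ordinary unicast between two customer addresses and never participates in the routing protocol, which is the point Rik makes about the Lucent routers not having a clue what is inside the tunnel.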

----- Original Message -----
From: "Tim" <ccie2be@nyc.rr.com>
To: <ccielab@groupstudy.com>
Sent: Friday, December 09, 2005 6:49 AM
Subject: routing over vpn tunnels

> Hi guys,
>
> Yesterday I was in a meeting with a couple engineers from MCI and a
> client.
>
> In this meeting the MCI engineers said that because they were using
> Lucent routers, they could not run OSPF through the VPN tunnels
> connecting the different sites.
>
> According to these MCI engineers the Lucent routers support OSPF and
> they support VPN but they don't support both running together.
>
> This didn't make any sense to me.
>
> How can that be?
>
> Once it's determined (by virtue of an acl) that a packet should be
> forwarded through the VPN tunnel, what difference does it make if the
> packet is an OSPF packet or something else?
>
> This was the issue this meeting was about.
>
> This client has remote sites throughout North America. Each site has
> 2 VPN tunnels - one going to a primary HQ site and a 2nd going to a
> backup HQ site.
>
> The 2 HQ sites are connected directly to each other through some high
> speed links.
>
> The objective is to have each remote site transmit traffic to the
> primary HQ site unless the link to that site is down in which case the
> remote should use the backup HQ site.
>
> Currently, the remote sites aren't running any dynamic routing protocols.
> They're using static routes.
>
> So, here's the question. Is it possible these MCI engineers are correct?
>
> TIA, Tim
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3