I'm not sure of your layout, but you would create a tunnel interface, source
as the Ethernet IP, destination of the remote Ethernet IP, with a common
subnet between the tunnel interfaces. This builds your GRE. Add your IPSEC on
top of it if security tightening is needed. Apply BGP.
Regards,
Jay McMickle- 2x CCIE #35355 (R/S,Sec)
On Jul 20, 2013, at 3:56 PM, Jitendra Anbu <jitanbu_at_gmail.com> wrote:
> Hi Jay & Nadeem, yes this is an option I am looking at & also simply running
> IPSec over BGP. I suppose what keeps bugging me is the BGP peering between the
> Hub and the spokes (branches). That is, do I create Dot1Q interfaces with
> multiple IP addresses of /30 between the Hub and the spokes OR because all
> devices are in the same VLAN do I simply peer based on their interface IP
> addresses (which is a pool of /24). I also intend to provide QoS guarantees
> between the Hub and the spokes, so I feel individual /30 would be the best way
> to go. Like to know what you guys think.
>
> Thanks heaps.
>
> Jit
>
>
> On Fri, Jul 19, 2013 at 9:31 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
>> I'm not sure I understand the issue fully, but can't you create a GRE
>> tunnel between each hub/spoke and run BGP over the tunnel? You can password
>> protect BGP and/or run IPSEC over GRE if you are really concerned about
>> Security.
>>
>> Regards,
>> Jay McMickle- 2x CCIE #35355 (R/S,Sec)
>>
>> On Jul 19, 2013, at 1:40 AM, Jitendra Anbu <jitanbu_at_gmail.com> wrote:
>>
>> > Thanks Nadeem, I guess you're right, this method will work fine. But, I was
>> > wondering if there was any Cisco best practice when it comes to this sort
>> > of implementation.
>> >
>> > Rgds,
>> > Jit
>> >
>> >
>> > On Fri, Jul 19, 2013 at 4:20 PM, Nadeem Anjum <nadeemkool_at_yahoo.com> wrote:
>> >
>> >> This is already a better way. Do you require any specific feature btw this
>> >> connectivity?
>> >>
>> >>
>> >>
>> >> Thanks,
>> >> Nadeem Anjum
>> >>
>> >> ------------------------------
>> >> *From:* Jitendra Anbu <jitanbu_at_gmail.com>
>> >> *To:* Cisco certification <ccielab_at_groupstudy.com>
>> >> *Sent:* Friday, July 19, 2013 9:54 AM
>> >> *Subject:* Real world scenario
>> >>
>> >> Hi experts, I have a real world question & hoping someone can provide some
>> >> advice/guidance. The diagram below represents network connection(s) with a
>> >> service provider's Layer 2 switched network. These connections are Ethernet
>> >> and all customer devices have layer 3 reachability between the Hub router
>> >> and the Branch routers. Here are my questions and concerns:
>> >>
>> >> What is the best way to run a "secure" BGP connection(s) between the HUB
>> >> and the branches B1 and B2? Assuming each branch and Hub will be in its own
>> >> private AS. Also, the ISP does not take part in any routing. This might
>> >> sound simple, just running p2p BGP sessions between the Hub and the
>> >> branches and using IPSec to secure the data plane. But is there a better
>> >> way to do this?
>> >>
>> >>        HUB
>> >>         |
>> >>      ___|___
>> >>     |__ISP__|
>> >>      |     |
>> >>      |     |
>> >>      B1    B2
>> >>
>> >> Thanks,
>> >> J
>> >>
>> >>
>> >> Blogs and organic groups at http://www.ccie.net
>> >>
>> >> _______________________________________________________________________
>> >> Subscription information may be found at:
>> >> http://www.groupstudy.com/list/CCIELab.html
Received on Sat Jul 20 2013 - 19:40:07 ART
This archive was generated by hypermail 2.2.0 : Thu Aug 01 2013 - 08:45:50 ART
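
Added example, not part of the original thread: one way to lay out the GRE tunnel, IPsec protection and password-protected BGP session described in the top reply, for the Hub and branch B1. All addresses, AS numbers, names and the `<...>` secrets are constructed placeholders, and the syntax assumes IOS 15.x-era crypto support.

```cisco
! Constructed lab values: 192.0.2.0/24 stands in for the shared provider VLAN,
! 10.255.0.0/30 for the tunnel subnet, AS 65000 (Hub) and AS 65001 (B1).
! ---------- HUB ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.11
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-GRE
!
interface Tunnel1
 description GRE to B1 (one tunnel and one /30 per spoke)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.11
 tunnel protection ipsec profile PROT-GRE
!
router bgp 65000
 neighbor 10.255.0.2 remote-as 65001
 neighbor 10.255.0.2 password <BGP-MD5-PLACEHOLDER>
!
! ---------- B1 (mirror of the Hub side) ----------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.1
crypto ipsec transform-set TS-GRE esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-GRE
!
interface Tunnel1
 description GRE to Hub
 ip address 10.255.0.2 255.255.255.252
 tunnel source 192.0.2.11
 tunnel destination 192.0.2.1
 tunnel protection ipsec profile PROT-GRE
!
router bgp 65001
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 password <BGP-MD5-PLACEHOLDER>
```

After applying both sides, `show crypto ipsec sa` should show encaps/decaps counters increasing and `show ip bgp summary` should list the neighbor on its tunnel address, confirming the BGP session runs inside the protected tunnel rather than directly across the provider VLAN.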