Set up a VPN tunnel over leased lines

egyptology
Level 1

Hi,

I'm involved in a project which needs to set up WAN links between a small company HQ and four branches.

 

a. are leased lines considered secure or not?

 

b. Can IPsec VPNs be built on top of leased-line communication protocols or not?

 

c. What WAN protocols can work with IPsec VPNs?

 

Thanks

 

1 Accepted Solution

Accepted Solutions

Reza Sharifi
Hall of Fame

Hi,

a. Are leased lines considered secure or not?

Yes, leased lines are usually a hand-off connection (fiber or copper) from the provider. The line is yours only. That is the reason that leased lines are not cheap.

b. Can IPsec VPNs be built on top of leased-line communication protocols or not?

Yes, but there is no need for an IPsec VPN since the private line is only yours.

c. What WAN protocols can work with IPsec VPNs?

You can use any routing protocols or static routes.

HTH

 

 


7 Replies


Thanks Reza

Hi,

Everything Reza mentioned is true except for a slight correction on part C.

You'll need GRE, or to be more specific GRE over IPsec, in order to run dynamic routing protocols (e.g. EIGRP, OSPF) and also support multicast/broadcast.

You only choose this option if you're buying cheaper WAN access (such as xDSL) running over the public internet.

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

John, on later IOS images, you can run dynamic routing over VTI tunnels, which are IPSec, but not GRE.

Hi Joseph,

You're right. I checked my notes again and VTI indeed supports dynamic routing protocols.

I guess it's not as popular as the GRE over IPsec implementation.

 

IPsec VTIs have many benefits:

* Simplify configuration: Configuring IPsec peering is much simpler when using virtual tunnel interfaces as compared to configuring IPsec peering with crypto maps or GRE/IPsec tunnels.

* Flexible interface feature support: An IPsec VTI is a Cisco IOS Software interface that offers the flexibility of accepting features that can be applied to physical interfaces (that operate on ciphertext traffic) or the IPsec VTI that operates on clear-text traffic.

* Support for multicast: IPsec VTIs support multicast traffic such as voice and video.

* Better scalability: IPsec VTIs require fewer SAs to support all types of traffic.

* Routable interface: Like GRE/IPsec, VTIs support all types of IP routing protocols, which provides scalability and redundancy.

The IPsec VTI has the following limitations:

* The IPsec VTI is limited to only IP unicast and multicast traffic, while the GRE/IPsec tunnels support a much wider range of protocols and applications.

* Cisco IOS Software IPsec stateful failover is not supported on VTIs, although other redundancy features, such as dynamic routing protocols, can be used as alternative failover methods.

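To make the GRE-over-IPsec versus VTI distinction from the two posts above concrete, here is a minimal Cisco IOS hub-side configuration for a route-based IPsec VTI with EIGRP running across it. This is an added illustration, not configuration from any post in this thread; the interface name, addresses, tunnel subnet and pre-shared key placeholder are all assumed values.

```cisco
! Added example (not from the thread): hub side of a route-based IPsec VTI.
! Assumed values: Gi0/0 is the WAN uplink, 203.0.113.2 is the branch peer,
! 10.255.0.0/30 is the tunnel subnet, 192.168.1.0/24 is the hub LAN.
!
! Phase 1 (IKEv1) policy and the pre-shared key for the branch peer
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
!
! Phase 2 transform set, bound to the tunnel through an IPsec profile
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
! The VTI: everything routed into Tunnel0 is encrypted, so no crypto map
! or "interesting traffic" ACL is needed, and one SA pair carries all flows.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! Dynamic routing across the tunnel: EIGRP hellos (multicast) traverse the
! VTI, so branch prefixes are learned without static routes.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
!
! GRE-over-IPsec equivalent: keep everything above but omit
! "tunnel mode ipsec ipv4" (GRE is the default tunnel mode); GRE also
! carries non-IP protocols, at the cost of the extra GRE header per packet.
```

The branch router mirrors this with the tunnel source/destination and the tunnel IP address swapped; with four branches, the hub needs one Tunnel interface and one profile binding per branch.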

I just wanted to say, regarding your first question, security is really relative.  Generally, a private p2p link is considered more secure than a private cloud connection (frame-relay, ATM, MPLS) which is also considered more secure than an Internet connection, but all those external connections are still visible to those inside your WAN provider.  So they are secure regarding how well you trust your provider not to "peek" into them or how likely your provider won't accidentally make your traffic visible to a 3rd party.

If your traffic content is really sensitive, it should really be encrypted end-to-end, because even your own support engineer(s) might peek at traffic they shouldn't know the content of.

Like other security issues, you need to compare risk of loss to cost to protect to make the "right" decision.

Thanks Joseph very informative
