03-18-2011 06:13 PM
Hi Folks,
I have some confusion between GRE over IPsec and Static VTI.
What is the difference between these two?
Any info is highly appreciated.
Thanks
swapneswar
03-18-2011 07:37 PM
Hi,
I think the main difference is that the IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.
Hope it helps.
Federico.
03-19-2011 03:34 PM
Hey,
Even we are also running routing protocols in static VTI. If this is the case, does it make any difference for unicast and multicast?
Please explain a bit more. I am still confused. Do you have any documents or URLs to refer to?
Thanks
swapneswar
03-21-2011 11:01 AM
Hi,
Regular IPsec tunnels are only capable of transporting IP unicast traffic.
This is a problem when you want to pass routing protocols through the tunnel like OSPF or EIGRP for example.
Static VTI is a way to be able to pass multicast traffic through the tunnel using IPsec (hence use OSPF or EIGRP).
When you need to pass non-IP traffic like AppleTalk or IPX or virtually any other thing you can use GRE.
GRE encapsulates any packet in a unicast GRE packet (IP protocol 47) and therefore IPsec is able to encrypt it and pass it through the tunnel.
When using IPsec/GRE, IPsec is not aware of the protocols being transferred by GRE, as it's aware only of encrypting GRE packets.
Normally, you want to use only IPsec encryption (not encapsulation), as the encapsulation is being done by GRE and you want to avoid unnecessary overhead.
Hope it helps.
More info:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
Federico.