
Why does DMVPN contain GRE?

I read that a GRE tunnel provides the possibility to use a dynamic routing protocol such as EIGRP or OSPF, because IPsec doesn't support multicast and broadcast, which are used by these protocols. I read about GRE encapsulation, but I don't understand how this encapsulation permits multicast.

IPsec doesn't support multicast because the IKE protocol does not expect to negotiate security associations between more than two devices.

Please, I need some detailed explanations about this, to know how GRE encapsulation allows multicast.

Thanks in advance

Abdelilah

Marcin Latosiewicz
Cisco Employee

You can have multicast over IPsec directly, in several ways; one such implementation is called (s)VTI, and it has its limitations.

GRE (over IPsec and without it) allows greater flexibility; in fact it allows IP and non-IP protocols to ride on top.

If you will...

GRE encapsulation emulates a virtual p2p circuit between end points.

mGRE emulates point to multipoint circuit(s).

M.

Thank you

Why GRE can support multicast and normal IPsec can't is explained on this link by Paul.

Rudy,

Actually, just to be clear, to quote from the link:

There is really no reason that the ESP in IPSec could not transport multicast. It is just challenging because IPSec is implemented as a policy based VPN as opposed to a route based VPN

Most implementations (including Cisco) are agnostic to what rides on top as long as it's IP.

The challenge is building the right policy. IPsec "supports" multicast, or rather it's not aware whether the packet forwarded is mcast or not. With notable exceptions related to some implementations.

M.

Thanks M, my understanding so far is that "normal" IPsec can only transport unicast packets, not multicast and broadcast (unless VTI is used as you have mentioned above); that is why we need to encapsulate the multicast packet in GRE first if we want to have a routing protocol/multicast running on IPsec.

olpeleri
Cisco Employee

Hello,

NHRP is not an IP protocol but a layer 2 protocol. Because of that we need GRE, which can encapsulate ANYTHING from IPX to MPLS or CDP.

IPsec IPv4 can encapsulate and encrypt only IP...

That's the only reason...

Cheers,

Olivier
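The encapsulation discussed in this thread, as an added example (not code from any poster or from Cisco): an OSPF hello addressed to the multicast group 224.0.0.5 is wrapped in a basic RFC 2784 GRE header and an outer unicast IPv4 header, so a single policy selector for IP protocol 47 between the two tunnel endpoints covers it. All addresses are constructed sample values, and `selector_matches` is a simplified, hypothetical model of a policy-based selector (crypto ACL entry), not IOS behaviour.

```python
import ipaddress
import struct

GRE_PROTO = 47           # IP protocol number for GRE
OSPF_PROTO = 89          # IP protocol number for OSPF
ETHERTYPE_IPV4 = 0x0800  # GRE "protocol type" value for an IPv4 payload

def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    def hdr(csum: int) -> bytes:
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, csum,
                           ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr(ipv4_checksum(hdr(0))) + payload

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # Basic RFC 2784 header: no checksum/key/sequence bits, version 0, then payload type.
    gre_header = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner, ttl=255)

def selector_matches(packet: bytes, src_net: str, dst_net: str, proto=None) -> bool:
    """Policy check on the outermost IPv4 header only (assumed, simplified model)."""
    pkt_proto = packet[9]
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    return (src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net)
            and (proto is None or proto == pkt_proto))

def demo() -> dict:
    # Constructed sample: placeholder OSPF hello from a site-A router to AllSPFRouters.
    hello = ipv4_packet("10.1.0.1", "224.0.0.5", OSPF_PROTO, b"\x00" * 24, ttl=1)
    wrapped = gre_encapsulate(hello, "192.0.2.1", "198.51.100.2")
    lan_policy = ("10.1.0.0/16", "10.2.0.0/16", None)            # subnet-to-subnet selector
    gre_policy = ("192.0.2.1/32", "198.51.100.2/32", GRE_PROTO)  # one selector for the tunnel
    return {
        "hello_vs_lan_policy": selector_matches(hello, *lan_policy),
        "wrapped_vs_gre_policy": selector_matches(wrapped, *gre_policy),
        "outer_dst_is_multicast": ipaddress.IPv4Address(wrapped[16:20]).is_multicast,
        "inner_dst": str(ipaddress.IPv4Address(wrapped[24 + 16:24 + 20])),
    }

if __name__ == "__main__":
    print(demo())
```

The bare hello fails the subnet-to-subnet selector because its destination is the multicast group, while the GRE-wrapped copy presents only unicast tunnel endpoints to the policy and still carries 224.0.0.5 in the inner header.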
