CHAPTER
IP Multicast in a Site-to-Site VPN
This chapter discusses the basic layout needed to use IP multicast in a Virtual Private Network (VPN) and includes the following sections:
• Site-to-Site VPN Overview
• VPN Deployment Model
• Multicast VPN Deployment Recommendations
• Multicast Site-to-Site VPN Deployment Summary
Site-to-Site VPN Overview
The following section is an overview of Site-to-Site VPNs. The following topics are discussed:
• IPSec Deployment with GRE
• Managing IPSec and GRE Overhead
• Redundant VPN Head-end Design
IPSec Deployment with GRE
Generic routing encapsulation (GRE) is often deployed with IPSec for several reasons, including:
• IPSec supports unicast IP only. If network layer protocols other than IP are to be supported, an IP encapsulation method must be chosen so that those protocols can be transported in IP packets.
• Multicast is not supported with IPSec. Because IPSec was created to be a security protocol between two and only two devices, a service such as multicast is problematic. An IPSec peer encrypts a packet so that only one other IPSec peer can successfully decrypt it. Multicast is not compatible with this mode of operation.
• IPSec tunnels are not logical tunnel interfaces for routing purposes. A GRE tunnel, on the other hand, is a logical router interface for purposes of forwarding IP (or any other network protocol) traffic. A GRE interface may appear as a next-hop interface in a routing table. If a routing protocol that uses unicast for peer communication (such as BGP) were run over an IPSec tunnel alone, the router would learn the available routes through the physical interface on which IPSec was configured. This is problematic if the IPSec peer is not directly connected to that physical interface.
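The following Cisco IOS configuration is an added example, not taken from this design guide, of the GRE-over-IPSec arrangement the points above describe. PIM runs on the GRE tunnel interface, so multicast traffic enters the tunnel as ordinary unicast GRE packets, and IPSec then protects that unicast GRE flow between the two peers. All addresses (192.0.2.0/24 and 10.0.0.0/30) are constructed for illustration, the tunnel and profile names are arbitrary, and the pre-shared key is a placeholder.

```cisco
! --- Added example (not from the design guide). Head-end side of one
! --- GRE-over-IPSec tunnel; the remote peer mirrors it with addresses swapped.

! Phase 1: IKE policy and the pre-shared key for the remote peer (constructed address)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER_PRESHARED_KEY address 192.0.2.2

! Phase 2: transform set. Transport mode is enough because GRE already
! supplies the outer IP header; this saves 20 bytes per packet of overhead.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport

! Bind the transform set to a profile that will be applied to the tunnel
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS

! Enable multicast forwarding on the router
ip multicast-routing

! Physical WAN interface carrying the encrypted GRE packets (constructed address)
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252

! The GRE tunnel is the routing and PIM interface; IPSec is attached to it
! with tunnel protection, so only GRE traffic between the peers is encrypted.
interface Tunnel0
 description GRE-over-IPSec to branch (constructed example)
 ip address 10.0.0.1 255.255.255.252
 ip pim sparse-mode
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode gre ip
 tunnel protection ipsec profile GRE-PROT

! Sparse-mode RP reachable through the tunnel (constructed address)
ip pim rp-address 10.0.0.1

! Unicast routing runs over the tunnel interface, not over the physical
! interface, which is the point of the third bullet above.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
```

To confirm the design is behaving as intended, `show ip pim neighbor` should list the remote peer on Tunnel0, `show ip route` should show the branch prefixes with Tunnel0 as the outgoing interface, and `show crypto ipsec sa` should show encrypt and decrypt counters rising for the GRE flow between 192.0.2.1 and 192.0.2.2 while multicast traffic is being sent.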
Cisco AVVID Network Infrastructure IP Multicast Design