That's the heart of my original question, really.  I'm fairly new to
IPSec and I wasn't sure how to configure that.  I suppose I could set up
the same remote peer in two different maps: one for the primary route
and one for the secondary route.

In that case, would this count as two sessions since there are now two
active tunnels?  I was assuming it would count as two unless the
secondary tunnel doesn't even come active until traffic is present.

Hmm...interestingly, while typing I realized that due to a quirk in our
network design, encrypting the traffic while they're on the backup link
is probably not feasible for the time being so this is almost a moot
point.  It would be nice to know how to configure it when the time
comes, though.

Thanks,
John

>>> "Gareth Hinton" 6/22/01 1:50:06 PM >>>
Hi John

Can't you keep the peers down to one per site if you use loopback
addresses on each router as the encryption peer?

Gaz


"John Neiberger" wrote in message news:[EMAIL PROTECTED]...
> The '150' number would only be if certain branches had to peer twice:
> once over the primary route and once over the secondary-but-always-up
> route.  In actuality, there would still be about 90 peers on that single
> 7513 but the volume of traffic per peer is going to be pretty low.  It's
> only tn3270 and DLSw stuff.  The rest of the interbranch traffic will
> remain in the clear.
>
> Is that still going to be too many peers?  I know that the 7513 has a
> card to do hardware encryption.  It looks like we may have to check into
> that again.
>
> Thanks,
> John
>
> >>> "Dana J. Dawson" 6/21/01 4:38:07 PM >>>
> IPSec and redundancy is hard.  The usual recommendation is to use GRE
> tunnels over IPSec, since the tunnels provide a logical interface over
> which you can run a routing protocol that will provide the redundancy.
>
> With plain old IPSec, you use access-lists to specify which traffic
> goes to which peer, and you can't overlap any of your crypto access-lists
> (those referenced in a "match address" command in a crypto map).  This
> precludes the possibility of doing redundancy this way.
>
> That being said, you don't want to terminate 150 peers in your 7513,
> especially if you want that router to do anything else.  With this
> scale of VPN network, you should have a dedicated VPN concentrator.
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9562&t=9225
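An added configuration sketch (not from any poster on this thread) of the GRE-over-IPSec design Dana describes, combined with the loopback peering Gareth suggests, hub side only; the addresses, interface names, ACL and map names and the pre-shared key are hypothetical placeholders.

```cisco
! Hub side of the design (the thread's 7513); the branch is a mirror image.
! Hypothetical addresses: hub Loopback0 10.255.0.1, branch Loopback0 10.255.0.2.
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key PRESHARED-KEY-PLACEHOLDER address 10.255.0.2
!
crypto ipsec transform-set GRE-SET esp-3des esp-sha-hmac
 mode transport
!
! The crypto ACL matches only GRE between the two loopbacks, so the ACLs
! for different branches never overlap, whatever prefixes ride inside.
ip access-list extended BRANCH2-GRE
 permit gre host 10.255.0.1 host 10.255.0.2
!
! local-address makes IPSec peer from the loopback (Gareth's suggestion):
! one peer per site instead of one per WAN link.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 10.255.0.2
 set transform-set GRE-SET
 match address BRANCH2-GRE
!
interface Tunnel2
 ip address 10.254.2.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Apply the map on every physical path, primary and backup, so the same
! peer stays protected on whichever link carries it.
interface Serial1/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
interface Serial1/1
 ip address 192.0.2.5 255.255.255.252
 crypto map VPN
!
! The branch loopback fails over in the underlay (floating static here),
! never via the tunnel itself, or the tunnel would route recursively.
ip route 10.255.0.2 255.255.255.255 192.0.2.2
ip route 10.255.0.2 255.255.255.255 192.0.2.6 200
!
! Branch LAN prefixes are learned over the tunnel by the routing protocol.
router eigrp 100
 network 10.254.0.0 0.0.255.255
 network 10.1.0.0 0.0.255.255
```

Because the tunnel and its IPSec SAs are keyed on the loopbacks rather than on a WAN interface, a link failure changes only the underlay route to the peer; the session count stays at one per site.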