Re: [nsp] questions on 4006, 6509 *SFC cards

From: kevin graham (kgraham@dotnetdotcom.org)
Date: Wed Apr 17 2002 - 16:11:04 EDT


> Can a 4006 RSFC and 6509 MSFC support IPSEC and
> GRE Tunnels for VPNs?

www.cisco.com/go/fn indicates Yes for the MSFC, but no ipsec for the RSFC
(not sure what the plans are for this product anyways, given cat4/sup2).
However, this is undoubtedly going to be undesirable given your
application, as there aren't any crypto accels supported on either, so
you'll have crap for throughput. Digging up some 2600s would probably be
preferable for this, if nothing else to keep it off the MSFC, and provide
an option for an AIM-VPN/(BP|EP) when funds permit.

> Can GRE tunnel IP's be virtual interfaces (like Loopback0)?
> and if so,

Not sure what you mean by this, as a GRE tunnel has its own interface. If
terminating lots of tunnels you could always go unnumbered to a loopback,
but I would imagine crypto-maps would get ugly using unnumbered ints (never
tried it myself).

> Reasoning behind the questions: documentation says
> having wireless traffic in their own vlan, on their own
> subnet a good thing, and also that VPN's can add
> security to a wireless network.

If you're talking about this for end users (first paragraph was assuming
you were tying together campus buildings), then it will be easiest to toss
the wireless users on their own vlan(s), and leave L3 unencrypted for
normal traffic, then simply require them to come back in through whatever
traditional off-site VPN gateway you use to access campus resources. Gives
them the service, but keeps you from having to waste resources encrypting
porn and shopping sites, and builds on (hopefully) existing resources..

..kg..


