[c-nsp] Max number of IPSEC Tunnels on 7513

Rodney Dunn rodunn at cisco.com
Mon Apr 25 13:32:36 EDT 2005


On Mon, Apr 25, 2005 at 11:21:09AM -0600, John Neiberger wrote:
> Thanks for the tip! :)  What if I needed to terminate 110+ tunnels? Would
> a 720xVXR work?

With an NPEG1 and a VAM for encryption at the control plane
you should be fine but you need to evaluate the data
rates.

i.e., target packets/sec and target throughput per tunnel

If it's spoke routers, make sure you set up a routing protocol
that would work. The best in my opinion is EIGRP stubs.

DMVPN is targeted towards spokes that have dynamic WAN
IP addresses (i.e., DHCP) and it does make the configuration
simpler. We have a lot of customers moving in that direction
and things are being worked out along the way (i.e., multicast,
QoS, etc.)

P2P GRE tunnels may give you a little more feature flexibility currently
if you are looking to do fancy stuff.

Rodney

> 
> On a related note, I've been hearing a little about DMVPN. Would that
> be something I should consider in order to simplify the config, or
> should I forget attempting to terminate a minimum of 110 tunnels on a
> single box?
> 
> Thanks,
> John
> 
> >>> Rodney Dunn <rodunn at cisco.com> 4/25/05 10:53:01 AM >>>
> >I don't recommend doing IPSEC on a 75xx. 
> >
> >You would be much better with a 18xx/28xx/38xx/7301/72xx
> >type box with hardware acceleration for IPSEC.
> 