[c-nsp] Max number of IPSEC Tunnels on 7513

John Neiberger John.Neiberger at efirstbank.com
Mon Apr 25 13:40:57 EDT 2005


>>> Rodney Dunn <rodunn at cisco.com> 4/25/05 11:32:36 AM >>>
>On Mon, Apr 25, 2005 at 11:21:09AM -0600, John Neiberger wrote:
>> Thanks for the tip! :)  What if needed to terminate 110+ tunnels? Would
>> a 720xVXR work?
>
>With an NPEG1 and a VAM for encryption at the control plane
>you should be fine but you need to evaluate the data
>rates.
>
>ie: Target packets/sec and target throughput per tunnel
>
>If it's spoke routers make sure you set up a routing protocol
>that would work. The best in my opinion is EIGRP stubs.
>
>DMVPN is targeted towards spokes that have dynamic WAN
>ip addresses (ie: DHCP) and it does make the configuration
>simpler. We have a lot of customers moving in that direction
>and things are being worked out along the way (ie. multicast,
>QOS, etc..)
>
>P2P GRE tunnels may give you a little more feature flexibility currently
>if you are looking to do fancy stuff.
>
>Rodney

This would be simple TN3270 so we're looking at a pretty low data rate.
We'd have approximately 110 spoke routers and one hub. The spokes would
not need to speak to each other (at least regarding this application.)

I believe that matters are complicated by the fact that we just
migrated to an MPLS-based VPN and our routing protocol is now BGP. All
of our sites use eBGP to peer with our provider. My preference would be
to encrypt this traffic at the client and not at the network level. This
is possible but we would have to switch all of our users to a different
client and management isn't real thrilled about that idea. It is
expensive and it would cause a lot of application layer problems and
create a lot of additional work for our programmers.

So, of course, they'd rather push the encryption onto the network and
make my life miserable. :)

Ah, I just noticed that the new legal disclaimer is being added to all
of my emails. :-(  I think I'll switch over to my home address. Those
disclaimers are simply too annoying.

Thanks,
John
