[c-nsp] Virtual Tunnel Interface - experiences?

Christian Zeng christian at zengl.net
Thu Nov 10 08:31:20 EST 2005


at the moment, our L2L VPN cloud consists of one hub (3725) and spokes
(>100 836), running plain old certificate-based IPSec VPN. IPSec traffic
definition is done through cryptomaps. No dynamic routing, no GRE and/or
DMVPN stuff.

Now there is a requirement to let spokes connect to new networks
behind the hub. This requires additional configuration in all
cryptomaps. In the future, more networks may be introduced.

Besides this configuration task, I'm concerned that the spokes will be
oversubscribed due to the increased number of active IPSec SAs. I cannot
aggregate networks; most of them are in different /8s.

Because of this, we want to implement Virtual Tunnel Interfaces and run
a routing protocol over the IPSec-protected tunnel. I do not like the
idea of running DMVPN or similar setups, mainly because of the
tunnel-in-tunnel-in-tunnel overhead and, IIRC, you would need cryptomap
ACL definitions in such a setup, too. VTI has the advantage of a single
"ip any any" IPSec SA without additional encapsulation through GRE etc.

After some initial setup trouble, (dynamic) VTI runs fine in the test
lab between a hub and 2 spokes.

Before migrating our complete VPN cloud: does anybody have real-world
experience with VTI?

Thank you,
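
As an added illustration of the contrast the post draws (example configuration, not from the poster or the list), here is a spoke-side IOS snippet: a crypto map entry that needs one ACL line per network behind the hub, beside a static VTI that carries a single any/any IPSec SA and learns the hub networks through a routing protocol. Interface names, addresses, the profile name and the use of OSPF are assumptions; the ISAKMP policy and certificate trustpoint are unchanged between the two and omitted.

```text
! --- Before: crypto map, one ACL line per protected network (assumed names/addresses)
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
ip access-list extended HUB-NETS
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.10.0 0.0.0.255 11.0.0.0 0.255.255.255
 ! every new network behind the hub needs another line here, on every spoke,
 ! and each line that matches traffic brings up its own IPSec SA pair
!
crypto map CM 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address HUB-NETS
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map CM

! --- After: static VTI, one tunnel with a single IPSec SA pair, routes learned dynamically
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 ! no crypto map on the physical interface any more
!
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

After the change, `show crypto ipsec sa` on the spoke should list a single SA pair for Tunnel0 with local and remote identities of 0.0.0.0/0.0.0.0, and `show ip route ospf` should show the hub networks without any per-network crypto configuration.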

