GRE based VPN with IPSec and OSPF design questions
I'm looking for help on the following issue:
I have a need to add new WAN links onto an existing insecure network linking untrusted sites. This is based on 7206 routers with OSPF, EIGRP and IPSec running over ATM and frame links; firewalls also separate this network from the internal trusted customer sites.
The new links are ATM PVCs and are to pass traffic from internal sites, and will also use OSPF. However, the OSPF networks running across these new links must not appear in the existing OSPF route tables; this would probably cause routing problems and must be avoided. Hardware at both ends is 7200VXR with SA-VAM for encryption.
After research into this I see 3 solutions:
Policy based routing seems simple at first, but I ruled this out because I can see that this would give me problems with the route table.
VRF instances on the 7206: I have no experience of this at all and am not sure if I could run this with the existing network. All the documentation I read refers to MPLS and BGP. I really want to keep the existing network as it is if possible.
GRE tunnels seem to offer the solution, but I'm not sure of the performance. There will be 2 ATM PVCs with a PCR of 20Meg, and they will be carrying a lot of traffic. GRE appears to be process switched, but some recent documents refer to CEF switching of GRE multipoint. Is the Std GRE CEF switched now as well? I will apply the IPSec using the SA-VAM card fitted in the 7204VXR routers.
I'm thinking of terminating the tunnel on an ethernet port connected to the secure internal network.
GRE and IPSec used together could result in degraded performance due to a phenomenon referred to as double fragmentation (which is nothing but fragmentation happening twice, once before GRE and once again after IPsec). This increases latency and lowers throughput. You should probably have a look at http://www.cisco.com/warp/public/105/pmtud_ipfrag.html#fifth.
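Added example, not part of the original thread: a small Python model of the double fragmentation described in the reply above, following one packet through fragmentation before GRE and again after IPsec. It assumes ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96, a 1500-byte physical MTU, and DF clear on the inner packet; the tunnel MTU values 1476 (1500 minus the 24-byte GRE/IP overhead) and 1400 are constructed sample inputs.

```python
IP_HDR, GRE_HDR = 20, 4  # bytes: IPv4 header without options, basic GRE header

def fragment(total_len, mtu):
    """Split one IPv4 packet (length includes its header) so each piece fits mtu."""
    if total_len <= mtu:
        return [total_len]
    step = (mtu - IP_HDR) // 8 * 8          # fragment payloads are multiples of 8 bytes
    payload, sizes = total_len - IP_HDR, []
    while payload > 0:
        chunk = min(step, payload)
        sizes.append(chunk + IP_HDR)        # every fragment carries its own IP header
        payload -= chunk
    return sizes

def esp_tunnel_len(inner_len, block=8, iv=8, icv=12):
    """ESP tunnel-mode packet size; defaults assume 3DES-CBC + HMAC-SHA1-96."""
    padded = -(-(inner_len + 2) // block) * block   # +2: pad-length and next-header bytes
    return IP_HDR + 8 + iv + padded + icv           # outer IP + SPI/sequence number

def path(packet_len, tunnel_mtu, link_mtu=1500):
    """Return (packet sizes on the wire, number of stages that had to fragment)."""
    splits, wire = 0, []
    pre = fragment(packet_len, tunnel_mtu)          # stage 1: before GRE encapsulation
    splits += len(pre) > 1
    for p in pre:
        gre_packet = p + GRE_HDR + IP_HDR
        post = fragment(esp_tunnel_len(gre_packet), link_mtu)   # stage 2: after IPsec
        splits += len(post) > 1
        wire.extend(post)
    return wire, splits

if __name__ == "__main__":
    for mtu in (1476, 1400):                # constructed sample tunnel MTU values
        wire, splits = path(1500, mtu)
        print(f"tunnel MTU {mtu}: wire packets {wire}, fragmenting stages {splits}")
```

With the 1476-byte tunnel MTU the first fragment grows to 1552 bytes after encryption and is split a second time, so the IPsec peer has to reassemble before it can decrypt; with 1400 the encrypted packets fit the link and only the inner fragmentation remains.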