09-04-2012 12:40 AM
Hi All,
I have a requirement to configure static crypto for 1800 sites, and I need to configure it on two separate interfaces at each spoke site, which means I need to configure 1800*2 = 3600 peers at the central site. The challenge I have is that, due to load balancing, dynamic crypto cannot be used, since traffic may be initiated from the DC on the other link and may get dropped in case it is not encrypted.
Looking for some simpler way to configure this.
Experts need your help.
Regards,
Bhavesh
09-04-2012 05:04 AM
Hi,
Could you please be more specific on what you mean by "load-balancing"?
Which devices are you planning to use for this deployment?
Thanx.
Portu
Sent from Cisco Technical Support Android App
09-04-2012 05:31 AM
Thanks Javier for the response. Please find the clarification.
Load balancing means I have 2 Service Providers (SPs) at each site, on which I am building the IPsec. Load distribution between the 2 links is taken care of by the routing protocol. For each SP I am configuring a separate crypto map with redundancy at the central site.
At the central site I have two Cisco 7206s with VAM2.
Regards,
Bhavesh
09-04-2012 05:59 AM
Bhavesh,
Have you considered VTI or DMVPN instead, so you do not depend on a specific crypto map and static routing?
Configuring a Virtual Tunnel Interface with IP Security
Dynamic Multipoint VPN (DMVPN)
With this, you can have your routing protocol make the routing decision / load-balancing across the tunnel interfaces; both tunnels will be active, even passing traffic simultaneously.
Please let me know.
09-04-2012 06:04 AM
Hi Javier,
I am sorry, as I forgot to mention that I am using selective encryption here. Only business-critical traffic is being encrypted. Hence I used BGP for routing and specific IP-based encryption.
Regards,
Bhavesh
09-04-2012 06:49 AM
I see. Is this crypto map solution already implemented? I cannot determine which network design would be the best for you, since I am not familiar with all your internal policies and requirements, but I can suggest.
Usually, I encourage people to use VTI or DMVPN since they are more scalable and easier to maintain than LAN-to-LAN tunnels with huge ACLs.
My idea is this:
          Tunnel1                  Tunnel1
      |-------------|          |-----------|
Hub   |  Internet   |          |   Spoke   |
      |-------------|          |-----------|
          Tunnel2                  Tunnel2
An IGP running across the tunnel interfaces (VTI) will make the routing decision for you, according to how you tune it up.
For instance:
You could use EIGRP to load-balance the traffic (equal cost at this point, since you only have two links):
So the router will keep both IPsec tunnels up, and traffic will flow across the Tunnel interfaces following the EIGRP routing conditions.
*******************
On the other hand, if you want to go with the crypto map condition, I would still suggest GRE/IPsec and do the same thing, but let's say that GRE will not be used.
Without any kind of routing protocol, load-balancing will not be achieved at all. You can still have two routes pointing to two next-hops to reach the same destination network, but this is not recommended and may not behave as expected.
*****************
Summary:
In order to load balance traffic across two tunnels, I suggest:
1- DMVPN
2- VTI
3- GRE/IPsec
In conjunction with an IGP.
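The VTI + EIGRP design suggested above, written out as an added example (not configuration from the thread, and not tested on the 7206/VAM2 the original poster mentions). Everything concrete in it is an assumption: the interface names, the documentation-range addresses 203.0.113.0/24 and 198.51.100.0/24 for the two service providers, the 10.255.x.x/30 tunnel addressing, EIGRP AS 100, the LAN prefixes, and the placeholder pre-shared key. Only the spoke side is shown in full; the hub mirrors it with one Tunnel interface per spoke per SP.

```cisco
! --- Spoke side (added example; names, addresses and AS number are assumptions) ---
! One ISAKMP policy is enough for both peers; pick the strongest DH group the
! platform's IOS release supports (group 14 assumed here).
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! One key per hub peer address (one hub interface per SP). Placeholder key,
! not a real value; use a distinct, strong PSK per spoke in production.
crypto isakmp key ReplaceWithStrongPSK address 203.0.113.1
crypto isakmp key ReplaceWithStrongPSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Profile applied to the tunnel interfaces instead of a crypto map + ACL.
crypto ipsec profile IPSEC-VTI
 set transform-set TS-AES256
!
interface GigabitEthernet0/0
 description Uplink to SP1
 ip address 203.0.113.10 255.255.255.0
!
interface GigabitEthernet0/1
 description Uplink to SP2
 ip address 198.51.100.10 255.255.255.0
!
! SVTI over SP1. "tunnel mode ipsec ipv4" makes the interface itself the IPsec
! SA endpoint: anything routed into Tunnel1 is encrypted, nothing else is.
interface Tunnel1
 description SVTI to hub via SP1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
! SVTI over SP2, identical apart from source/destination and addressing.
interface Tunnel2
 description SVTI to hub via SP2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
interface GigabitEthernet0/2
 description Spoke LAN
 ip address 192.168.10.1 255.255.255.0
!
! EIGRP runs over both tunnels. With default bandwidth/delay on both Tunnel
! interfaces the hub prefixes arrive with equal metrics, so both paths are
! installed and CEF load-shares per flow across them.
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 no auto-summary
!
! --- Hub side (excerpt): the same profile, plus two Tunnel interfaces per spoke ---
interface Tunnel1001
 description SVTI to spoke 10 via SP1
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
interface Tunnel2001
 description SVTI to spoke 10 via SP2
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
! Checks after bringing it up:
!   show crypto session            -> both peers UP-ACTIVE
!   show ip route eigrp            -> hub prefixes learned via Tunnel1 and Tunnel2
!   show ip cef 10.1.0.0 detail    -> two next-hops, i.e. both tunnels carry traffic
```

Two points worth keeping in mind with this design. First, selective encryption does not go away, it moves into routing: only prefixes reachable through the Tunnel interfaces are encrypted, so the "business-critical" ranges are selected by what EIGRP (or BGP) advertises across the tunnels rather than by a crypto ACL, and everything else keeps following the plain SP routes. Second, static VTIs still cost the hub one Tunnel interface per spoke per SP (two per spoke, so 3600 for 1800 spokes), which is exactly the scaling problem the original post describes; that is why DMVPN, which uses one mGRE tunnel interface per hub uplink with NHRP-registered spokes, is listed first in the summary above.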