VTI, physical interface

sharlino
Level 1

Hello. We have this WAN topology: HQ <-> SP's L2 VPN <-> BRANCH. We need to protect traffic between HQ and BRANCH. IPsec looks good for this job. To conserve space for payload in the IP packet (it's all about MTU), GRE tunnels are less attractive than pure L3 physical interfaces. So my questions are:

1. Is it possible somehow to apply a VTI profile to the physical interfaces?
2. Am I right about MTU and payload size, or does GRE's overhead have minimal impact on total throughput?
3. Are crypto-maps the only option for protecting traffic at the physical interface level?


Thank you!

P.S. I'm sorry for my English and silly questions, if any.

Accepted Solutions

1. Is it possible somehow to apply a VTI profile to the physical interfaces?

No, it has to go to the tunnel interface. And you need a tunneling mechanism here unless you want to deploy GET-VPN. (And no, you don't want to!)

2. Am I right about MTU and payload size, or does GRE's overhead have minimal impact on total throughput?

As with every reduction of the possible payload size, you can reduce your throughput, but only if you transfer big packets. It's likely that you can measure the impact, but your users won't get slowed down in a way that they realize it.

3. Are crypto-maps the only option for protecting traffic at the physical interface level?

Also, with crypto-maps you still have tunneling in most situations.
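
To put numbers on the MTU question, here is an added example (not part of the thread or of either poster's text) that computes the on-the-wire size of a packet under an IPsec VTI, GRE over IPsec in transport mode, and GRE over IPsec in tunnel mode. It assumes IPv4, a 1500-byte link MTU, no NAT-T, and an ESP transform of AES-CBC with HMAC-SHA1-96; the thread does not say which transform is in use.

```python
# Added example: per-packet overhead of IPsec VTI vs GRE over IPsec (IPv4).
# Assumed transform (not stated in the thread): ESP with AES-CBC + HMAC-SHA1-96,
# no NAT-T. All sizes are in bytes.
IP_HDR = 20      # outer IPv4 header without options
GRE_HDR = 4      # basic GRE header, no key/sequence/checksum
ESP_HDR = 8      # SPI + sequence number
ESP_IV = 16      # AES-CBC IV
ESP_BLOCK = 16   # AES block size; plaintext + trailer is padded to this
ESP_TRAILER = 2  # pad length + next header
ESP_ICV = 12     # HMAC-SHA1-96

def esp_size(plaintext_len):
    """Bytes of ESP (header through ICV) around plaintext_len protected bytes."""
    padded = -(-(plaintext_len + ESP_TRAILER) // ESP_BLOCK) * ESP_BLOCK
    return ESP_HDR + ESP_IV + padded + ESP_ICV

def wire_size(inner_len, mode):
    """On-the-wire IP packet size for an inner IP packet of inner_len bytes."""
    if mode == "vti":            # ESP tunnel mode: whole inner packet is protected
        return IP_HDR + esp_size(inner_len)
    if mode == "gre-transport":  # GRE delivery header doubles as the ESP outer header
        return IP_HDR + esp_size(GRE_HDR + inner_len)
    if mode == "gre-tunnel":     # GRE packet with its own IP header inside ESP tunnel mode
        return IP_HDR + esp_size(IP_HDR + GRE_HDR + inner_len)
    raise ValueError(mode)

def max_inner(link_mtu, mode):
    """Largest inner packet that still fits link_mtu after encapsulation."""
    return max(n for n in range(IP_HDR, link_mtu + 1)
               if wire_size(n, mode) <= link_mtu)

def efficiency(inner_len, mode):
    """Fraction of the transmitted bytes that is the original inner packet."""
    return inner_len / wire_size(inner_len, mode)

if __name__ == "__main__":
    for mode in ("vti", "gre-transport", "gre-tunnel"):
        print(mode, "max inner packet at MTU 1500:", max_inner(1500, mode))
        for size in (64, 512, 1400):
            print(f"  inner {size:4d} -> wire {wire_size(size, mode):4d} "
                  f"({efficiency(size, mode):.1%})")
```

Under these assumptions the largest inner packet is 1438 bytes for the VTI, 1434 for GRE in transport mode and 1414 for GRE in tunnel mode, and for many packet sizes ESP padding absorbs the 4-byte GRE header entirely.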

I appreciate your time.