12-02-2016 02:27 AM
Hello. We have this WAN topology: HQ <-> SP's L2 VPN <-> BRANCH. We need to protect traffic between HQ and BRANCH. IPsec looks good for this job. To conserve space for payload in the IP packet (it's all about MTU), GRE tunnels are less attractive than pure L3 physical interfaces. So my questions are:
1. Is it possible somehow to apply a VTI profile to the physical interfaces?
2. Am I right about MTU and payload size, or does GRE's overhead have minimal impact on total throughput?
3. Are crypto maps the only option for protecting traffic at the physical interface level?
Thank you!
P.S. I'm sorry for my English and silly questions, if any.
12-02-2016 03:13 AM
1. Is it possible somehow to apply a VTI profile to the physical interfaces?
No, it has to go on the tunnel interface. And you need a tunneling mechanism here unless you want to deploy GET-VPN. (And no, you don't want to!)
2. Am I right about MTU and payload size, or does GRE's overhead have minimal impact on total throughput?
As with every reduction of the possible payload size, you can reduce your throughput. But only if you transfer big packets. It's likely that you can measure the impact, but your users won't get slowed down in a way that they realize it.
3. Are crypto maps the only option for protecting traffic at the physical interface level?
Also, with crypto maps you still have tunneling in most situations.
12-02-2016 03:20 AM
I appreciate your time.
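To put numbers on the GRE-versus-VTI overhead discussed in this thread, here is an added example (not part of any post above) that computes on-wire ESP packet sizes for three encapsulations. It assumes IPv4 without options, ESP with AES-CBC and HMAC-SHA1-96, no NAT-T and a basic 4-byte GRE header; the function and mode names are hypothetical.

```python
# Added example: ESP size arithmetic for the encapsulations discussed in this thread.
# Assumptions (not from the thread): IPv4 without options, ESP with AES-CBC and
# HMAC-SHA1-96, no NAT-T, basic GRE header without key/sequence/checksum.
IP_HDR = 20       # IPv4 header
GRE_HDR = 4       # basic GRE header
ESP_HDR = 8       # SPI + sequence number
ESP_IV = 16       # AES-CBC initialization vector
ESP_TRAILER = 2   # pad-length + next-header bytes
ESP_ICV = 12      # truncated HMAC-SHA1-96 integrity value
BLOCK = 16        # AES block size; ESP pads the plaintext to a multiple of this

MODES = ("vti", "gre_transport", "gre_tunnel")  # hypothetical labels


def wire_size(inner_len, mode):
    """Bytes on the wire (outer IP header included) for one inner IP packet."""
    if mode == "vti":              # IPsec tunnel mode: inner packet is the ESP payload
        plaintext = inner_len
    elif mode == "gre_transport":  # GRE's IP header doubles as the outer header
        plaintext = GRE_HDR + inner_len
    elif mode == "gre_tunnel":     # the whole GRE/IP packet is wrapped again
        plaintext = IP_HDR + GRE_HDR + inner_len
    else:
        raise ValueError(f"unknown mode: {mode}")
    padded = -(-(plaintext + ESP_TRAILER) // BLOCK) * BLOCK  # round up to block
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV


def max_inner(link_mtu, mode):
    """Largest inner IP packet that fits in link_mtu without fragmentation."""
    for inner_len in range(link_mtu, IP_HDR, -1):
        if wire_size(inner_len, mode) <= link_mtu:
            return inner_len
    raise ValueError("link MTU too small for this encapsulation")


def efficiency(inner_len, mode):
    """Fraction of the transmitted bytes that is the inner packet."""
    return inner_len / wire_size(inner_len, mode)


if __name__ == "__main__":
    for mode in MODES:
        fit = max_inner(1500, mode)
        print(f"{mode:14s} max inner packet at MTU 1500: {fit} "
              f"({efficiency(fit, mode):.1%} of wire bytes), "
              f"64-byte packet -> {wire_size(64, mode)} bytes on the wire")
```

Under these assumptions, GRE protected in transport mode lowers the largest unfragmented inner packet by 4 bytes compared with a VTI, and GRE protected in tunnel mode lowers it by 24 bytes.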