The '150' number would only be if certain branches had to peer twice: 
once over the primary route and once over the secondary-but-always-up
route.  In actuality, there would still be about 90 peers on that single
7513 but the volume of traffic per peer is going to be pretty low.  It's
only tn3270 and DLSw stuff.  The rest of the interbranch traffic will
remain in the clear.

Is that still going to be too many peers?  I know that the 7513 has a
card to do hardware encryption.  It looks like we may have to check into
that again.

Thanks,
John

>>> "Dana J. Dawson"  6/21/01 4:38:07 PM >>>
IPSec and redundancy is hard.  The usual recommendation is to use GRE
tunnels over IPSec, since the tunnels provide a logical interface over
which you can run a routing protocol that will provide the redundancy.

With plain old IPSec, you use access-lists to specify which traffic
goes to which peer, and you can't overlap any of your crypto access-lists
(those referenced in a "match address" command in a crypto map).  This
precludes the possibility of doing redundancy this way.

That being said, you don't want to terminate 150 peers in your 7513,
especially if you want that router to do anything else.  With this
scale of VPN network, you should have a dedicated VPN concentrator.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9444&t=9225
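The layout Dana describes (GRE over IPSec with a routing protocol supplying the failover, and crypto ACLs that never overlap) looks roughly like this on a branch router.  This is an added example, not a config from the original thread or from either poster: the addresses, names, key strings, the choice of EIGRP and the assumption of two WAN links (primary and secondary-but-always-up) to two hub addresses are all made up for illustration.

```cisco
! Constructed example: branch router with two GRE tunnels, one per hub
! address, each protected by its own crypto map entry.  Addresses are
! from documentation ranges; keys and names are placeholders.
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-KEY-1 address 192.0.2.1
crypto isakmp key EXAMPLE-KEY-2 address 192.0.2.2
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-3des esp-sha-hmac
 mode transport
!
! Entry 10 protects GRE to the primary hub, entry 20 GRE to the
! secondary hub.  The two "match address" ACLs cannot overlap, so each
! matches exactly one (source, peer) pair and nothing else.
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set GRE-TS
 match address 101
crypto map VPN 20 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set GRE-TS
 match address 102
!
access-list 101 permit gre host 198.51.100.2 host 192.0.2.1
access-list 102 permit gre host 203.0.113.2 host 192.0.2.2
!
interface Serial0/0
 description primary WAN link
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
interface Serial0/1
 description secondary (always-up) WAN link
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface Tunnel0
 description GRE to primary hub
 ip address 10.255.1.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 192.0.2.1
 crypto map VPN
!
interface Tunnel1
 description GRE to secondary hub (backup path)
 ip address 10.255.2.2 255.255.255.252
 tunnel source Serial0/1
 tunnel destination 192.0.2.2
 delay 20000
 crypto map VPN
!
interface Ethernet0/0
 description branch LAN
 ip address 10.1.1.1 255.255.255.0
!
! Hub endpoints are reached over the underlying WAN links, never via
! the tunnels themselves (otherwise the tunnel recurses on itself).
ip route 192.0.2.1 255.255.255.255 Serial0/0
ip route 192.0.2.2 255.255.255.255 Serial0/1
!
! The routing protocol over the tunnels is what gives the redundancy:
! the higher delay on Tunnel1 makes Tunnel0 the preferred path, and
! when the primary hub stops answering hellos EIGRP withdraws the
! Tunnel0 routes and the Tunnel1 routes take over.  Only the LAN and
! tunnel prefixes are advertised here; the clear-text interbranch
! traffic follows whatever routes the WAN already provides.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 no auto-summary
```

Two things worth checking before copying this pattern.  First, the traffic that must be encrypted (the tn3270 and DLSw sessions in John's case) is steered into the tunnels by routing, so the hub's DLSw peer and the mainframe addresses have to be reachable only through prefixes learned over the tunnels; anything routed over the plain WAN stays in the clear by design.  Second, the hub side needs one crypto map entry and one tunnel per branch (about 90 of each for John's network), which is exactly the per-peer load Dana is warning about.  Applying the crypto map on both the tunnel and the physical interface matches the IOS releases of the period; on later releases it is applied to the physical interface only, so check the release notes for the train you are running.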