Load Balancing VPN Servers

todd.williams
Level 1

I am looking for a product that can load balance point-to-point or branch office IPSEC tunnels. The topology would be small IPSEC boxes at remote sites building tunnels to a central site with 5 or 6 larger IPSEC boxes. The tunnels from the remote sites should be dynamically set up to any one of the central site VPN servers as directed by a load balancing appliance. Can the 11500 series or any other product provide this functionality?

4 Replies

Gilles Dufour
Cisco Employee

The 11500 is not a good product for this.

CSS is good for TCP and UDP but not IPSEC or any other IP protocols.

I would suggest IOS SLB on a 7200 or Cat6k.

IOS SLB is perfect for load balancing with no NATing involved.

If you need NATing, a CSM is the best choice, but you need the Cat6k because the CSM is a module that you insert in the Catalyst 6x00.

Regards,

Gilles.

Hi Gilles,

I read your reply and think this is quite interesting for a lot of customers. Thinking about this solution, I stumbled over several IPSec and routing issues which I would like to discuss.

First of all the IPSec issues I see:

In doing IOS SLB you need to have the destination VPN peer configured on every router used as endpoint (e.g. as loopback) to avoid problems with AH, right? The other possibility I could think of is to implement this via server NAT, so that you have a virtual IPSec endpoint and multiple real endings (each the physical interface IP of the real VPN router), with the problem that you are not allowed to use AH, but this isn't used very often.

Now my routing issue:

How do you ensure that packets destined to a certain location are routed to the correct VPN endpoint if you have a corporate network behind the server farm of VPN routers?

I hope I explained my questions clearly enough.

Regards,

Joerg
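Added example, not part of the thread or any poster's words: a small script that shows why Joerg's second option (server NAT in front of the VPN routers) rules out AH but not ESP. AH's integrity check value covers the IP header (with the mutable fields zeroed) including the destination address, so rewriting the VIP to a real server's address invalidates it; ESP's ICV covers only the ESP header, payload and trailer. The key, addresses, toy header layout and the omission of the AH header itself from the ICV input are all constructed assumptions for illustration.

```python
"""Added example (not from the thread): why server NAT breaks AH but leaves ESP intact.

AH's ICV (RFC 4302) is computed over the IP header with the mutable fields
(TOS, flags/fragment offset, TTL, checksum) zeroed, plus the AH header and
payload. The destination address is immutable, so a load balancer that
rewrites VIP -> real server (server NAT) invalidates the ICV. ESP's ICV
(RFC 4303) covers only the ESP header, payload and trailer, so the outer IP
header can be rewritten freely. Dispatched mode (rewrite only the next-hop
MAC) leaves the IP header alone, so both survive it. Key, addresses and the
header layout below are constructed for illustration; the AH header itself
is omitted from the toy ICV input for brevity.
"""
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"          # constructed; a real SA key comes from IKE
AH, ESP = 51, 50


def ipv4_header(src: str, dst: str, proto: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (checksum left as 0; NAT devices recompute it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0x1234, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def ah_icv_input(ip_hdr: bytes) -> bytes:
    """RFC 4302 3.3.3.1: zero the mutable fields; src/dst stay in the MAC input."""
    b = bytearray(ip_hdr)
    b[1] = 0                     # TOS / DSCP+ECN
    b[6:8] = b"\x00\x00"         # flags + fragment offset
    b[8] = 0                     # TTL
    b[10:12] = b"\x00\x00"       # header checksum
    return bytes(b)


def ah_icv(ip_hdr: bytes, payload: bytes) -> bytes:
    return hmac.new(KEY, ah_icv_input(ip_hdr) + payload, hashlib.sha256).digest()[:12]


def esp_icv(esp_body: bytes) -> bytes:
    """ESP authenticates SPI + sequence + ciphertext only; no IP header fields."""
    return hmac.new(KEY, esp_body, hashlib.sha256).digest()[:12]


def server_nat(ip_hdr: bytes, real_ip: str) -> bytes:
    """Load balancer in NAT mode: rewrite the destination address VIP -> real."""
    return ip_hdr[:16] + socket.inet_aton(real_ip)


def dispatched(ip_hdr: bytes) -> bytes:
    """Dispatched mode: only the L2 destination MAC changes; IP header untouched."""
    return ip_hdr


def router_hop(ip_hdr: bytes) -> bytes:
    """An ordinary L3 hop decrements TTL, a mutable field that AH tolerates."""
    b = bytearray(ip_hdr)
    b[8] -= 1
    return bytes(b)


def demo() -> dict:
    remote, vip, real = "198.51.100.7", "192.0.2.10", "10.1.1.2"   # constructed
    payload = b"tunnelled-data"
    ah_hdr = ipv4_header(remote, vip, AH)
    tag = ah_icv(ah_hdr, payload)
    esp_body = struct.pack("!II", 0x1001, 1) + b"ciphertext"       # SPI, seq, data
    esp_tag = esp_icv(esp_body)

    def check_ah(hdr: bytes) -> bool:
        return hmac.compare_digest(ah_icv(hdr, payload), tag)

    return {
        "ah_dispatched": check_ah(dispatched(ah_hdr)),
        "ah_after_router_hop": check_ah(router_hop(ah_hdr)),
        "ah_server_nat": check_ah(server_nat(ah_hdr, real)),
        # ESP: the outer header, NATed or not, is not part of the ICV input at all
        "esp_server_nat": hmac.compare_digest(esp_icv(esp_body), esp_tag),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'verifies' if ok else 'ICV FAIL'}")
```

The TTL case is included because it is the usual objection: a load balancer in the path does change the header, but only fields AH already treats as mutable; it is the address rewrite of server NAT that the receiving VPN router cannot reconcile.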

We have a specialist of this topic internally and I will forward him your questions.

My personal opinion is that if you don't do server NAT, then the devices need to be adjacent to the router so we can distinguish them based on the MAC address.

If you do NATing, first be aware you kill the performance of IOS SLB. NATing means all traffic that needs to be load balanced will be software switched.

Then NATing with IPSEC won't work with AH, as you said. I'll double check if there is no other restriction - what about IKE/ISAKMP?

I'll get back to you asap.

Gilles.
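Added example, not part of the thread and not Cisco's IOS SLB code: a toy IPsec-aware dispatcher that models what the two replies above turn on. IKE (UDP/500, and UDP/4500 for NAT-T) and ESP (IP protocol 50) from one remote peer have to reach the same real VPN server, since only the server that ran the IKE exchange holds the resulting SA; in dispatched mode the balancer rewrites only the next-hop MAC, so the reals must own the VIP and be L2-adjacent as Gilles says, whereas NAT mode rewrites the destination IP. It also sketches the return-path question from Joerg's post: the peer-to-real binding is the only place that knows which server terminates a given site. Addresses, MACs, flows and all class and method names are constructed.

```python
"""Added example (not from the thread, and not Cisco's IOS SLB code): a toy
IPsec-aware dispatcher.

1. Stickiness: IKE (UDP/500, plus UDP/4500 for NAT-T) and ESP (IP proto 50)
   from one remote peer must reach the same real VPN server, because only
   the server that ran the IKE exchange holds the resulting SA.
2. Forwarding mode: 'dispatched' rewrites only the next-hop MAC, so the
   reals must own the VIP (e.g. on a loopback) and be L2-adjacent;
   'nat' rewrites the destination IP to the chosen real.
3. Return path: the peer -> real binding is the only place that knows which
   server terminates a remote site, so the corporate side needs a route for
   that site's subnet pointing at that real.
Addresses, MACs and flows are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ESP, UDP = 50, 17
IKE_PORTS = {500, 4500}


@dataclass
class Real:
    ip: str
    mac: str
    alive: bool = True


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    dst_mac: str = "lb-mac"


@dataclass
class Dispatcher:
    vip: str
    reals: List[Real]
    mode: str = "dispatched"                              # or "nat"
    sticky: Dict[str, str] = field(default_factory=dict)  # peer IP -> real IP
    _rr: int = 0

    def is_ipsec(self, p: Packet) -> bool:
        return p.proto == ESP or (p.proto == UDP and p.dport in IKE_PORTS)

    def pick(self, peer: str) -> Real:
        """Sticky by peer address; fall back to round-robin over live reals."""
        bound = self.sticky.get(peer)
        real = next((r for r in self.reals if r.ip == bound and r.alive), None)
        if real is None:
            live = [r for r in self.reals if r.alive]
            if not live:
                raise RuntimeError("no live VPN servers")
            real = live[self._rr % len(live)]
            self._rr += 1
            self.sticky[peer] = real.ip   # a failed real means the peer re-runs IKE
        return real

    def forward(self, p: Packet) -> Optional[Packet]:
        if p.dst != self.vip or not self.is_ipsec(p):
            return None                                  # not load-balanced here
        real = self.pick(p.src)
        if self.mode == "nat":
            return Packet(p.src, real.ip, p.proto, p.dport, real.mac)
        return Packet(p.src, p.dst, p.proto, p.dport, real.mac)   # IP untouched

    def return_routes(self, site_subnets: Dict[str, str]) -> Dict[str, str]:
        """Map each remote site's subnet to the real that holds its tunnel."""
        return {subnet: self.sticky[peer]
                for peer, subnet in site_subnets.items() if peer in self.sticky}


def demo() -> dict:
    r1 = Real("10.1.1.1", "00:00:5e:00:53:01")
    r2 = Real("10.1.1.2", "00:00:5e:00:53:02")
    lb = Dispatcher(vip="192.0.2.10", reals=[r1, r2])
    a, b = "198.51.100.7", "203.0.113.9"                # constructed remote peers
    out = {
        "a_ike": lb.forward(Packet(a, lb.vip, UDP, 500)).dst_mac,
        "b_ike": lb.forward(Packet(b, lb.vip, UDP, 500)).dst_mac,
        "a_esp": lb.forward(Packet(a, lb.vip, ESP)).dst_mac,        # sticks to r1
        "a_natt": lb.forward(Packet(a, lb.vip, UDP, 4500)).dst_mac,
        "a_esp_dst": lb.forward(Packet(a, lb.vip, ESP)).dst,        # VIP kept
        "web": lb.forward(Packet(a, lb.vip, 6, 80)),                # not IPsec
        "routes": lb.return_routes({a: "10.10.0.0/24", b: "10.20.0.0/24"}),
    }
    lb.mode = "nat"
    out["a_esp_nat_dst"] = lb.forward(Packet(a, lb.vip, ESP)).dst  # rewritten
    r1.alive = False                                             # r1 dies
    out["a_ike_after_fail"] = lb.forward(Packet(a, lb.vip, UDP, 500)).dst
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The failover branch is the caveat worth noting: when a real dies the binding moves, the peer's existing SA is gone with the dead box, and any ESP that arrives before the peer renegotiates IKE is dropped by the new real because it has no SA for that SPI. The return-route table is the part a real deployment hands to reverse route injection or a routing protocol running over the tunnels; without it the corporate network has no way to send traffic for a remote site to the one VPN router that can encrypt it.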

Gilles, have you found any interesting checks about that topic?
