Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
263
Views
0
Helpful
2
Replies

almost 3000 IPSEC Tunnel

jsyed
Level 1
Level 1

‎01-15-2003 04:24 AM - edited ‎02-21-2020 12:16 PM

Hi,

We are planning to build our secured network based on IPSEC tunnel. We have user sites located throughout the country. The country is divided into 8 zone centers.

Here is the setup based on Cisco solutions.

The tunnel will starts from our user sites 2600 routers which will be installed in respective user sites location belonging to respective zone centers which are equipped with 3662 routers and 7513 zone center wan routers. Zone center wan routers are connected to head office wan routers 7513.

We would like to have follwoing setup.

2600(user sites)----3662(Zone)---7200(zone)--7513(Zone)---cloud---7513(Headoffice)---7200( head office).

Why we have to have 7200 layer one on zone center and one on head office.

Is there any solution on which we can start from 2600 and goes directly to 7200 or may be cat6500 in head office.

we are running OSPF with full redundancy on the hardware.

My questions is this:

1. by doing this we will be adding latency and delay ?

2. how IPSEC redundacny will work ?

3. what about teh performances

4. any issue or any flaw with this design or any other soultions.

Your help will be appreciated.

js

Labels:
0 Helpful
2 Replies 2

wong34539
Level 6
Level 6

‎01-21-2003 08:48 AM

I'm not sure that I fully appreciate all the issues that you have tried to conveyed. All the same, if you have multiple tunnels to multiple destnations originating at an interface, the performance is expected to be lower as compared to having a single tunnel endpoint. Multiple destinations would mean more work for your router in terms of IKE and IPSec SA negotiations, establishing keys and so on. However, I guess use of VAC's should provide the desired levels of performance.

0 Helpful

r-ta
Level 1
Level 1

‎01-22-2003 12:09 PM

Looking at the subject, assuming there will be 3000 user sites, consuming 3000 IPSec tunnels. If you were to connect the hq site directly to all user sites, the 7513/7200 couldn't really expected to terminate them all. Using star and spoke, each zone would handle 300-400 sites, a more reasonable number (still high to me). On using 7200 in several places, I think Cisco assigns the encryption/decryption functions to these specialized devices. They would be needed at both ends. Also, putting these 7200s there, local traffics within each zone would not go through the hq, unless needed, assuming there are a lot of traffic among sites.

1. Increase number of nodes always add latency and delays. However, there is no practical way to terminate 3000 user sites to one hq site, directly.

2. From one user site, you can create several IPSec tunnels to several different sites, for redundancy.

3. If each encrypt/decrypt device at each site (user site, zone, hq) comes with hardware, real-time encrypt/decrypt, then you normally will not see performance hits.

4. Trade off between performance and price, and practicality, the limit of ports on Cisco devices.

Roderick

0 Helpful
Customers Also Viewed These Support Documents