GRE based VPN with IPSec and OSPF design questions
I'm looking for help on the following issue:
I have a need to add new WAN links onto an existing insecure network linking untrusted sites. This is based on 7206 routers with OPSF, EIGRP and IPSec running over ATM and frame links, also firewalls seperate this network from the internal trusted cusomer sites.
The new links are ATM pvc's and are to pass traffic from internal sites, and will also use OSPF. However the OSPF networks running across these new links must not appear in the existing OSPF route tables, this would probably cause routing problems and must be avoided. Harware at both ends is 7200VXR with SA-VAM for encryption.
After reaseach into this I see 3 solutions:
Policy based routing, seemes simple at first but I ruled this out because I can see that this would give me problems with the route table.
VRF instances on the 7206, I have no experience of this at all and am not sure if I could run this with the existing network, all the documentation I read refers to MPLS, and BGP. I really want to keep the existing network as it is if possible.
GRE tunnels, seem to offer the solution, but I'm not sure of the performance. There will be 2 ATM pvc's with a PCR of 20Meg, and will be carrying a lot of traffic. GRE appears to be process switched, but some recent documents refer to CEF switching of GRE multipoint. Is the Std GRE CEF switched now as well. I will apply the IPSec using the SA-VAM card fitted in the 7204VXR routers.
I'm thinking of terminating the tunnel on an ethernet port connected to the secure internal network.
Re: GRE based VPN with IPSec and OSPF design questions
GRE and IPSec used together could result in degraded performance due to a phenomenon refered to as double fragmentation (which is nothing but fragmentation happening twice, once before GRE and once again after IPsec). This increses latency and lowers throughput. You should probably have a look at http://www.cisco.com/warp/public/105/pmtud_ipfrag.html#fifth.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :