New Member

cryptomaps

Hi

On my router, is it possible to create multiple site-to-site tunnels to different destinations? I gather you just create multiple cryptomaps and assign them to the outside interface?

Cheers

Accepted Solutions
Cisco Employee

Re: cryptomaps

Too many tunnel interfaces? A Cisco router should be able to handle that. How many spokes are involved?

Design-wise, you can proceed in many ways:

A) HUB does not need to initiate connections:

==================================

1- Leverage a tunnel type mGRE [on the hub], aka DMVPN. Then we have 1 multipoint tunnel interface.

2- Use DVTI [spoke] / DVTI [hub] with EZVPN

3- Use VTI on spokes + DVTI on hub with a routing protocol

B) HUB needs to initiate connections:

============================

Use tunnel protection, one tunnel per spoke.

5 REPLIES
New Member

Re: cryptomaps

I think crypto maps are an easy method of configuring, if there will be no multicast traffic between the sites, which would require VTI.

Cisco Employee

cryptomaps

Hello,

Crypto maps are the old way of configuring VPN. It's always a source of problems when ACLs are not symmetrically configured.

You should use tunnel protection [ipsec ipv4 or gre ip]. It's way simpler to configure / maintain.

Olivier.
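
The ACL symmetry problem mentioned in the reply above can be checked offline before a crypto map is deployed. This is an added example, not code from the thread or from Cisco: it parses two constructed IOS snippets and reports crypto ACL entries that have no mirrored (source/destination swapped) entry on the peer. The ACL names and addresses are assumptions, and only `permit ip` lines with `any`, `host A` or `A WILDCARD` address specs are handled.

```python
import ipaddress
import re

# Constructed sample configs (ACL names and addresses are assumptions).
HUB_CONFIG = """
ip access-list extended VPN-TO-SPOKE1
 permit ip 10.0.0.0 0.0.255.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.0.255.255 10.1.2.0 0.0.0.255
"""
SPOKE_CONFIG = """
ip access-list extended VPN-TO-HUB
 permit ip 10.1.1.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.1.2.0 0.0.0.255 10.0.0.0 0.0.0.255
"""

def _take(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = ipaddress.ip_address(tokens.pop(0))
    # A wildcard mask is the bitwise inverse of the netmask.
    netmask = ipaddress.ip_address(int(wildcard) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{first}/{netmask}", strict=False)

def crypto_acl(config, name):
    """Return the set of (source, destination) networks permitted by ACL `name`."""
    pairs, active = set(), False
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("ip access-list extended"):
            active = line.split()[-1] == name
            continue
        m = re.match(r"(?:\d+\s+)?permit ip (.+)", line)
        if active and m:
            tokens = m.group(1).split()
            pairs.add((_take(tokens), _take(tokens)))
    return pairs

def asymmetries(local, remote):
    """Entries with no mirrored counterpart, both expressed in local orientation."""
    mirrored = {(d, s) for s, d in remote}
    return {"local_only": local - mirrored, "remote_only": mirrored - local}

if __name__ == "__main__":
    print(asymmetries(crypto_acl(HUB_CONFIG, "VPN-TO-SPOKE1"),
                      crypto_acl(SPOKE_CONFIG, "VPN-TO-HUB")))
```

In the sample, the second spoke entry uses a /24 wildcard where the hub uses a /16, so both sides report one unmatched entry.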

New Member

cryptomaps

I also prefer the VTI; they are easier and support multicast, routing protocols, etc.

New Member

Re: cryptomaps

Just wondering: configuring site-to-site tunnels to different destinations, won't it create many tunnels on the router?
