Cisco Support Community
Community Member

GET VPN question

Hi, i got GET VPN deployment in progress, the problem here is that a limit exist in the configuration GET VPN group of 100 access list to define interesting traffic from the remote sites.

The best practice is summarize interesting traffic to reduce the entries and not exceed this limit.

In this case is not possible to summarize and 180 access list need to be configured.

Can i configure a second group to balance this 180 acls?

what can i do instead?




Re: GET VPN question

Unlike traditional IPsec encryption solutions, GET VPN uses the concept of group SA. All members in the GET VPN group can communicate with each other using a common encryption policy and a shared SA. With a common encryption policy and a shared SA, there is no need to negotiate IPsec between GMs; this reduces the resource load on the IPsec routers. Traditional GM scalability (number of tunnels and associated SA) does not apply to GET VPN GMs.

Note: In a GET VPN group, up to 100 ACL permit entries can be used to define interesting traffic for encryption. Each permit entry results in a pair of IPsec SAs; the maximum number of IPsec SAs in a group can not exceed 200.

It is a best practice to summarize interesting traffic to as few permit entries as possible, and to build symmetric policies. Unlike traditional IPSec policies, where source and destination address ranges must be uniquely defined, GET VPN is optimized when the source and destination address range are the same. This minimizes the number of policy permutations, making GET VPN very efficient.

CreatePlease to create content