Should I apply a single VPN Filter to multiple L2L VPNs, or should each VPN tunnel have their own VPN filter on an ASA?

I am currently trying to decide whether, when creating VPN filters, I should just create a single one and apply it to the multiple VPN tunnels, or whether each VPN tunnel should have its own VPN filter. Creating a VPN filter for every VPN tunnel seems like added work, but I'm not sure if it's the better choice. I have looked through documentation but they never mention applying VPN filters to multiple tunnels.

1 ACCEPTED SOLUTION

Hello Jork,

If you add one VPN filter for each tunnel group it will be more work, but at the same time you will have more control over the outside users attempting to connect to your network.

I would say that you will have different tunnel-groups (each of them will have its own functionality), so it depends on what you are attempting to implement.

If the people that will use X tunnel-group are the same as the ones that will use Y tunnel-group, then you can use the same one.

I hope I understood your question.

Regards.

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
3 REPLIES

Hi Julio,

I think I'm leaning towards creating a VPN filter for each IPsec L2L tunnel because I can name them to refer to what they are being used for. If I create a single VPN filter for all of the tunnels, it would be hard to keep track of what every single ACE is for.

Thanks!

Hello Jork,

That is correct, in fact that would be the best suggestion I could have provided you.

Is there something else I can do for you? If not, please mark the question as answered.

Have a wonderful day.

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
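
The per-tunnel approach discussed in this thread, as an added ASA configuration sketch that is not from any poster or from Cisco documentation: each L2L tunnel-group gets its own group-policy and its own named filter ACL with remarks. All peer addresses, subnets and names (VPNF-*, GP-*) are constructed placeholders.

```cisco
! Constructed example: peers, subnets and object names are placeholders.
!
! --- Tunnel 1: Partner A may reach one internal web server over HTTPS ---
access-list VPNF-PARTNER-A remark Partner A LAN to internal portal, HTTPS only
access-list VPNF-PARTNER-A extended permit tcp 192.168.10.0 255.255.255.0 host 10.1.1.20 eq 443
!
group-policy GP-PARTNER-A internal
group-policy GP-PARTNER-A attributes
 vpn-filter value VPNF-PARTNER-A
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy GP-PARTNER-A
!
! --- Tunnel 2: Branch B may reach the file server and ping its subnet ---
access-list VPNF-BRANCH-B remark Branch B LAN to file server, SMB
access-list VPNF-BRANCH-B extended permit tcp 192.168.20.0 255.255.255.0 host 10.1.2.30 eq 445
access-list VPNF-BRANCH-B remark Branch B LAN to server subnet, ICMP for monitoring
access-list VPNF-BRANCH-B extended permit icmp 192.168.20.0 255.255.255.0 10.1.2.0 255.255.255.0
!
group-policy GP-BRANCH-B internal
group-policy GP-BRANCH-B attributes
 vpn-filter value VPNF-BRANCH-B
!
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 general-attributes
 default-group-policy GP-BRANCH-B
!
! Anything not permitted above is dropped by the implicit deny at the end
! of each filter ACL. A shared filter would instead be one ACL referenced
! by a single group-policy that both tunnel-groups use as their default.
```

In a vpn-filter ACL the remote network goes in the source position and the local network in the destination position, whichever side initiates the traffic. An edited filter takes effect once the tunnel is re-established.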