I have a requirement to configure static crypto for 1800 sites, and I need to configure it on two separate interfaces at each spoke site, which means I need to configure 1800*2 = 3600 peers at the central site. The challenge I have is that, due to load balancing, dynamic crypto cannot be used for the traffic, since traffic may be initiated from the DC on the other link and may get dropped in case it is not encrypted.
Thanks Javier for the response. Please find the clarification.
Load balancing means I have 2 Service Providers (SPs) at each site, on which I am building the IPsec; load distribution between the 2 links is taken care of by the routing protocol. For each SP I am configuring a separate crypto map with redundancy at the central site.
At the central site I have two Cisco 7206 routers with VAM2.
I see. Is this crypto map solution already implemented? I cannot determine which network design would be best for you, since I am not familiar with all your internal policies and requirements, but I can make a suggestion.
Usually, I encourage people to use VTI or DMVPN since they are more scalable and easier to maintain than LAN-to-LAN tunnels with huge ACLs.
My idea is this:
Hub | Internet | Spoke
An IGP running across the tunnel interfaces (VTI) will make the routing decision for you, according to how you tune it.
You could use EIGRP to load-balance the traffic (equal cost at this point, since you only have two links):
So the router will keep both IPsec tunnels up, and traffic will flow across the tunnel interfaces following the EIGRP routing conditions.
On the other hand, if you want to go with the crypto map option, I would still suggest GRE/IPsec and do the same thing, but let's say that GRE will not be used.
Without any kind of routing protocol, load balancing will not be achieved at all. You can still have two routes pointing to two next hops to reach the same destination network, but this is not recommended and may not behave as expected.
In order to load balance traffic across two tunnels, I suggest:
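As an added illustration of the VTI plus EIGRP design described in this reply (this is not configuration from the original thread or from Cisco documentation), below is a hub-side and spoke-side IOS configuration for one spoke reached over both service providers. All addresses, interface names, the EIGRP AS number and the pre-shared key placeholders are assumptions chosen for the example (RFC 5737 documentation ranges for the SP-facing addresses); replace them with your own. Because each tunnel is a routed interface with `tunnel protection`, whatever the IGP sends into Tunnel1 or Tunnel2 is encrypted, so traffic initiated from the DC on either link is never sent in the clear, which is the concern raised in the question.

```cisco
! ===== Hub (one of the 7206 routers); example configuration, not from the original post =====
! One ISAKMP policy and one IPsec profile are shared by all spoke tunnels.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
! One pre-shared key per spoke peer address (two per spoke, one per SP).
! Avoid a single wildcard key ("address 0.0.0.0 0.0.0.0"): every spoke would then
! share one secret, and a compromised spoke could impersonate any other.
crypto isakmp key SPOKE1-SPA-KEY address 203.0.113.10
crypto isakmp key SPOKE1-SPB-KEY address 198.51.100.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
! Tunnel1 rides SP-A (Gi0/1), Tunnel2 rides SP-B (Gi0/2). Equal bandwidth/delay
! keeps the EIGRP metrics equal so both tunnels are installed as ECMP paths.
interface Tunnel1
 description VTI to Spoke1 via SP-A
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 description VTI to Spoke1 via SP-B
 ip address 10.255.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/2
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! EIGRP runs only on the tunnels and the DC LAN; SP-facing links stay passive.
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.1.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
!
! ===== Spoke1 (mirror image; SP-A on Gi0/0, SP-B on Gi0/1) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key SPOKE1-SPA-KEY address 192.0.2.1
crypto isakmp key SPOKE1-SPB-KEY address 192.0.2.129
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
!
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 192.0.2.129
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 10.2.0.0 0.0.255.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
```

Two checks worth doing after bringing this up: `show ip route eigrp` on the hub should list the spoke LAN with two next hops (one per tunnel), and `show crypto ipsec sa` should show encaps/decaps counters increasing on both SAs while traffic flows, confirming that the ECMP path over the second SP is being encrypted rather than bypassing IPsec. Scaling to 1800 spokes means 3600 tunnel interfaces on the hub side, so check the platform's supported tunnel count and the per-spoke keying approach (or the DMVPN alternative mentioned above) before committing to per-spoke VTIs.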