Summary


Geographic HA design considerations must be addressed to fully extend the Local HA concepts discussed in Chapter 6 to present a full IPsec HA solution. Regardless of how highly available an IPsec VPN's tunnel termination point is designed to be, the availability of the IPsec VPN can still be dramatically affected if the appropriate Geographic HA design considerations are not accounted for. In this chapter, we've reviewed several sound design alternatives for providing Geographic HA, including:

  • Reverse Route Injection with Multiple IPsec Peers

  • IPsec+GRE Tunnels with Multiple Crypto Map Process IDs

  • Dynamic Multipoint Virtual Private Networks

Although all of these Geographic HA options are sound in certain design scenarios, the paramount design driver that a network architect should address in the context of Geographic HA is the need to include IP multicast traffic in the crypto switching path. If IP multicast forwarding must be enabled in the crypto switching path, the design alternatives available for geographic HA quickly narrow to the IPsec+GRE alternatives. While RRI is still usable with GRE, it becomes substantially less desirable, because dynamic routing protocol updates (for example, RIP, EIGRP, or OSPF) can be exchanged across the GRE tunnel, effectively precluding the need for RRI.

Network architects should be aware that the GRE encapsulation required in IPsec+GRE tunnels does affect the forwarding path on the IPsec VPN gateway. If the GRE encap/decap operation is not done in the fast path on the VPN platforms in your design, the GRE encap/decap could introduce a bottleneck in the IPsec+GRE switching path, potentially diminishing the value of any hardware crypto accelerators available on the IPsec VPN platform. If IP multicast forwarding is not required in the crypto switching path, RRI could be used as an alternative to IPsec+GRE in this scenario, eliminating the need for GRE encap/decap and enabling network architects to take full advantage of the crypto hardware accelerators on their IPsec VPN gateways. The key takeaway when choosing between IPsec+GRE (including DMVPN) and RRI is a careful evaluation of the need for IP multicast forwarding: when IP multicast is not required in the crypto switching path, RRI-based geographic HA deserves careful consideration.

DMVPN is a form of IPsec+GRE that dramatically decreases the complexity of configuration and management in large-scale IPsec+GRE designs. Additionally, DMVPN can be configured such that spokes can be provisioned without any additional configuration on the hub. This is a very attractive feature of DMVPN, as it eliminates the possibility that a misconfiguration on the hub IPsec router during the addition of a new spoke disrupts communication with the spokes already included in the DMVPN. Additionally, because DMVPN does not require crypto map configuration (including crypto ACL and peer configuration), DMVPN spoke configuration can be deployed uniformly across different spokes, as shown in our DMVPN configuration examples relevant to the design topology of Figure 7-5.

IPsec Virtual Private Network Fundamentals
ISBN: 1587052075