
  • jerry311

    overlord

    reply to Hedgehanter's message #3212

    Weeell, at first glance it didn't impress me. :U
    Obviously everything has its advantages and disadvantages, and of course you have to configure for the given situation, so in our case, for now, I see the traditional washing powder as the better choice.

    Restrictions for IPsec Virtual Tunnel Interface

    IPsec Transform Set
    The IPsec transform set must be configured in tunnel mode only.

    IKE Security Association
    The Internet Key Exchange (IKE) security association (SA) is bound to the VTI. Because IKE SA is bound to the VTI, the same IKE SA cannot be used for a crypto map.

    IPsec SA Traffic Selectors
    Static VTIs support only a single IPsec SA that is attached to the VTI interface. The traffic selector for the IPsec SA is always "IP any any."
    A dynamic VTI also is a point-point interface that supports only a single IPsec SA, but the dynamic VTI is flexible in that it can accept the IPsec selectors that are proposed by the initiator.

    Proxy
    Static VTIs support only the "IP any any" proxy.
    Dynamic VTIs support only one proxy, which can be "IP any any" or any subset of it.

    QoS Traffic Shaping
    The shaped traffic is process switched.

    Stateful Failover
    IPsec stateful failover is not supported with IPsec VTIs.

    Tunnel Protection
    The shared keyword is not required and must not be configured when using the tunnel mode ipsec ipv4 command for IPsec IPv4 mode.

    Static VTIs Versus GRE Tunnels
    The IPsec VTI is limited to IP unicast and multicast traffic only, as opposed to GRE tunnels, which have a wider application for IPsec implementation.

    VRF-Aware IPsec Configuration
    In VRF-aware IPsec configurations with either static or dynamic VTIs (DVTIs), the VRF must not be configured in the Internet Security Association and Key Management Protocol (ISAKMP) profile. Instead, the VRF must be configured on the tunnel interface for static VTIs. For DVTIs, you must apply VRF to the virtual template using the ip vrf forwarding command.

    Benefits

    Simplifies management
    Customers can use the Cisco IOS® Software virtual tunnel constructs to configure an IPSec virtual tunnel interface, thus simplifying VPN configuration complexity, which translates into reduced costs because the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.

    Supports multicast encryption
    Customers can use the Cisco IOS Software IPSec VTIs to transfer the multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.

    Provides a routable interface
    Cisco IOS Software IPSec VTIs can support all types of IP routing protocols. Customers can use these VTI capabilities to connect larger office environments (for example, a branch office, complete with a private branch exchange (PBX) extension).

    Improves scaling
    IPSec VTIs need fewer established security associations to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.

    Offers flexibility in defining features
    An IPSec VTI is an encapsulation within its own interface. This offers flexibility of defining features to run on either the physical or the IPSec interface.
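
Added example, not part of the original post and not Cisco's code: a small Python lint that checks an IOS configuration against three of the restrictions quoted above (tunnel-mode transform set, no `shared` keyword with `tunnel mode ipsec ipv4`, no VRF in the ISAKMP profile). The sample configuration and all names in it (ISA-PROF, TS-BAD, VTI-PROF, CUST-A) are constructed for illustration.

```python
import re

# Constructed sample IOS config (not from the post); every name is made up.
SAMPLE = """\
crypto isakmp profile ISA-PROF
 vrf CUST-A
crypto ipsec transform-set TS-BAD esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VTI-PROF
 set transform-set TS-BAD
interface Tunnel0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF shared
"""

def sections(text):  # maps each top-level line to its indented sub-commands
    out, head = {}, None
    for line in text.splitlines():
        if line[:1].isspace() and line.strip() and head:
            out[head].append(line.strip())
        elif line.strip() and not line.startswith("!"):
            head = line.strip()
            out[head] = []
    return out

def lint_vti(text):  # checks three of the VTI restrictions quoted in the post
    cfg, findings, profiles = sections(text), [], set()
    has = lambda body, prefix: any(c.startswith(prefix) for c in body)
    for head, body in cfg.items():
        if head.startswith("interface ") and "tunnel mode ipsec ipv4" in body:
            for cmd in body:
                m = re.match(r"tunnel protection ipsec profile (\S+)( shared)?$", cmd)
                if m:
                    profiles.add(m.group(1))  # IPsec profile bound to a VTI
                if m and m.group(2):
                    findings.append(f"{head}: 'shared' must not be configured")
    used_sets = {name for p in profiles
                 for cmd in cfg.get(f"crypto ipsec profile {p}", [])
                 if cmd.startswith("set transform-set ") for name in cmd.split()[2:]}
    for head, body in cfg.items():
        parts = head.split() + [""] * 4  # pad so parts[3] always exists
        kind, name = " ".join(parts[:3]), parts[3]
        if (kind == "crypto ipsec transform-set" and name in used_sets
                and has(body, "mode transport")):
            findings.append(f"transform-set {name}: must be tunnel mode")
        if kind == "crypto isakmp profile" and profiles and has(body, "vrf "):
            findings.append(f"isakmp profile {name}: configure VRF on the tunnel")
    return findings

print(*lint_vti(SAMPLE), sep="\n")
```

Only transform sets referenced by an IPsec profile that is applied to a VTI are checked, so transport-mode sets used elsewhere (for example with GRE) are not flagged.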
