IP Addressing
Proper IP addressing is as critical to a successful VPN as it is to any large IP network. To maintain scalability, performance, and manageability, it is highly recommended that remote sites use a subnet of the major network so that their addresses can be summarized. This way, the cryptographic ACLs contain a single line for every local network, or possibly a single entry if the local networks are themselves summarizable. For example, the remote-site network 10.1.1.0/24 is summarizable into the major network 10.0.0.0/8. If any host on the 10.1.1.0/24 subnet needs to connect to any other subnet in the 10.0.0.0 network via the headend, a single ACL entry will suffice. If the remote networks cannot be summarized into a major network, an ACL entry is required at the remote site for every local-network-to-remote-network pair. Increasing the number of ACL entries slows performance, complicates troubleshooting, and hinders scalability, because ACL changes are constantly required at remote sites to keep up with new networks available at the headend. Each ACL entry builds a separate tunnel (two IPSec SAs). Proper subnetting also simplifies the headend router configuration needed to enable spoke-to-spoke intercommunication and requires fewer tunnels on all devices to classify traffic flows. IP addressing also affects many other facets of VPNs, including remote management connections and overlapping networks.
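The following added example (not from the original post) models the argument above: it builds the crypto ACL a remote site needs for a constructed addressing plan, with and without a summarizable headend, and counts the resulting entries and IPSec SAs using the post's two-SAs-per-entry rule. All prefixes, the `SAS_PER_ENTRY` constant and the helper names are assumptions made for the example.

```python
"""Crypto-ACL sizing for an IPSec remote site (added example, not from the post).

When every headend network lies inside one major network, the remote site's
crypto ACL needs a single line per local network; otherwise it needs one line
per local-to-headend pair, and each line builds its own tunnel (two IPSec SAs).
All addresses below are constructed for illustration.
"""
from ipaddress import IPv4Network
from typing import List, Optional, Sequence

SAS_PER_ENTRY = 2  # one inbound and one outbound IPSec SA per ACL entry (per the post)


def wildcard(net: IPv4Network) -> str:
    """Render a prefix in the 'network wildcard' form used by extended ACLs."""
    return f"{net.network_address} {net.hostmask}"


def summarize(nets: Sequence[IPv4Network], major: Optional[IPv4Network]) -> List[IPv4Network]:
    """Collapse nets to `major` only when every one of them lies inside it."""
    if major is not None and nets and all(n.subnet_of(major) for n in nets):
        return [major]
    return list(nets)


def crypto_acl(local: Sequence[IPv4Network], headend: Sequence[IPv4Network],
               headend_major: Optional[IPv4Network] = None) -> List[str]:
    """Return the 'permit ip' lines a remote site needs to reach the headend networks."""
    remote = summarize(headend, headend_major)
    return [f"permit ip {wildcard(l)} {wildcard(r)}" for l in local for r in remote]


def sa_count(acl: Sequence[str]) -> int:
    """Number of IPSec SAs the ACL will build: two per entry, as the post states."""
    return len(acl) * SAS_PER_ENTRY


# Constructed addressing plan: the post's 10.1.1.0/24 site plus a second LAN.
LOCAL = [IPv4Network("10.1.1.0/24"), IPv4Network("10.1.2.0/24")]
HEADEND = [IPv4Network("10.2.0.0/16"), IPv4Network("10.3.0.0/16"), IPv4Network("10.4.0.0/16")]
MAJOR = IPv4Network("10.0.0.0/8")
# A single headend network outside the major network defeats summarization.
HEADEND_MIXED = HEADEND + [IPv4Network("192.168.100.0/24")]

if __name__ == "__main__":
    for label, nets in (("summarizable", HEADEND), ("not summarizable", HEADEND_MIXED)):
        acl = crypto_acl(LOCAL, nets, MAJOR)
        print(f"{label}: {len(acl)} ACL entries -> {sa_count(acl)} IPSec SAs")
        for line in acl:
            print("  " + line)
```

With the summarizable plan the two local networks need two entries (four SAs); adding one headend network outside 10.0.0.0/8 forces the per-pair ACL of eight entries and sixteen SAs.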