From: Jay Hennigan (jay@west.net)
Date: Fri Mar 28 2003 - 15:48:31 GMT-3

On Fri, 28 Mar 2003, Tim Fletcher wrote:
> I would not put it on both because of the additional overhead. There's no
> reason to encrypt it twice. My preference would be on the egress interface,
> but I can't think of any reason why it couldn't be on the tunnel interface.
> However, I usually don't even bother with tunnel interfaces when I'm doing
> IPSEC.

It needs to be on the egress interface. If there are multiple possible
egress interfaces (dynamic routing), on all of them. Specify the tunnel
endpoints with protocol GRE in the access list. If you use tunnel
interfaces, you don't need (or want) to apply the map to the tunnel itself.
You'll need to bother with the tunnel interfaces if you're encrypting
another protocol such as IPX.

--
Jay Hennigan - CCIE #7880 - Network Administration - jay@west.net
NetLojix Communications, Inc. - http://www.netlojix.com/
WestNet: Connecting you to the planet. 805 884-6323
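
Added example, not part of the original message: a Cisco IOS configuration sketch of the arrangement described in the reply above, with the crypto map applied to the egress interface only and the access list matching GRE between the tunnel endpoints. All addresses, interface names, the map and transform-set names, the IKE policy values and the key are constructed placeholders.

```cisco
! Constructed example: every address, name and the key is a placeholder.
! Local tunnel endpoint 192.0.2.1, remote tunnel endpoint 198.51.100.1.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
!
! Interesting traffic: only GRE between the two tunnel endpoints.
! Everything routed into Tunnel0 is GRE-encapsulated first, so it
! matches this entry when it leaves through the egress interface.
access-list 101 permit gre host 192.0.2.1 host 198.51.100.1
!
crypto map GRE-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set GRE-TS
 match address 101
!
! Tunnel interface: carries the inner traffic, no crypto map applied.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 198.51.100.1
!
! Egress interface: the crypto map is applied here.
! With several possible egress interfaces (dynamic routing),
! the same map is applied to each of them.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map GRE-MAP
```

On the router, `show crypto ipsec sa` lists the security association for the GRE access-list entry, and its encapsulation and decapsulation counters should rise as traffic crosses the tunnel.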
This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:46 GMT-3