networker050184 wrote: If you are using the VTI you only need a crypto policy applied to the tunnel interface. No crypto maps needed as all traffic traversing the tunnel will be encrypted.
kpjungle wrote: networker050184 wrote: If you are using the VTI you only need a crypto policy applied to the tunnel interface. No crypto maps needed as all traffic traversing the tunnel will be encrypted.
True, but why, when you use a map, do you need it on both the VTI and the physical interface? That's what eludes me, I think.
gojericho0 wrote: I think the beauty of the VTI is you do not even need a crypto-map (you create an IPsec policy to match your transform-set). It makes configuration quite simple, allows for dynamic routing, and you do not have the GRE overhead. You just have to make sure when configuring the tunnel interface you use ipv4 tunnel protection for your lab http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html EDIT: Also note the IPsec profile; this takes the place of your crypto map. No match clauses are used because your end points are defined in the tunnel and everything is encrypted. So basically all you have to set is your transform set.
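The contrast described in the post above, as an added example that is not part of the original thread: a crypto-map configuration next to the equivalent static VTI. The names, interface identifiers, addresses (documentation ranges) and the key placeholder are all assumptions made for illustration.

```cisco
! Shared by both variants: IKE phase 1 and the transform set
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PLACEHOLDER-PSK> address 192.0.2.2
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Variant A: crypto map. Peer and interesting traffic are spelled out,
! and the map is bound to the physical egress interface.
access-list 110 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address 110
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CMAP
!
! Variant B: static VTI. The IPsec profile takes the place of the map:
! no "set peer" and no "match address", because the endpoints come from
! tunnel source/destination and everything entering the tunnel is encrypted.
crypto ipsec profile VTI-PROF
 set transform-set TS
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! With the VTI, routing selects what is protected (static route shown;
! a dynamic routing protocol over Tunnel0 works the same way).
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

With the VTI, only traffic that routing sends into Tunnel0 is encrypted, so a missing or withdrawn route lets that traffic follow another path unprotected. `show crypto ipsec sa` on the VTI side lists the SA under Tunnel0 with any-to-any proxy identities, which is a quick check that the profile rather than a map is in effect.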
gojericho0 wrote: The VTIs are fairly new and I would use them unless another device you are tunneling to does not support them. They are not tested in the ISCW, but it's still good to know. That's part of the reason it's taking me so long to study mine. I keep going off on tangents just to see alternatives and evaluate what is best for various solutions. Here is another good link if you are interested: http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf It's out of scope of the exam, but gives you the pros/cons of each IPsec solution and when you might want to use them.