Cisco CCDE Written Exam: Redesigning Network VPN Headend Devices to Prevent Future Shutdowns


Question

A network administrator is in charge of multiple IPsec VPN headend devices that service thousands of point-to-point IPsec/GRE tunnels used for remote connectivity.

During a recent power outage, the backup power supply in one of those headend devices was found to be faulty, and that headend router suffered a complete shutdown.

When the router was successfully recovered, remote users found intermittent connectivity issues that went away after several hours.

Network operations staff accessed the headend devices and found that the recently recovered unit was near 100% CPU for a long period of time.

How would you redesign the network VPN headend devices to prevent this from happening again in the future?

Answers

Explanations


B.

To prevent a similar event from happening in the future, the network administrator should consider the following redesign options:

A. Move the tunnels more evenly across the headend devices:

This option suggests redistributing the existing tunnels more evenly across multiple headend devices. This approach helps distribute the traffic load and avoids overwhelming any single device. However, it requires additional resources and configuration changes on the part of the administrator. If the organization is expanding or expecting more remote connectivity, it is a good long-term solution.

B. Implement Call Admission Control:

Call Admission Control (CAC) is a network mechanism used to regulate the admission of new calls or connections to a network resource based on available resources. It is a bandwidth management technique that ensures quality of service (QoS) by prioritizing critical traffic over non-critical traffic. By implementing CAC in the VPN headend devices, the administrator can limit the maximum number of simultaneous tunnels and restrict the amount of bandwidth each tunnel can consume. This helps prevent overload situations in the headend devices. In this scenario, the prolonged 100% CPU after recovery is the result of thousands of remote peers attempting to renegotiate their tunnels with the headend at the same time; CAC bounds how many of those negotiations the headend accepts concurrently, so the device recovers gracefully instead of starving routing and forwarding processes.

C. Use the scheduler allocate command to curb CPU usage:

The scheduler allocate command allows the administrator to allocate CPU resources for specific processes, such as VPN or routing protocols. By configuring this command, the administrator can control the CPU resources used by VPN processes and prevent them from monopolizing the device's resources. This option is ideal for situations where the administrator wants to ensure that critical processes receive adequate resources.
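The following Cisco IOS configuration fragment is an added illustration of options B and C and is not part of the original exam explanation. It assumes an IOS-based headend; the numeric limits are illustrative sizing values, not recommended settings, and should be derived from the platform's rated tunnel capacity and measured CPU under normal load.

```cisco
! Added example (not from the original page): IKE Call Admission Control
! and process scheduler tuning on an IOS IPsec headend. Numbers are
! assumed sizing values for illustration only.
!
! --- Option B: IKE Call Admission Control ---
! Bound the number of IKE SAs that may be in negotiation at the same time.
! After a reboot, thousands of spokes retry at once; only this many
! Diffie-Hellman/authentication exchanges run concurrently and the rest
! are rejected and retry on their own timers instead of pinning the CPU.
crypto call admission limit ike in-negotiation-sa 40
!
! Cap the total number of established IKE SAs this headend will hold
! (assumed: this platform is sized for roughly 2000 tunnels).
crypto call admission limit ike sa 2000
!
! --- Option C: process scheduler tuning ---
! Spend at most 20000 microseconds in interrupt context (fast switching),
! then guarantee at least 1000 microseconds at process level so that IKE,
! routing protocols and management keep running while forwarding is busy.
scheduler allocate 20000 1000
!
! Verification after a recovery event:
!   show crypto call admission statistics   -> accepted/rejected IKE requests
!   show processes cpu sorted               -> confirm no process is pinned
```

Option A (rebalancing tunnels) and option D (DMVPN) are design changes rather than per-device commands, so they are not shown here; the two settings above are what an operator would apply directly to the recovered headend.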

D. Change the tunnels to DMVPN:

Dynamic Multipoint VPN (DMVPN) is a scalable VPN solution that uses a hub-and-spoke topology. It allows for the creation of multiple VPN tunnels using a single hub device, which reduces the number of tunnels that individual headend devices need to manage. DMVPN provides benefits such as improved scalability, reduced configuration complexity, and simplified VPN management. This option is ideal for organizations with a large number of remote sites to connect.

In conclusion, the best option to prevent similar events from happening again in the future depends on the specific needs of the organization. The network administrator should consider the long-term needs, available resources, and potential trade-offs when choosing a solution. Options such as implementing Call Admission Control, using the scheduler allocate command, or changing the tunnels to DMVPN can all be effective, depending on the organization's specific needs.