[c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf

Szilard Csordas szilard.csordas at gmail.com
Fri Mar 9 01:57:14 EST 2007


Hello Ge Moua,

Thanks for the info and for the drawing.
We would like to use GRE with dynamic routing because we have lots of
networks to be advertised.

Maybe it would be nicer to have 7200 for terminating the IPSec but
unfortunately we already have the hardware and it would be hard to
push it through the management.
This is why I was asking if the 6500+vpnsm can build up 2 tunnels
and route between them over the firewall if they are in different
VRFs.

Regards,
Szilard



On 3/8/07, Ge Moua <moua0100 at umn.edu> wrote:
> Szilard-
> This is what I'm thinking for your situation:
> - substitute the 7200 for your VPN SPA (we also initially considered using
> this as well)
> - FWSM is in transparent mode (layer 2) running 3.1(4)
> - Cat6k/Sup720 running: 12.2(18)SXF5
> - be sure to use vrf-aware IPSec (config very different from "plain" non-vrf
> IPSec)
> - we are also doing VRF lite on the 7200 to be able to use RRI
> (reverse-route injection) so that static routes (for the nets behind far
> side VPN gateway) are created on the fly (I like this because this mitigates
> routing configuration with VPN); other options could be to use dynamic
> routing over GRE or just static routes
>
> Hopefully the drawing was helpful.  Good luck.
>
> :-)
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
> 2218 University Ave SE | Minneapolis, MN 55414-3029
>
> -----Original Message-----
> From: gmredmond at gmail.com [mailto:gmredmond at gmail.com] On Behalf Of Szilard
> Csordas
> Sent: Thursday, March 08, 2007 2:09 PM
> To: Ge Moua
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf
>
> Nice drawing, thanks.
>
> Additionally we want to move the VPN stuff to the 65k boxes as well, and you
> solved it with 7200. I suppose the dotted red line is the IPSec traffic,
> terminated on the 7200 and the green part is unencrypted.
> May I ask you what IOS and FWSM software are you using?
>
> thx,
> Szilard
>
>
> On 3/8/07, Ge Moua <moua0100 at umn.edu> wrote:
> > We are doing very similar to what you described for your situation.
> > See attached file.
> >
> >
> >
> > :-)
> > Regards,
> > Ge Moua | Email: moua0100 at umn.edu
> >
> > Network Design Engineer
> > University of Minnesota | Networking & Telecommunications Services
> > 2218 University Ave SE | Minneapolis, MN 55414-3029
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Szilard
> > Csordas
> > Sent: Thursday, March 08, 2007 12:20 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Design - gre+ipsec+vpnsm+fwsm+vrf
> >
> > Hello,
> >
> > We are in a quite complex situation and as always we don't have a real
> > lab to test it.
> > We did the design on paper but I am not sure if it works.
> >
> > 65k, sup720+FW+vpn spa. Let's say it has 2 sides, left and the right.
> > If I terminate a GRE+IPSec tunnel (tunnel protection) on the right
> > side, I want the traffic to flow through the firewall module (routed
> > or transparent) and to push that traffic into the other GRE+IPsec tunnel
> > on the left side.
> > Is that possible with one box or do I have to split the functions to
> > more devices?
> >
> > To complicate matters further, what happens if I want those Tunnel
> > interfaces to be in VRFs (no mpls)?
> >
> > Any advice is appreciated.
> >
> > thanks,
> > Szilard
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
>
>
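An added example, not configuration posted by either participant, sketching the design discussed above: two GRE tunnels with tunnel protection, each in its own VRF, with a transparent FWSM bridging the two VLANs that join the VRFs so that it is the only path between them. VRF names, addresses, VLAN numbers, the tunnel source interface and the pre-shared keys are constructed placeholders; the FWSM vlan-group assignment and the per-VRF dynamic routing over the tunnels are left out.

```cisco
! Added example (not from the thread); VRF names, addresses and keys are constructed.
ip vrf LEFT
ip vrf RIGHT
! Tunnel endpoints stay in the global table (no front-door VRF), so one keyring
! and one ISAKMP profile serve both peers.
crypto keyring KR-PEERS
 pre-shared-key address 198.51.100.2 key PLACEHOLDER-PSK-LEFT
 pre-shared-key address 203.0.113.2 key PLACEHOLDER-PSK-RIGHT
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! The inside VRF (IVRF) of each SA is taken from the tunnel interface's
! "ip vrf forwarding", so the profile needs no "vrf" line.
crypto isakmp profile IKE-PEERS
 keyring KR-PEERS
 match identity address 198.51.100.2 255.255.255.255
 match identity address 203.0.113.2 255.255.255.255
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile PROT-GRE
 set transform-set TS-AES
 set isakmp-profile IKE-PEERS
! Left-side and right-side GRE tunnels, each in its own VRF. (A VPN SPA in VRF
! mode also needs "crypto engine mode vrf" plus a per-tunnel "crypto engine
! slot" binding; assumed from the platform docs, verify for your release.)
interface Tunnel1
 ip vrf forwarding LEFT
 ip address 10.255.1.1 255.255.255.252
 tunnel source GigabitEthernet1/1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile PROT-GRE
interface Tunnel2
 ip vrf forwarding RIGHT
 ip address 10.255.2.1 255.255.255.252
 tunnel source GigabitEthernet1/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile PROT-GRE
! LEFT<->RIGHT transit: one SVI per VRF on a shared subnet, the two VLANs
! bridged by the transparent FWSM. No route leaking between the VRFs, so every
! packet leaving Tunnel1 for Tunnel2 must cross the firewall.
interface Vlan101
 ip vrf forwarding LEFT
 ip address 10.0.0.1 255.255.255.0
interface Vlan102
 ip vrf forwarding RIGHT
 ip address 10.0.0.2 255.255.255.0
! Cross-VRF next-hops point at the peer SVI (per-VRF dynamic routing over the tunnels can replace these).
ip route vrf LEFT 10.20.0.0 255.255.0.0 10.0.0.2
ip route vrf RIGHT 10.10.0.0 255.255.0.0 10.0.0.1
```

Because the only connection between the two VRFs is the SVI pair behind the FWSM, a misconfigured or missing firewall policy fails closed rather than leaking traffic directly from one tunnel to the other.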

