[c-nsp] highly available ipsec vpn

Jeff Orr jeffborr at gmail.com
Thu Feb 8 18:13:49 EST 2018


We use HA VPN (HSRP) for our IPSEC based business partners. It has worked
well for years, but I’m only partly happy.

We have built our data centers to be as independent as possible. Minimal
OTV, routed mainframe, separate internal and external IP space. However,
with HA VPN, I have to have L2 stretch & advertise the specific /24 out of
both DCs.

The main benefit is our partners only set up one tunnel and neither side has
to worry about DR. Internally we use RRI into our IGP to steer traffic to
the proper router.

On Thu, Feb 8, 2018 at 5:34 PM harbor235 <harbor235 at gmail.com> wrote:

> I am looking to implement a highly available IPSEC route based VPN.
> Traditionally I would bring up multiple tunnels with multiple BGP peers in
> a dual router setup.
>
> IPSEC HSRP design appears to be the flavor of the day, failover times
> appear to be lengthy compared to failover times via BGP. Is anyone using
> the HSRP HA setup? Are your experiences good or bad? Has the BGP route
> based IPSEC VPN design fallen from grace?
>
>
> Mike
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

