[c-nsp] PIX VPN Mesh w/ OSPF

Rodney Dunn rodunn at cisco.com
Tue Jan 11 14:12:55 EST 2005


I like Jim's approach to keep it simple.

If your number of locations is small and isn't
going to grow much then just statically build
a full GRE mesh using the transit IP addresses
on the serial links to the ISP.
By doing it this way and not including the
serial IP addresses in your EIGRP process you
don't have to worry about recursive routing
issues. Make the BW and delay on all the
tunnels the same and the routing will take
care of itself.

If the IP addresses for locations were dynamic
you could consider some DMVPN layout.

Rodney


On Tue, Jan 11, 2005 at 01:32:35PM -0500, Jim McBurnett wrote:
> Dave,
> Do you have an internal router at each site?
> If you do use EIGRP on those routers and GRE tunnels.
> The EIGRP will pass traffic over the GRE and then dynamically route the
> data based on the VPN delay.
> This will be totally independent of the ISP status...
> I think I would use 2811 or 2801 VPN routers....
> 2801 would be cheaper than the PIX anyway.. And give you other
> functions.....
> 
> 
> Jim
> 
> -----Original Message-----
> From: Dave Breiland [mailto:superdave at dynamicis.com] 
> Sent: Tuesday, January 11, 2005 12:56 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX VPN Mesh w/ OSPF
> 
> I want to make sure I'm on the right track and haven't set myself up for
> failure...
> I have 4 offices around the US.  Each site has a different ISP... 
> connected with a T1.  My plan was to have a PIX-515 at each site.  I
> would use the PIXes to create VPNs between each and every site.  My
> guess is that there will be times that the ISPs will have routing issues
> between each other.  To get around this, I would think that...
> -Route between Site A and Site B fails
> -Site B re-routes data to Site C which still has VPN to Site A.
> Presumably this would require EIGRP or OSPF.  Unfortunately it looks
> like the PIX only supports OSPF. 
> Is this the right direction/steps I should be taking?
> Am I just overcomplicating things?
> Has anyone had success with OSPF and the PIXes?
> 
> Thanks for any input.
> 
> Dave
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
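The static full GRE mesh Rodney describes, as an added example that is not part of the original thread: a Python generator that emits IOS-style tunnel and EIGRP configuration for four sites and refuses any EIGRP network statement that would cover a serial (transit) address, which is the recursive-routing guard he mentions. All addresses, the tunnel pool, the EIGRP AS number and the bandwidth/delay values are constructed assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the thread); serial IPs use documentation ranges.
SITES = {
    "A": {"serial": "192.0.2.1", "lan": "10.1.0.0/24"},
    "B": {"serial": "198.51.100.1", "lan": "10.2.0.0/24"},
    "C": {"serial": "203.0.113.1", "lan": "10.3.0.0/24"},
    "D": {"serial": "192.0.2.129", "lan": "10.4.0.0/24"},
}
TUNNEL_POOL = ipaddress.ip_network("172.16.0.0/24")  # assumed, cut into /30s
BW_KBPS, DELAY, EIGRP_AS = 1544, 5000, 100  # assumed; same on every tunnel

def build_mesh(sites):
    """One GRE tunnel per site pair, endpoints on the serial addresses."""
    mesh = {name: [] for name in sites}
    pairs = combinations(sorted(sites), 2)
    for (a, b), net in zip(pairs, TUNNEL_POOL.subnets(new_prefix=30)):
        ip_a, ip_b = net.hosts()
        mesh[a].append({"peer": b, "ip": ip_a, "net": net, "dst": sites[b]["serial"]})
        mesh[b].append({"peer": a, "ip": ip_b, "net": net, "dst": sites[a]["serial"]})
    return mesh

def eigrp_networks(name, sites, mesh):
    """LAN and tunnel subnets only; refuse any that covers a serial address."""
    nets = [ipaddress.ip_network(sites[name]["lan"])] + [t["net"] for t in mesh[name]]
    for n in nets:
        for s in sites.values():
            if ipaddress.ip_address(s["serial"]) in n:
                raise ValueError(f"{n} covers transit address {s['serial']}")
    return nets

def render(name, sites, mesh):
    lines = []
    for i, t in enumerate(mesh[name]):
        lines += [f"interface Tunnel{i}",
                  f" description GRE to site {t['peer']}",
                  f" ip address {t['ip']} {t['net'].netmask}",
                  f" bandwidth {BW_KBPS}",
                  f" delay {DELAY}",
                  f" tunnel source {sites[name]['serial']}",
                  f" tunnel destination {t['dst']}", "!"]
    lines.append(f"router eigrp {EIGRP_AS}")
    for n in eigrp_networks(name, sites, mesh):
        lines.append(f" network {n.network_address} {n.hostmask}")
    return "\n".join(lines + [" no auto-summary"])

if __name__ == "__main__":
    print(render("A", SITES, build_mesh(SITES)))
```

Four sites give six tunnels, three per router; because every tunnel carries the same bandwidth and delay, EIGRP sees equal metrics on all direct paths and falls back to a two-hop path through a third site when one tunnel drops.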

