[c-nsp] What product for a VPN Gateway/backend network

Kaj Niemi kajtzu at basen.net
Tue Mar 4 17:52:14 EST 2008


Hi,


I would imagine that using a WS-SVC-WEBVPN-K9 for management  
connectivity is not really cost effective. That said it should work  
most of the time. :) It kind of depends on how much traffic you expect  
to have. Typically for occasional management connectivity it would not  
be that much. Remember, one ASA 5510 (or two for F/O) is a pretty  
powerful box, too, and will handle WebVPN, SSL VPN Client (SVC) and  
IPSec L2L or RA clients fine. As far as I know PIXes do not do WebVPN/ 
SVC at all.

If you want to prevent the servers from seeing each other, you most
likely want to set the access ports as isolated (PVLAN) on the access
switches. You would most likely need to set the downlink access switch
ports on the 6500(s) to isolated as well, otherwise it would be
possible to send traffic from behind one access switch to a device
behind another access switch through the 6500(s). As always YMMV.



Kaj

On Mar 4, 2008, at 15:45, Drew Weaver wrote:

> assign it a private IP address and have the functionality of secure  
> management (rather than users running SSH/RDP over the public  
> internet..yikes) So far we've come up with 3 options for the VPN  
> solution but we're not sure which would fit our goals the best.
>
> The L3 switch for the private network will be a 6500, so the VPN  
> services cards (WebVPN, etc) are interesting to us, does anyone have  
> any experience with WebVPN they'd like to share? We're obviously  
> evaluating using a PIX/ASA for the VPN gateway.
> And due to a long standing relationship with WatchGuard we are also  
> considering one of their 'Peak' Products.
>
> Also, as we have 5 different datacenter "areas" in our main  
> facility, we are thinking about using multiple smaller 48 port  
> switches in each area and then simply aggregating them back to the  
> 6500, I'm guessing that since we definitely wouldn't want the  
> servers to see each other (netbios, etc) in the private network we  
> would want to create VLANs on the 6500 and then tag them for the 48  
> port switches to handle the access?
>
> Any advice anyone can offer based upon experience is greatly  
> appreciated.




HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000
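As an added illustration of the isolated-port (PVLAN) setup Kaj describes above, not configuration from the thread or from Cisco documentation: the same primary/isolated pair is defined on the access switch and on the 6500 so the isolated tag survives the trunk, and the only promiscuous point is the 6500 SVI. VLAN numbers, interface names, the address and the platform (Catalyst with PVLAN support, VTP transparent) are assumptions.

```ios
! --- Access switch (assumed platform with PVLAN support) ---
vtp mode transparent
!
vlan 100
 name MGMT-PRIMARY
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name MGMT-ISOLATED
 private-vlan isolated
!
! Server-facing ports: isolated hosts can reach promiscuous ports only,
! never each other, so NetBIOS and similar chatter between servers is blocked.
interface range GigabitEthernet0/1 - 47
 description server management port (assumed range)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
! Uplink to the 6500: an ordinary 802.1Q trunk. The isolated VLAN tag is
! carried across it, so the 6500 still sees these frames as isolated.
interface GigabitEthernet0/48
 description uplink to 6500
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! --- 6500: the identical primary/isolated pair must exist here too ---
vtp mode transparent
vlan 100
 private-vlan primary
 private-vlan association 101
vlan 101
 private-vlan isolated
!
! The SVI is the only promiscuous point, so traffic from one access switch
! is routed (and can be filtered) rather than bridged to servers behind another.
interface Vlan100
 description management network gateway (assumed address)
 ip address 10.255.0.1 255.255.0.0
 private-vlan mapping 101
!
interface GigabitEthernet1/1
 description downlink to access switch, area 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101
```

Hosts in the isolated VLAN reach the VPN gateway through the SVI; leave `ip local-proxy-arp` off on Vlan100, otherwise the 6500 will answer ARP on the servers' behalf and route between the isolated servers anyway.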