[c-nsp] cisco-nsp Digest, Vol 64, Issue 84

Brian Stiff (bstiff) bstiff at cisco.com
Fri Mar 21 16:17:26 EDT 2008


Hi Rupert-


You said:

"I'm going to put 1801w routers in each store, as they're perfectly tailored
to the needs of a small-ish retail location, and run DMVPN to handle the
spoke-to-spoke VoIP traffic. What I'm still trying to decide on is what to
put at the head-office hub end. I need something to concentrate the VPN
tunnels, and to terminate an SDSL line, and so am thinking either an ASA 5510
with a 1803 router, or just a 2800 series router. At present we've got
something to terminate "road-warrior" clients and so that isn't a
consideration."

If you're going to use DMVPN for spoke-to-spoke traffic, you'll need a
router to run as a hub for the DMVPN, as the ASA doesn't presently support
DMVPN.

How much spoke-to-spoke traffic will your network carry, as compared to
spoke-to-hub?  Also, how much aggregate crypto traffic will the hub see?

Regards,
Brian


Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw


From: "Rupert Finnigan" <rupert.finnigan at googlemail.com>

I'm going to put 1801w routers in each store, as they're perfectly tailored
to the needs of a small-ish retail location, and run DMVPN to handle the
spoke-to-spoke VoIP traffic. What I'm still trying to decide on is what to
put at the head-office hub end. I need something to concentrate the VPN
tunnels, and to terminate an SDSL line, and so am thinking either an ASA 5510
with a 1803 router, or just a 2800 series router. At present we've got
something to terminate "road-warrior" clients and so that isn't a
consideration.

Just interested in various options/comments or any pointers anyone can
offer.

Thanks Muchly,

Rupes


------------------------------

Message: 10
Date: Fri, 21 Mar 2008 11:41:47 -0700
From: Colin McNamara <Colin at 2cups.com>
Subject: Re: [c-nsp] L3 to access layer
To: James Slepicka <cisco-nsp at slepicka.net>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID: <47E4016B.1060201 at 2cups.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

If you want to do teaming across chassis in an L3-to-the-edge design, you
have to do something like VSS, which makes it kinda "fuzzy".

Two L3-to-the-edge designs that I have seen lots of success around are
setting up MPLS VPNs inside the enterprise datacenter, and then popping
out to FWSM contexts (or a full-throttle ASA now) between VPNs. This
solves a multitude of problems, especially mergers and acquisitions, and
segregated business units. You can also do this on a small scale by
using VRF-lite, though you really need to script the heck out of your
configs, and if you get too many VRFs running you can run into scaling
issues.

The other main gotcha with L3 to the edge is VMware. ESX clusters need
layer 2 adjacency to dynamically move virtual machines between ESX
servers. Ideally you want these devices in different areas of your DC
or metro area for redundancy, but having L3 to the edge really throws a
wrench in that.

One solution I have been toying with is using VPLS to establish a
tag-switched "vlan" spanning the L3 chassis that ESX exists on. This allows
you to have the L2 adjacency, while removing STP from your core (VPLS
contains full paths through your label switch routers). It also
allows you to cleanly fit into a metro failover design, while keeping
your WAN label switched.

-- 
Colin McNamara
(858)208-8105
CCIE #18233,RHCE,GCIH 
http://www.colinmcnamara.com
http://www.linkedin.com/in/colinmcnamara

"The difficult we do immediately, the impossible just takes a little
longer"



James Slepicka wrote:
> Maybe only a consideration in the data center, but you can't do NIC 
> teaming across multiple switches for fault tolerance.
>
>
> Mike Johnson wrote:
>   
>> Is anyone doing layer 3 to the access layer? Problems? Cost?
>>
>> I know it would be cheaper to go layer 2 to the access but I am
>> looking for problems/issues technically that make it less attractive?
>>
>>
>> thanx in advance,
>>
>> harbor235
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/



------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp

End of cisco-nsp Digest, Vol 64, Issue 84
*****************************************

