[c-nsp] cisco-nsp Digest, Vol 64, Issue 84
Brian Stiff (bstiff)
bstiff at cisco.com
Fri Mar 21 16:17:26 EDT 2008
Hi Rupert-
You said:
"I'm going to put 1801w routers in each store, as they're perfectly
tailored to the needs of a small-ish Retail location, and run DMVPN to
handle the spoke to spoke VoIP traffic. What I'm still trying to decide
on is what to put at the head-office hub end. I need something to
concentrate the VPN tunnels, and to terminate an SDSL line and so am
thinking either an ASA 5510 with a 1803 router, or just a 2800 series
router. At present we've got something to terminate "road-warrior"
clients and so that isn't a consideration."
If you're going to use DMVPN for spoke-to-spoke traffic, you'll need a
router to run as a hub for the DMVPN, as ASA doesn't presently support
DMVPN.
How much spoke-to-spoke traffic will your network carry, as compared to
spoke-to-hub? Also, how much aggregate crypto traffic will the hub see?
Regards,
Brian
Brian Stiff
720.562.6462
IOS Firewall
Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw
From: "Rupert Finnigan" <rupert.finnigan at googlemail.com>
I'm going to put 1801w routers in each store, as they're perfectly
tailored to the needs of a small-ish Retail location, and run DMVPN to
handle the spoke to spoke VoIP traffic. What I'm still trying to decide
on is what to put at the head-office hub end. I need something to
concentrate the VPN tunnels, and to terminate an SDSL line and so am
thinking either an ASA 5510 with a 1803 router, or just a 2800 series
router. At present we've got something to terminate "road-warrior"
clients and so that isn't a consideration.
Just interested in various options/comments or any pointers anyone can
offer..
Thanks Muchly,
Rupes
------------------------------
Message: 10
Date: Fri, 21 Mar 2008 11:41:47 -0700
From: Colin McNamara <Colin at 2cups.com>
Subject: Re: [c-nsp] L3 to access layer
To: James Slepicka <cisco-nsp at slepicka.net>
Cc: cisco-nsp <cisco-nsp at puck.nether.net>
Message-ID: <47E4016B.1060201 at 2cups.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
If you want to do teaming across chassis in a L3 to the edge design, you
have to do something like VSS which makes it kinda "fuzzy".
Two L3 to the edge designs that I have seen lots of success around is
setting up MPLS VPNs inside the enterprise datacenter, and then popping
out to fwsm contexts (or a full throttle ASA now) between VPNs. This
solves a multitude of problems, especially mergers and acquisitions, and
segregated business units. You can also do this on a small scale by
using vrf-lite, though you really need to script the heck out of your
configs, and if you get too many VRFs running you can run into scaling
issues.
The other main gotcha with L3 to the edge is VMware. ESX clusters need
layer 2 adjacency to dynamically move virtual machines between ESX
servers. Ideally you want these devices in different areas of your DC
or Metro area for redundancy, but having l3 to the edge really throws a
wrench in that.
One solution I have been toying with is using VPLS to establish a tag
switched "vlan" spanning the L3 chassis that ESX exists on. This allows
you to have the l2 adjacency, while removing STP from your core (VPLS
contains full paths through your label switch routers). And it also
allows you to cleanly fit into a metro failover design, while keeping
your wan label switched.
--
Colin McNamara
(858)208-8105
CCIE #18233,RHCE,GCIH
http://www.colinmcnamara.com
http://www.linkedin.com/in/colinmcnamara
"The difficult we do immediately, the impossible just takes a little
longer"
James Slepicka wrote:
> Maybe only a consideration in the data center, but you can't do NIC
> teaming across multiple switches for fault tolerance.
>
>
> Mike Johnson wrote:
>
>> Is anyone doing layer 3 to the access layer? Problems? Cost?
>>
>> I know it would be cheaper to go layer 2 to the access but I am
>> looking for problems/issues technically that make it less attractive?
>>
>>
>> thanx in advance,
>>
>> harbor235
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
------------------------------
End of cisco-nsp Digest, Vol 64, Issue 84