[c-nsp] traffic re-route on FW

Vincent C Jones v.jones at networkingunlimited.com
Wed Dec 16 13:34:38 EST 2009


On Wed, 2009-12-16 at 14:44 +0530, jack daniels wrote:
> Hi,
> 
> 
> I have a topology
> 
> MPLS                          INTERNET
>  |                               |
> CE1                             CE2
> (172.16.1.1/30)                 (172.16.2.1/30)
>  |                               |
>  |-----172.16.1.2/30 (FIREWALL CHECKPOINT) (172.16.2.2/30)-----|
> 
> 
> MPLS is my primary link and when it's down I have an IPSEC TUNNEL from
> CHECKPOINT to remote peer (which is backup)..
> I'm confused how FW will be aware that MPLS SP is down and route traffic to
> Internet IPSEC TUNNEL.<<<<<<<<<<<<<<<<<<<
> I don't have license for dynamic routing on CHECKPOINT.
> 
> Thanks for help
> Jack

The simple answer, since you have a presence at both ends for this
application, is to put a cheap router at each end (inside the firewalls)
and run a routing protocol to select which of two tunnels is used. One
tunnel goes over the MPLS network, the other over your IPsec tunnel. An
1811 or SSG-5 will do the job if you're talking T1 speeds.

See the white paper "Redundant Routes in IPSec VPNs" on my web site
at http://www.networkingunlimited.com/white009.html for some ideas. It
won't provide a cookbook design for you, but it will walk you through
the issues and some of the trade-offs that you'll need to make.

Good luck and have fun!
-- 
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
V.Jones at NetworkingUnlimited.com
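An added example of the design Vincent describes, written for this archive page and not taken from his white paper or from the original thread: a Cisco IOS configuration for the inside router at one site, with a GRE tunnel over MPLS and a second GRE tunnel riding the Checkpoint-to-Checkpoint IPsec tunnel, and OSPF choosing between them. All addresses (the 10.255.x.x loopbacks, 10.254.x.x tunnel subnets, 172.16.3.0/30 inside link and 192.168.10.0/24 LAN) are assumed values, and the firewall is assumed to forward 10.255.0.2 toward CE1 and 10.255.1.2 into the IPsec tunnel.

```cisco
! Site A inside router (e.g. an 1811); site B mirrors this with the
! .1/.2 addresses swapped. All addresses are constructed for this example.
!
! Loopbacks are the GRE endpoints: Lo0 must only be reachable across MPLS,
! Lo1 only through the firewall's IPsec tunnel (firewall policy and the
! remote site have to route them that way).
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Loopback1
 ip address 10.255.1.1 255.255.255.255
!
! Inside link to the Checkpoint (172.16.3.1 assumed as its inside address)
interface FastEthernet0
 ip address 172.16.3.2 255.255.255.252
! Site LAN
interface FastEthernet1
 ip address 192.168.10.1 255.255.255.0
!
! Both remote GRE endpoints are reached via the firewall, which sends
! 10.255.0.2 to CE1/MPLS and 10.255.1.2 into the IPsec tunnel.
ip route 10.255.0.2 255.255.255.255 172.16.3.1
ip route 10.255.1.2 255.255.255.255 172.16.3.1
!
! Tunnel0: primary path over MPLS. GRE keepalives (every 10 s, 3 misses)
! drop line protocol when the far end stops answering, so OSPF loses the
! neighbour and withdraws its routes; the firewall never has to know.
interface Tunnel0
 ip address 10.254.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 10
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Tunnel1: backup inside the IPsec tunnel. The higher OSPF cost keeps it
! out of the routing table while Tunnel0 is up.
interface Tunnel1
 ip address 10.254.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf cost 100
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.255.1.2
!
! Advertise the LAN and both tunnel subnets, but never the loopbacks:
! learning a tunnel's destination through that tunnel causes recursive routing.
router ospf 1
 network 10.254.0.0 0.0.1.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

When MPLS fails, `show ip ospf neighbor` loses the Tunnel0 peer within about 30 seconds and the remote LAN route flips to Tunnel1; set the keepalive and OSPF timers to match how long an outage you are willing to ride through before failing over.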