[c-nsp] Simple redundancy for 7200/NPE-G1 w/ two logical connections

Peter Rathlev peter at rathlev.dk
Wed Mar 3 06:17:05 EST 2010


I'm wondering how best to solve having a 7200/NPE-G1 with two
connections ("inside" and "outside") in a redundant configuration,
considering that the router only has 3 interfaces.

The router is supposed to terminate an IPSec tunnel on one side and
route traffic towards the inside interface. The "upstream" connections
come from a pair of 6500s, "inside" and "outside" in two different VRFs
there.

My first idea is to use two dot1q trunks towards the router. Each
physical interface would have two subinterfaces, and each pair of
subinterfaces would be members of a separate bridge-group. The IP
configuration would then reside on BVI interfaces.

Is this a bad idea? Are there any problems terminating an IPSec tunnel
on a BVI? We're using a SA-VAM2 module for VPN acceleration; would
anybody know if there are any problems accelerating traffic from a BVI?

Maybe there are other ideas on how to configure this?

TIA.

-- 
Peter



