[c-nsp] Simple redundancy for 7200/NPE-G1 w/ two logical connections

Daniska, Tomas tomas at soitron.com
Wed Mar 3 07:07:26 EST 2010


Peter,

> -----Original Message-----
> I'm wondering how best to solve having a 7200/NPE-G1 with two
> connections ("inside" and "outside") in a redundant configuration,
> considering that the router only has 3 interfaces.
> 
> The router is supposed to terminate an IPSec tunnel on one side and
> route traffic towards the inside interface. The "upstream" connections
> come from a pair of 6500s, "inside" and "outside" in two different
> VRFs there.
>
> My first idea is to use two dot1q trunks towards the router. Each
> physical interface would have two subinterfaces, and each pair of
> subinterfaces would be members of a separate bridge-group. The IP
> configuration would then reside on BVI interfaces.
> Is this a bad idea? Are there any problems terminating an IPSec tunnel
> on a BVI? We're using a SA-VAM2 module for VPN acceleration; would
> anybody know if there are any problems accelerating traffic from a
> BVI?
> 
> Maybe there are other ideas on how to configure this?

On the outside connection, do you really need to close the L2 loop at
the router side? I suggest it would be better to use two point-to-point
L3 subnets and a dynamically routed loopback interface that would
terminate the tunnel.

Similarly for the inside, I would not go with a common IP subnet for
both 6500 downlinks and bridging them to a BVIs but use two separate L3
uplinks to the tunnel router and dynamic routing over them as well. The
mention of VRFs on the 6500s suggests that you already have your L3
first-hop there, so no need to provide L2-based redundancy on the tunnel
router.


--

deejay
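The design Tomas proposes, written out as an IOS configuration for the tunnel router. This is an added example, not configuration from either poster: the interface names (GigabitEthernet0/1 to 6500-A, GigabitEthernet0/2 to 6500-B), VLAN IDs, the RFC 5737 documentation addresses, the 10.10/16 and 10.20/16 site prefixes, the OSPF process split and the crypto parameters are all assumptions. Each 6500 gets its own /30 for "outside" and its own /30 for "inside", so no bridge-group or BVI is needed, and the IPsec peer address is a loopback that stays reachable over whichever outside link is up.

```cisco
! Tunnel endpoint: a loopback advertised into the outside routing domain,
! so the IPsec SA survives the loss of either physical uplink.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
! Trunk to 6500-A: one L3 subinterface per VRF, each its own /30
! (assumed VLAN IDs; no bridge-group, no BVI).
interface GigabitEthernet0/1
 description dot1q trunk to 6500-A
 no ip address
interface GigabitEthernet0/1.100
 description outside /30 to 6500-A (outside VRF)
 encapsulation dot1Q 100
 ip address 198.51.100.1 255.255.255.252
 ip ospf network point-to-point
 crypto map VPN
interface GigabitEthernet0/1.200
 description inside /30 to 6500-A (inside VRF)
 encapsulation dot1Q 200
 ip address 203.0.113.1 255.255.255.252
 ip ospf network point-to-point
!
! Trunk to 6500-B: same layout, different /30s.
interface GigabitEthernet0/2
 description dot1q trunk to 6500-B
 no ip address
interface GigabitEthernet0/2.100
 description outside /30 to 6500-B (outside VRF)
 encapsulation dot1Q 100
 ip address 198.51.100.5 255.255.255.252
 ip ospf network point-to-point
 crypto map VPN
interface GigabitEthernet0/2.200
 description inside /30 to 6500-B (inside VRF)
 encapsulation dot1Q 200
 ip address 203.0.113.5 255.255.255.252
 ip ospf network point-to-point
!
! Outside routing: advertise the loopback and both outside /30s to the
! 6500s' outside VRF. A separate process keeps inside prefixes out of
! the outside VRF on this non-VRF-aware router.
router ospf 1
 router-id 192.0.2.1
 passive-interface Loopback0
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.7 area 0
!
! Inside routing: both inside /30s, plus the remote site's prefix
! (reached through the tunnel) redistributed so the inside VRF
! learns a next hop on whichever inside link is up.
router ospf 2
 router-id 203.0.113.1
 redistribute static subnets
 network 203.0.113.0 0.0.0.7 area 0
!
! Assumed remote-site prefix, routed towards either outside next hop;
! crypto map VPN then encrypts it on the egress subinterface.
ip route 10.20.0.0 255.255.0.0 198.51.100.2
ip route 10.20.0.0 255.255.0.0 198.51.100.6
!
! IPsec: peer and proposal values are placeholders to be aligned with
! the far end and with what this IOS release / the VAM2 actually accelerate.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PSK-PLACEHOLDER> address 192.0.2.254
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! local-address pins the SA source to Loopback0 so the same SA is valid
! regardless of which outside subinterface forwards the packets.
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.254
 set transform-set TS
 match address VPN-TRAFFIC
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
```

The two things worth checking after deployment are that `show crypto isakmp sa` shows the SA sourced from 192.0.2.1 rather than a /30 address, and that pulling either trunk leaves the loopback reachable from the outside VRF (the OSPF adjacency on the surviving link carries it) without the SA being torn down. The 6500 side needs the matching /30s in the respective VRFs and OSPF in each VRF; that part is not shown.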
