[c-nsp] redundancy via VPN
Brandon Applegate
brandon at burn.net
Wed Jul 13 17:14:43 EDT 2011
On Wed, 13 Jul 2011, Scott Voll wrote:
> I would like to add some redundancy to our network. We currently have a MAN
> connection between two sites. Each site also has internet connectivity with
> other providers (not our MAN provider).
>
> Which is the better way to add redundancy over those internet connections:
> GetVPN, or DMVPN using GRE, or is there a better option yet?
>
> TIA
>
> Scott
If your topology is simple enough, and the set of routes manageable /
nicely aggregated - why not just a VPN that will get used by virtue of
following the default route? In other words, assuming
OSPF/BGP/BFD-static etc. on the MAN connection - when that goes away, the
more specific to the other site is gone. Assuming default flows toward
the internet devices, if they can do VPN, it will get used by virtue of
not having the more specific MAN route.
For something more complex, I'd look at some kind of dynamic protocol, and
using the same one if you can get away with it (i.e. no mutual
redistribution, filtering, etc.). BGP has good knobs to influence this;
OSPF/EIGRP would take a tunnel bandwidth into account and should work as
well.
I've historically also done this with GRE from devices riding an IPSEC
tunnel that only encrypted the GRE endpoints. I assume nowadays in IOS
with VTIs you can do this more elegantly. On ASA (at least code I've
touched) there isn't much at your disposal WRT IPSEC stuff. Not very
flexible or dynamic. Other vendors fare differently because you can run
OSPF/BGP on their firewalls, and actually have the VPN manifest as an
'interface'. Kill multiple birds with one stone.
--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151. This is the serial number, of our orbital gun."