[c-nsp] VPN architecture question...

Jeff Behl jbehl at logicmonitor.com
Thu Sep 1 11:36:11 EDT 2011


I've got two 3560s forming the 'core' at a client site.  They've
requested a VPN tunnel between the datacenter and the corp office for
easier access to their production environment by the dev team.
They've purchased a single Cisco 1921, so my question is how to best
make this single device function in the event of the failure of one
of the 3560s.

Physically:

3560---------3560
   \         /
    \       /
     \     /
      1921

Both links are trunked.  I was thinking I'd bridge the two interfaces
on the 1921, making a BVI for the public and internal VLANs on the
1921 and source the IPSEC tunnel from the bridged public interface
(bvi100).  I'm pretty sure this will work but wanted to know if
there's a more clever way to do this.  The main thing I don't like
about this setup is the 1921 doesn't do fast spanning-tree, so a
failure of an interface takes 30s.  I'm also not thrilled with having
the 1921 involved at all in spanning tree.

Is there a better way?
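For readers following the thread, here is what the design sketched in the post (both trunks bridged on the 1921, one BVI per VLAN, IPsec sourced from the public BVI) looks like as an IOS configuration. This is an added illustration, not the poster's configuration: VLAN numbers 100/200, interface names, the RFC 5737 addresses, the peer, the access-list names and the pre-shared key are all placeholders, and the cipher choices assume an IOS 15.x image that supports AES-256 and SHA-256.

```ios
! Integrated routing and bridging: one bridge group per VLAN, each with a
! Layer 3 BVI. Both uplinks to the 3560s are members of both groups, so
! the 1921 keeps its addresses when either uplink goes away.
bridge irb
bridge 100 protocol ieee
bridge 100 route ip
bridge 200 protocol ieee
bridge 200 route ip
!
! Trunk to the first 3560 (placeholder VLAN ids 100 = public, 200 = internal)
interface GigabitEthernet0/0
 no ip address
interface GigabitEthernet0/0.100
 encapsulation dot1Q 100
 bridge-group 100
interface GigabitEthernet0/0.200
 encapsulation dot1Q 200
 bridge-group 200
!
! Trunk to the second 3560, same VLANs, same bridge groups
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 bridge-group 100
interface GigabitEthernet0/1.200
 encapsulation dot1Q 200
 bridge-group 200
!
! Bridged public VLAN: the IPsec crypto map is applied here
interface BVI100
 ip address 203.0.113.10 255.255.255.0
 crypto map CORP-VPN
!
! Bridged internal VLAN
interface BVI200
 ip address 10.10.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! IKE phase 1 (placeholder peer and pre-shared key)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! IPsec phase 2
crypto ipsec transform-set CORP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selectors: datacenter internal space <-> corp office space (placeholders)
ip access-list extended CORP-VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map CORP-VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set CORP-TS
 match address CORP-VPN-TRAFFIC
!
! Pin the ISAKMP/IPsec source to the BVI rather than a physical uplink,
! so losing one 3560 does not change the tunnel's identity or endpoint
crypto map CORP-VPN local-address BVI100
```

Two points worth checking against this layout: `bridge 100 protocol ieee` runs classic 802.1D on the router's bridge group, which is why a blocked-to-forwarding transition costs the 30 seconds the post mentions, and with both uplinks in the same bridge group the 1921 is necessarily a spanning-tree participant, so verify with `show spanning-tree` on the router and the 3560s which port ends up blocked after the loop is closed.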