[c-nsp] VPN architecture question...
Ryan Rawdon
ryan at u13.net
Thu Sep 1 18:03:35 EDT 2011
I haven't tested exactly this, but in theory it might work -
Run an IGP between the 3560s and the 1921, have the 1921 announce a loopback address into the IGP. Use that loopback address to establish the VPN endpoint on the 1921 side, that way it's not tied to a specific interface.
On Sep 1, 2011, at 11:36 AM, Jeff Behl wrote:
> I've got two 3560s forming the 'core' at a client site. They've
> requested a VPN tunnel between the datacenter and the corp office for
> easier access to their production environment by the dev team.
> They've purchased a single Cisco 1921, so my question is how to best
> make this single device function in the event of the failure of one
> of the 3560s.
>
> Physically:
>
> 3560----------3560
>    \          /
>     \        /
>      \      /
>        1921
>
>
>
> Both links are trunked. I was thinking I'd bridge the two interfaces
> on the 1921, making a BVI for the public and internal VLANs on the
> 1921 and source the IPSEC tunnel from the bridged public interface
> (bvi100). I'm pretty sure this will work but wanted to know if
> there's a more clever way to do this. The main thing I don't like
> about this setup is the 1921 doesn't do fast spanning-tree so a
> failure of an interface takes 30s. I'm also not thrilled with having
> the 1921 involved at all in spanning tree.
>
> There a better way?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
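A sketch of the loopback-sourced design suggested in the reply, as an added example that is not from either poster and has not been tested against this site. It assumes the two uplinks become routed point-to-point links rather than bridged trunks, that OSPF is the IGP, and that the loopback address is reachable from the corp peer; every address, name and key below is a constructed placeholder.

```cisco
! Constructed example for the 1921. Addresses use documentation ranges.
interface Loopback0
 description VPN endpoint, reachable through either 3560
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Routed uplink to 3560-A
 ip address 198.51.100.1 255.255.255.252
 crypto map DC-TO-CORP
!
interface GigabitEthernet0/1
 description Routed uplink to 3560-B
 ip address 198.51.100.5 255.255.255.252
 crypto map DC-TO-CORP
!
! Announce the loopback into the IGP; form adjacencies only on the uplinks
router ospf 1
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.7 area 0
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Placeholder prefixes: datacenter side to corp side
ip access-list extended DC-TO-CORP-TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Source IKE and IPsec from the loopback, not from the egress interface,
! so the tunnel identity survives the loss of either uplink
crypto map DC-TO-CORP local-address Loopback0
crypto map DC-TO-CORP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set ESP-AES256-SHA
 match address DC-TO-CORP-TRAFFIC
```

The corp-side peer has to point its `set peer` and pre-shared key at the loopback address (192.0.2.1 here), not at either uplink address. Failover time then depends on how quickly the IGP reconverges rather than on spanning tree.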