[c-nsp] VPN architecture question...
Kevin Graham
kgraham at industrial-marshmallow.com
Fri Sep 2 12:19:52 EDT 2011
Assuming you're stuck with lanbase (since this is trivial with an IGP) on the 3560s, why not make the 1921's point-to-points and statics on each 3560 pointing down those interfaces (with 2 statics on the 1921)?
With a FHRP on the 3560 SVIs towards the interior network, pulling the plug on either should be clean. If you can get away with the FHRP priority tracking the 1921-facing interfaces, then you can even address segmentation.
[sent from my mobile]
On Sep 1, 2011, at 8:36 AM, Jeff Behl <jbehl at logicmonitor.com> wrote:
> I've got two 3560s forming the 'core' at a client site. They've
> requested a VPN tunnel between the datacenter and the corp office for
> easier access to their production environment by the dev team.
> They've purchased a single Cisco 1921, so my question is how to best
> make this single device function in the event of the failure of one
> of the 3560s.
>
> Physically:
>
> 3560----------3560
>     \        /
>      \      /
>       \    /
>        1921
>
>
>
> Both links are trunked. I was thinking I'd bridge the two interfaces
> on the 1921, making a BVI for the public and internal VLANs on the
> 1921 and source the IPsec tunnel from the bridged public interface
> (bvi100). I'm pretty sure this will work but wanted to know if
> there's a more clever way to do this. The main thing I don't like
> about this setup is the 1921 doesn't do fast spanning-tree so a
> failure of an interface takes 30s. I'm also not thrilled with having
> the 1921 involved at all in spanning tree.
>
> Is there a better way?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
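Kevin's suggestion above, worked through as an added IOS configuration example (not from either poster). Addressing, VLAN numbers and interface names are constructed; it assumes a per-link VLAN plus SVI on each 3560 rather than routed ports, that HSRP and `track` objects are available on the 3560s in question, and that the 1921's Internet-facing interface and the IPsec tunnel itself sit on a further interface that is not shown.

```ios
! ===== 3560-A (3560-B mirrors this with VLAN 102, 192.0.2.5/30, priority 100) =====
ip routing
!
vlan 101
 name P2P-TO-1921
!
interface GigabitEthernet0/1
 description point-to-point to 1921 Gi0/0 (access, not trunk: 1921 stays out of STP)
 switchport mode access
 switchport access vlan 101
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan101
 ip address 192.0.2.1 255.255.255.252
!
! Track the 1921-facing link so a dead link also gives up the HSRP active role
track 1 interface Vlan101 line-protocol
!
interface Vlan10
 description interior network
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 20
!
! Corp office prefix (behind the 1921's IPsec tunnel) via the p2p link; the static
! is withdrawn automatically when Vlan101 goes down and its next hop becomes unreachable
ip route 10.20.0.0 255.255.0.0 192.0.2.2
!
! ===== 1921 =====
interface GigabitEthernet0/0
 description p2p to 3560-A
 ip address 192.0.2.2 255.255.255.252
!
interface GigabitEthernet0/1
 description p2p to 3560-B
 ip address 192.0.2.6 255.255.255.252
!
! Two equal-cost statics: both installed while both links are up, and the one
! whose link fails drops out of the routing table without any STP convergence
ip route 10.10.10.0 255.255.255.0 192.0.2.1
ip route 10.10.10.0 255.255.255.0 192.0.2.5
```

To check the failure behaviour, pull one 1921-facing link: `show standby brief` on both 3560s should show the surviving switch active for group 10, and `show ip route static` on the 1921 should list only the remaining next hop.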