[c-nsp] VPN architecture question...

Jeff Behl jbehl at logicmonitor.com
Tue Sep 6 18:35:59 EDT 2011


This particular client has the ISP on the public network block, acting as
the default gateway (ick), so dividing up the block and routing smaller
chunks to the 1921 isn't going to work.  This is obviously sub-optimal and
something that will need to be fixed later, but such is the way of things
for now...

My final conclusion:  if they want fast failover and real redundancy for
their VPN link, they need to get another 1921. So until the VPN traffic is
used for production purposes (currently used for Amazon VPC endpoint for QA
systems), they are happy staying with the bridged-interface (and slow
failover) solution...

Thanks -
Jeff

On Fri, Sep 2, 2011 at 9:19 AM, Kevin Graham <
kgraham at industrial-marshmallow.com> wrote:

> Assuming you're stuck with lanbase (since this is trivial with an igp) on
> the 3560's, why not make the 1921's point-to-points and statics on each 3560
> pointing down those interfaces (with 2 statics on the 1921)?
>
> With a FHRP on the 3560 SVI's towards the interior network, pulling the
> plug on either should be clean. If you can get away with the FHRP priority
> tracking the 1921-facing interfaces, then you can even address segmentation.
>
> [sent from my mobile]
>
> On Sep 1, 2011, at 8:36 AM, Jeff Behl <jbehl at logicmonitor.com> wrote:
>
> > I've got two 3560s forming the 'core' at a client site.  They've
> > requested a VPN tunnel between the datacenter and the corp office for
> > easier access to their production environment by the dev team.
> > They've purchased a single Cisco 1921, so my question is how to best
> > make this single device function in the event of the failure of one
> > of the 3560s.
> >
> > Physically:
> >
> > 3560----------3560
> >   \               /
> >    \             /
> >     \           /
> >        1921
> >
> >
> >
> > Both links are trunked.  I was thinking I'd bridge the two interfaces
> > on the 1921, making a BVI for the public and internal VLANs on the
> > 1921 and source the IPSEC tunnel from the bridged public interface
> > (bvi100).  I'm pretty sure this will work but wanted to know if
> > there's a more clever way to do this.  The main thing I don't like
> > about this setup is the 1921 doesn't do fast spanning-tree so a
> > failure of an interface takes 30s.  I'm also not thrilled with having
> > the 1921 involved at all in spanning tree.
> >
> > There a better way?
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>



-- 

Jeff Behl
LogicMonitor
805-628-2345 (mb)
jbehl at logicmonitor.com
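
As an added worked example (not configuration posted in this thread; every
address, VLAN number, the peer 198.51.100.1, the corp prefix 172.16.10.0/24
and the pre-shared key placeholder are assumptions), this is what Kevin's
routed alternative looks like in IOS: a /30 VLAN from each 3560 to the 1921,
HSRP on the inside SVI with its priority tracking the 1921-facing port,
statics for the corp prefix pointing down those links, two equal-cost statics
per destination on the 1921, and the IPsec tunnel sourced from a loopback so
the IKE SA survives the loss of either link. The 1921 is a pure layer-3 hop
and takes no part in spanning tree, and the inside VLAN is never extended onto
it. The one thing this assumes is that the 1921's public address (Loopback0)
belongs to a prefix the ISP routes to the 3560s; Jeff's follow-up above
explains that with the ISP acting as default gateway on the shared public
block, that is exactly the piece that could not be arranged at this site,
which is why the bridged-BVI design stayed.

```cisco
! ---- 3560-A (LAN Base: SVIs and statics only, no IGP) ----
! 3560-B mirrors this with VLAN 252, 10.255.0.5/30 on the p2p SVI,
! 10.10.10.3 on Vlan10, HSRP priority 100 and its own statics.
! The switches' existing default route toward the ISP is unchanged and
! omitted here.
ip routing
!
vlan 251
 name p2p-to-1921
!
interface GigabitEthernet0/24
 description link to 1921 Gi0/0 (routed /30, not a trunk)
 switchport mode access
 switchport access vlan 251
 spanning-tree portfast
!
interface Vlan251
 ip address 10.255.0.1 255.255.255.252
!
interface Vlan10
 description inside servers; HSRP gateway
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
 ! lose the 1921-facing port and priority drops to 90, below 3560-B,
 ! so the inside gateway moves to the switch that still reaches the 1921
 standby 10 track GigabitEthernet0/24 20
!
! corp office prefix lives behind the 1921's tunnel; the static is withdrawn
! automatically when Vlan251 goes down. The AD-250 floating static (an
! addition beyond Kevin's sketch) sends anything that still lands on this
! switch across to 3560-B instead of black-holing it.
ip route 172.16.10.0 255.255.255.0 10.255.0.2
ip route 172.16.10.0 255.255.255.0 10.10.10.3 250
! assumed public tunnel address of the 1921, routed here by the ISP
ip route 203.0.113.10 255.255.255.255 10.255.0.2

! ---- 1921: two routed point-to-points, no bridging, no spanning tree ----
interface Loopback0
 description IPsec tunnel source, reachable via either 3560
 ip address 203.0.113.10 255.255.255.255
!
interface GigabitEthernet0/0
 description p2p to 3560-A
 ip address 10.255.0.2 255.255.255.252
 crypto map VPN
!
interface GigabitEthernet0/1
 description p2p to 3560-B
 ip address 10.255.0.6 255.255.255.252
 crypto map VPN
!
! equal-cost statics toward both switches; a failed link drops its entries
ip route 0.0.0.0 0.0.0.0 10.255.0.1
ip route 0.0.0.0 0.0.0.0 10.255.0.5
ip route 10.10.10.0 255.255.255.0 10.255.0.1
ip route 10.10.10.0 255.255.255.0 10.255.0.5
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! placeholder PSK: replace with a long random secret before use
crypto isakmp key REPLACE-ME address 198.51.100.1
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 172.16.10.0 0.0.0.255
!
! bind IKE/IPsec to the loopback so the SA does not depend on which
! physical interface the packets leave through
crypto map VPN local-address Loopback0
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set AES256-SHA
 match address VPN-TRAFFIC
```

To check the failover, shut Gi0/24 on 3560-A: `show standby brief` on 3560-A
should report Standby with 3560-B Active, `show ip route` on the 1921 should
list only the 10.255.0.5 next hops, and `show crypto isakmp sa` should still
show the peer up, because the SA is bound to Loopback0 rather than to either
physical interface. Traffic already in flight reconverges at HSRP and static
route speed rather than waiting out a 30-second 802.1D forward delay.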

