[c-nsp] highly available ipsec vpn

harbor235 harbor235 at gmail.com
Fri Feb 9 07:08:44 EST 2018


I will be using ASRs, route based VPNs with VTIs.


Mike

On Thu, Feb 8, 2018 at 6:13 PM, Jeff Orr <jeffborr at gmail.com> wrote:

> We use HA VPN (HSRP) for our IPSEC based business partners. It has worked
> well for years, but I’m only partly happy.
>
> We have built our data centers to be as independent as possible. Minimal
> OTV, routed mainframe, separate internal and external IP space. However,
> with HA VPN, I have to have L2 stretch & advertise the specific /24 out of
> both DCs.
>
> The main benefit is our partners only set up one tunnel and neither side
> has to worry about DR. Internally we use RRI into our IGP to steer traffic
> to the proper router.
>
> On Thu, Feb 8, 2018 at 5:34 PM harbor235 <harbor235 at gmail.com> wrote:
>
>> I am looking to implement a highly available IPSEC route based VPN.
>> Traditionally I would bring up multiple tunnels with multiple BGP peers in
>> a dual router setup.
>>
>> IPSEC HSRP design appears to be the flavor of the day; failover times
>> appear to be lengthy compared to failover times via BGP. Is anyone using
>> the HSRP HA setup? Are your experiences good or bad? Has the BGP route
>> based IPSEC VPN design fallen from grace?
>>
>>
>> Mike
>

