Re: VPN Design - is it possible?


"Walter Roberson" <roberson@xxxxxxxxxxxxxxxxxx> wrote in message
news:doct5h$lt2$1@xxxxxxxxxxxxxxxxxxxxxxxxxx
> In article <docqk1$90b$1@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>,
> Buzz Lightbeer <buzz.lightbeer@xxxxxxxxxxxxxxxxxxx> wrote:
>
>>"Walter Roberson" <roberson@xxxxxxxxxxxxxxxxxx> wrote in message
>>news:docn00$dvc$1@xxxxxxxxxxxxxxxxxxxxxxxxxx
>
>>> "It can be done that way" hides a multitude of practical problems
>>> involving detecting failure, detecting resumption of normal operation,
>>> and getting LAN 'A' to send data to the currently active tunnel.
>
>>Isn't this what routing protocols are for ?
>
> And the PIX can actively partake in which routing protocols?
> And can advertise what kind of routes with different costs? And
> can convert between which protocols and which others? Can do what kind
> of end-to-end testing?
>
>
>>> If you advertise the IP space through two different IPs, then
>>> you can have the two ISPs converge at a device outside the PIX A, and
>>> PIX A's one single outside IP configured as -the- peer IP on PIX B
>>> [but now with two ISP paths to reach that IP] -- but if you do this
>>> then you have a single-point failure on the link between PIX A and
>>> the WAN device that the two ISPs converge at.
>
>>Why are you assuming a single WAN device ? For resilience 2 routers, 2
>>Pix;
>>and a couple of switches too. Where's the single point of failure ?
>
> Uh huh. You are expecting someone who obviously doesn't know a lot
> about redundancy and resiliancy considerations, to jump into HSRP and
> failover PIX configurations. And you are expecting the failover PIXes
> to be able to detect the case where a router's external routing
> goes down but the router continues to send a trickle of traffic
> (such as for those routing protocols you mention). If the PIX gets
> traffic on an interface, then as far as the failover mechanism is
> concerned, the interface is up, even if you can't get anything
> through to further on.
>
>
>>This was to point out that there are more that 1 (or in this case more
>>than
>>2) ways of cracking an egg! A lot depends on how much resilience you want
>>&
>>for what cost.
>
> IMHO, "You could do it that way" without further qualification of the
> problems in doing it "that way", is tantamount to declaring it routine
> or relatively simple to do it "that way".
>
> There is, to my mind, a noticable "mood" difference between "You could
> do it that way" (i.e., "the detail you have given is sufficient for me
> to judge that your proposed method is workable in your situation") vs
> e.g.,
> "There are ways that could be made to work" (i.e., "there are some
> complexities involved that make that unworkable or infeasible in a
> number of situations, and you haven't given us enough information for
> us to judge your particular situation, but -generally speaking- if your
> situation happens to have certain characteristics, and you gather all
> the right pieces and hook the pieces up the right way, then that
> approach is one of the options.")
> --

Okay to spell it out: internal routers at each site running a routing
protocol (OSPF, EIGRP, RIP, you choose) over point-to-point connections
provided by the PIX tunnels to each other. This supplies the failover & can
include other benefits such as load balancing, if an appropriate routing
protocol is chosen. The PIX's provinde the paths between the internal
routers across the internet & no more. The external routing environment
provides resilience for the internet access only. The whole scenario,
although potentially requiring more hardware is simple to mange, resilient &
scaleable; each device providing the specific function it was designed for -
rather than having a small number of devices with a complex configuration
which would be more difficult to manage in the long term.

BL
--
"Americans always try to do the right thing - after they've tried everything
else."
- Winston Churchill (1874 - 1965)


.

Relevant Pages

  • Re: VPN Design - is it possible?
    ... >provided by the PIX tunnels to each other. ... >include other benefits such as load balancing, if an appropriate routing ... >provides resilience for the internet access only. ... MTU reduction inherent in GRE tunnels. ...
    (comp.dcom.sys.cisco)
  • Re: dymanic route table problem
    ... If it only happens in segments where the default ... gateway is pointed at the PIX, the PIX is responsible - it may not be doing ... router's routing table, ... Phillip Windell ...
    (microsoft.public.win2000.networking)
  • Re: VPN Design - is it possible?
    ... >> involving detecting failure, detecting resumption of normal operation, ... >> and getting LAN 'A' to send data to the currently active tunnel. ... And the PIX can actively partake in which routing protocols? ...
    (comp.dcom.sys.cisco)
  • Re: dymanic route table problem
    ... The redirect has been mentioned by another person as well and that is surely what it seems like it is happening. ... gateway is pointed at the PIX, the PIX is responsible - it may not be doing ... router's routing table, ... it will learn direct routes to hosts via an ip redirect. ...
    (microsoft.public.win2000.networking)
  • Re: Routing protocols from small networks
    ... A file server is used to share and store the data. ... What routing protocols are used to route packets by using a manually ... What is the network ...
    (comp.dcom.sys.cisco)