Re: Multi path VPN and Cisco
- From: Vincent C Jones <v.jones@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 09 Jul 2007 11:07:46 -0400
responder@xxxxxxxxxxx wrote:
Hello Groupies.
I have been lurking for a while, but it is my first post. So hello to
all!
I am in the design/initial reconnaissance of a solution that would
make me sleep well at night. :) Basically, we have a few branches that
I need to have a redundant and reliable connectivity to. At first, I
thought about using PIX (ASA) and Fatpipe - which I assume would work
well, but it is PRICEY. So I did some more research and I think (I
THINK! I THINK!) I can do that some other way. The branches are all
connected with T's and DSL/Cable and the HQ is on multiple T-1s, but
with no BGP. I was thinking about doing it this way:
(BRANCH) | LAN | ---- | ASA | ---- | FatPipe | ---- <INTERNET> ---- | FatPipe | ---- | ASA | ---- | LAN | (HQ)
I would like to get rid of the Fatpipes - they are the most expensive
piece of equipment in that diagram - and would beef up the ASAs if
possible. Am I thinking right? What would be my other options? I am
also looking into A/A (active/active) and A/S (active/standby)
redundancy... I just need some food for thought...
The FatPipes provide a number of functions which are not available on the
ASA/PIX (such as WAN optimization, link aggregation and load balancing). I
suspect you are not using the capabilities already built into the Fatpipes
you have (or you have run into some bugs which prevent them from working as
advertised).
You can do redundant VPNs using ASA/PIX, but it takes more effort because
the ASA/PIX is a firewall, not a router, and a very conservative firewall
at that. (Note this is an observation, not a value judgment. The primary
goal of a firewall is to block undesired traffic; the fewer bells and
whistles added, the easier it is to ensure that the firewall is doing its
primary job and the less risk that a mistake will open undesired holes.)
FWIW, your diagram is a continuous string of single points of failure from
branch to HQ. You need to include all available paths before rational
comments can be made (e.g., the multiple T1s at HQ: MLPPP to a single ISP
router, or one link to each of several ISPs, each with its own set of public
IP addresses, or something in between... it makes a difference...)
Good luck and have fun!
--
Vincent C Jones, Consultant
Networking Unlimited, Inc.
Tenafly, NJ Phone: 201 568-7810
"Expert advice and a helping hand for those who want to manage and control their networking destiny"
http://www.networkingunlimited.com
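As an added illustration of the "continuous string of single points of failure" point in the reply above (example code written for this page, not from either poster), the script below models a branch-to-HQ topology as an undirected graph and reports every device and link whose loss alone cuts the branch LAN off from the HQ LAN. The first topology mirrors the posted diagram; the second is a constructed, assumed alternative (two ISP paths, no FatPipes, an ASA pair at each end) used only to show how the failure list changes when parallel paths exist. All device names are made up for the example.

```python
"""Single-point-of-failure (SPOF) check for a branch-to-HQ path.

Added example, not code from the original thread. Each topology is an
undirected graph of devices and links; a node or link is a SPOF if
removing just that element leaves no path from the branch LAN to the
HQ LAN. Device names are assumptions chosen to mirror the diagram.
"""
from collections import deque

# Constructed topology mirroring the posted diagram: a pure serial chain.
# The single "internet" node stands in for the one upstream path each
# site has in that drawing.
SERIAL_CHAIN = [
    ("branch_lan", "branch_asa"),
    ("branch_asa", "branch_fatpipe"),
    ("branch_fatpipe", "internet"),
    ("internet", "hq_fatpipe"),
    ("hq_fatpipe", "hq_asa"),
    ("hq_asa", "hq_lan"),
]

# Constructed alternative (an assumption, not a design the reply prescribes):
# two independent ISP paths, an active/standby ASA pair at each end, and
# each ASA able to reach both ISP paths.
DUAL_PATH = [
    ("branch_lan", "branch_asa1"), ("branch_lan", "branch_asa2"),
    ("branch_asa1", "isp_t1"), ("branch_asa1", "isp_dsl"),
    ("branch_asa2", "isp_t1"), ("branch_asa2", "isp_dsl"),
    ("isp_t1", "hq_asa1"), ("isp_t1", "hq_asa2"),
    ("isp_dsl", "hq_asa1"), ("isp_dsl", "hq_asa2"),
    ("hq_asa1", "hq_lan"), ("hq_asa2", "hq_lan"),
]


def build_adjacency(links):
    """Undirected adjacency map from a list of (a, b) link tuples."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, src, dst, removed_node=None, removed_link=None):
    """BFS from src to dst, ignoring one removed node or one removed link."""
    if src == removed_node or dst == removed_node:
        return False
    dead_link = set(removed_link) if removed_link else None
    seen = {src}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return True
        for nxt in adj.get(cur, ()):
            if nxt == removed_node or nxt in seen:
                continue
            if dead_link and {cur, nxt} == dead_link:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return False


def single_points_of_failure(links, src, dst):
    """Return (spof_nodes, spof_links): elements whose loss cuts src from dst.

    The endpoints themselves are excluded; losing the LAN you are trying
    to reach is not a path-redundancy question.
    """
    adj = build_adjacency(links)
    if not reachable(adj, src, dst):
        raise ValueError("no path from %s to %s even with everything up" % (src, dst))
    spof_nodes = sorted(
        n for n in adj
        if n not in (src, dst) and not reachable(adj, src, dst, removed_node=n)
    )
    spof_links = [l for l in links if not reachable(adj, src, dst, removed_link=l)]
    return spof_nodes, spof_links


if __name__ == "__main__":
    for name, topo in (("serial chain (as drawn)", SERIAL_CHAIN),
                       ("dual path (assumed alternative)", DUAL_PATH)):
        nodes, edges = single_points_of_failure(topo, "branch_lan", "hq_lan")
        print("%s: %d SPOF devices %s, %d SPOF links" % (name, len(nodes), nodes, len(edges)))
```

Run as-is it prints five SPOF devices and six SPOF links for the drawn chain (every box and every line in the diagram) and none for the dual-path variant. The check is deliberately single-fault: it says nothing about correlated failures such as both ISP circuits sharing a local loop, which is why the reply asks how the HQ T1s are actually terminated before judging the design.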