Large Scale VPN Design Question

Unanswered Question

I am looking at designing a hub and spoke VPN solution. 30 sites to main data center. All sites have T-1s with 2620s. I am looking at 2 scenarios:

1.) Two 7204VXR routers at data center with VPN Accelerator Module 2 configured in HSRP. Remote sites with PIX 515s.

2.) Two 7204VXR routers at data center with VPN Accelerator Module 2 configured in HSRP. Remote sites with existing 2620s running IOS Firewall.

Any ideas or suggestions? I require some sort of firewall protection at the remote sites. I have used PIXes a lot for just firewall, but have never mixed them in with a router VPN solution.

artherrera Sun, 06/22/2003 - 15:36

Hello,


Since you already have the 2620 routers at the remote sites, option 2 will be the cost-saving design. You can use the High Availability feature at the central site, and IOS firewall at the remote sites. This is a sample configuration of HA:

http://www.cisco.com/warp/public/707/ipsec_feat.html


Also, an excellent document on designing VPNs:

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8bc.shtml


Regards

Arthur

I definitely agree with deploying IPSEC HA at the central site with 7200s.


1) Do you know if a PIX has a similar "ike keepalive" setting to take advantage of the IPSEC HA at the central site? (In case the decision is made to go with PIX at remote sites.)

2) If RRI is not used and static routes are used at the central site (static routes pointing to the internal HSRP address of the 7200s), will the same functionality exist?


artherrera Mon, 06/23/2003 - 18:49

1) Yes, the PIX also uses DPD (dead peer detection); this is necessary for your HA configuration.

2) It is recommended to use a dynamic routing protocol. The HSRP address will be on the outside, and your routing protocol will point to the interface that is going to be active and viewable from the inside.
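The two answers above describe the design in words: an HSRP-shared outside address on the 7200s, keepalives so a spoke notices a failed hub, and reverse-route injection redistributed into the IGP instead of static routes pointing at the virtual address. The skeleton below is an added illustration of that combination written for this page; it is not taken from the thread or from the Cisco documents linked above. It assumes an IOS image of that era that supports `crypto map ... redundancy` and `reverse-route`; the addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24), the interface names, group names and the pre-shared key are placeholders, and the ciphers are chosen for today's practice rather than copied from the 2003 discussion.

```text
! ===== Hub (each 7204VXR; second router identical except its own outside IP) =====
! Outside interface. The HSRP virtual address (192.0.2.1) is the only peer
! address the spokes ever learn, so a failover is invisible to them.
interface FastEthernet0/0
 description Outside - shared with the partner 7200 via HSRP
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPN-HA
 ! Bind the crypto map to the HSRP group: IKE/IPsec is owned by the active router
 crypto map VPN-MAP redundancy VPN-HA
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! One key per spoke; PLACEHOLDER-PSK is not a real value
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.10
!
! DPD / IKE keepalives: probe the peer every 10 s, retry every 3 s once it stops answering.
! This is what lets a spoke tear down SAs to a dead hub and re-establish to the survivor.
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address SPOKE1
 ! Reverse Route Injection: install a route to the spoke LAN on whichever
 ! hub currently holds the SA, instead of hand-maintained static routes.
 reverse-route
!
! Interesting traffic for spoke 1 (hub LAN 10.0.0.0/16 <-> spoke LAN 10.1.0.0/24)
ip access-list extended SPOKE1
 permit ip 10.0.0.0 0.0.255.255 10.1.0.0 0.0.0.255
!
! Inside routing: the RRI routes are static routes, so redistribute them into the IGP.
! Inside hosts then follow the active hub automatically; nothing points at the HSRP address.
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 redistribute static subnets
!
! ===== Spoke (2620 running IOS Firewall) =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto map HUB 10 ipsec-isakmp
 ! Peer is the hub's HSRP virtual address, never a physical one
 set peer 192.0.2.1
 set transform-set TS
 match address TO-HUB
ip access-list extended TO-HUB
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! IOS Firewall (CBAC): allow only what the tunnel and IKE need inbound on the T-1,
! and let stateful inspection open return paths for outbound sessions.
ip inspect name FW tcp
ip inspect name FW udp
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.1 host 198.51.100.10 eq isakmp
 permit esp host 192.0.2.1 host 198.51.100.10
 deny   ip any any log
interface Serial0/0
 description T-1 to provider
 ip address 198.51.100.10 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map HUB
```

Two points worth checking in a lab before rollout: the keepalive interval bounds how long spoke traffic is blackholed after a hub failure (here roughly 10 s plus retries), and `redistribute static subnets` must be present on both hubs, otherwise only one of them can advertise the spoke LANs after a failover.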
