Customer has a point-to-point link from A to B using 1720s at both sites. Connection is HDLC. Both sites have independent Internet connections.
Customer has a PIX firewall at A connected to an ISP and a 2600 series router. The PIX firewall connects to B using a site-to-site VPN as a method of fault tolerance.
Customer would like to put in a 1751 with 3 Ethernet interfaces: one for internal (which would become the default gateway for A's LAN), one to the PIX, and one to the point-to-point router. The ultimate goal is that if the point-to-point link goes down, traffic is routed over the site-to-site VPN.
It's possible to do so, but it is going to add one more hop in between. The best solution is to use a 4-port 10/100 Fast Ethernet PCI expansion card in the PIX itself. The 515E PIX firewall has two expansion slots.
If the LAN has enough bandwidth to spare, you can do the job with what is already in place!
Just set the 1720 as the default route for all local users, and let the 1720 send Internet traffic back over the LAN to the PIX (one-armed routing) and over the point-to-point link for destinations on the remote LAN. Don't forget to turn off ICMP redirects on the 1720 Ethernet interface. A routing protocol can detect the loss of the point-to-point link, and a floating static route can be used to forward traffic to the VPN on the PIX. (Configure the VPN on the PIX to VPN only traffic to the remote LAN.)
Primary "gotcha" is if the VPN MTU is less than 1500 bytes. This may require hardcoding the MTU on users systems to a value small enough to survive the VPN.
The specific command is "no ip icmp redirect." Look up what ICMP redirects do in your favorite TCP/IP text book and you'll see that it is not a question of improving resilience, but rather a question of having functional resilience.
WARNING: If you don't fully understand how your redundant solution works, the chances of it working the way you want it to are pretty slim. Consider hiring a competent consultant to help you avoid unnecessary downtime as you learn from experience :-) There is a lot more to improving availability than just adding a second link... If you want to lose sleep mulling over the many ways your network can fail, curl up with a copy of my book. And recognize that after 600-some-odd pages, you've only scratched the surface!
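The one-armed design in the answer above, written out as a configuration example. This is an added illustration, not configuration posted by anyone in the thread: the addressing (site A LAN 10.1.1.0/24 with the 1720 at 10.1.1.1 and the PIX inside interface at 10.1.1.2, site B LAN 10.2.2.0/24, serial link 10.0.0.0/30, ISP next hop 203.0.113.1, remote VPN peer 198.51.100.2), the interface and object names, and the choice of OSPF as the routing protocol are all assumptions. In IOS the interface-level command that disables ICMP redirects is spelled `no ip redirects`; the PIX side is shown in PIX 6.x syntax.

```cisco
! ---- 1720 at site A (default gateway for the A LAN) ----
! Assumed interface names: the 1720's onboard 10/100 port and a WIC-1T serial port.
interface FastEthernet0
 ip address 10.1.1.1 255.255.255.0
 ! One-armed routing: Internet and VPN-bound traffic re-enters this same
 ! segment toward the PIX. Without this line the router tells each host
 ! "use 10.1.1.2 directly" and hosts cache that, so the router no longer
 ! controls which path is used when the serial link comes back.
 no ip redirects
 ! Optional (only on IOS images that support it): clamp TCP MSS so hosts
 ! do not need their MTU hardcoded to survive the VPN overhead. The value
 ! 1350 is an assumption; pick one that fits the tunnel's real MTU.
 ip tcp adjust-mss 1350
!
interface Serial0
 ip address 10.0.0.1 255.255.255.252
 encapsulation hdlc
!
! OSPF learns 10.2.2.0/24 from the B router over the serial link (AD 110).
! When the link or the adjacency fails, that route is withdrawn.
router ospf 1
 network 10.0.0.0 0.0.0.3 area 0
 network 10.1.1.0 0.0.0.255 area 0
 passive-interface FastEthernet0
!
! Floating static (AD 250): used only while no OSPF route for B's LAN exists,
! i.e. only when the point-to-point link is down. Next hop is the PIX inside.
ip route 10.2.2.0 255.255.255.0 10.1.1.2 250
! Normal Internet traffic always goes back across the LAN to the PIX.
ip route 0.0.0.0 0.0.0.0 10.1.1.2
!
! ---- PIX at site A (inside 10.1.1.2, PIX 6.x syntax) ----
! Crypto ACL limits the tunnel to A-LAN <-> B-LAN traffic only; everything
! else arriving from the 1720 goes out to the ISP in the clear as usual.
access-list VPN-B permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
sysopt connection permit-ipsec
! 3DES/SHA was the typical choice for this hardware; use AES where the image supports it.
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac
crypto map TO-B 10 ipsec-isakmp
crypto map TO-B 10 match address VPN-B
crypto map TO-B 10 set peer 198.51.100.2
crypto map TO-B 10 set transform-set STRONG
crypto map TO-B interface outside
isakmp enable outside
isakmp key <preshared-secret> address 198.51.100.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
```

Site B needs the mirror image: OSPF on its 1720's serial interface, a floating static for 10.1.1.0/24 pointing at its own VPN device, and a crypto ACL that matches only 10.2.2.0/24 to 10.1.1.0/24, otherwise return traffic takes the serial path while outbound traffic takes the tunnel and the failover is only half working. To verify the failover, shut the serial interface on one side, confirm with `show ip route 10.2.2.0` that the 250-distance route has taken over, and check `show crypto ipsec sa` on the PIX for encrypt/decrypt counters incrementing; then bring the link back and confirm the OSPF route displaces the static again.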