Large Scale VPN Design Question

itnetwork
Level 1

I am looking at designing a hub and spoke VPN solution. 30 sites to main data center. All sites have T-1's with 2620's. I am looking at 2 scenarios:

1.) Two 7204VXR routers at data center with VPN Accelerator Module 2 configured in HSRP. Remote sites with PIX 515's.

2.) Two 7204VXR routers at data center with VPN Accelerator Module 2 configured in HSRP. Remote sites with existing 2620's running IOS Firewall.

Any ideas, suggestions? I require some sort of firewall protection at the remote sites. I have used PIX's a lot for just firewall, but have never mixed them in with a router VPN solution.

5 Replies

artherrera
Level 1

Hello,

Since you already have the 2620 routers at the remote sites, option 2 will be a cost-saving design. You can use the High Availability feature at the central site, and IOS Firewall at the remote sites. This is a sample configuration of HA:

http://www.cisco.com/warp/public/707/ipsec_feat.html

Also, an excellent document on designing VPNs:

http://www.cisco.com/en/US/netsol/ns110/ns170/ns171/ns128/networking_solutions_white_paper09186a008009c8bc.shtml

Regards

Arthur

I definitely agree with deploying IPSEC HA at the central site with 7200's.

1) Do you know if a PIX has a similar "ike keepalive" setting to take advantage of the IPSEC HA at the central site? (In case the decision is made to go with PIX at remote sites)

2) If RRI is not used and static routes are used at the central site, (static routes pointing to the internal HSRP address of the 7200's) will the same functionality exist?

1) Yes, the PIX also uses DPD (dead peer detection); this is necessary for your HA configuration.

2) It is recommended to use a dynamic routing protocol. The HSRP address will be on the outside; your routing protocol will point to the interface that is going to be active and viewable from the inside.

Sorry, didn't make 2nd point clear. We would be running HSRP on the inside interfaces too.

It should work ok...
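To make the points raised in the thread concrete (HSRP-fronted IPsec at the hub, DPD/keepalives so spokes notice a hub failover, and RRI plus a routing protocol on the inside instead of static routes), here is an added, constructed configuration sketch. It is not from the thread or from any Cisco document; all addresses, names (VPNHA, HUBMAP, SPOKEMAP, FW), networks and timers are assumptions chosen for illustration, and the hub side is shown for the active router only (the standby is identical apart from its own interface addresses and a lower HSRP priority).

```cisco
! ===== Hub 7204VXR (active) - IPsec stateless failover with HSRP =====
! IKE keepalives/DPD: a spoke whose active hub dies must detect it and
! rebuild IKE to the same virtual address, now owned by the standby.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
! One dynamic crypto map serves all 30 spokes; reverse-route injects a
! static route per protected spoke subnet on whichever hub is active.
crypto dynamic-map SPOKES 10
 set transform-set VPNSET
 reverse-route
crypto map HUBMAP 10 ipsec-isakmp dynamic SPOKES
!
! Outside: HSRP virtual address 192.0.2.1 is what every spoke peers with.
interface FastEthernet0/0
 description Outside - spokes peer with the HSRP virtual IP
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 crypto map HUBMAP redundancy VPNHA
!
! Inside: HSRP can run here too, but the RRI routes are what tell the
! campus which hub is active, so redistribute them into the IGP.
interface FastEthernet0/1
 description Inside
 ip address 10.0.0.2 255.255.255.0
 standby 2 ip 10.0.0.1
 standby 2 priority 110
 standby 2 preempt
!
router eigrp 100
 network 10.0.0.0 0.0.0.255
 redistribute static metric 1544 100 255 1 1500
 no auto-summary
!
! ===== Spoke 2620 - IOS Firewall (CBAC) plus IPsec to the hub =====
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 3
crypto isakmp key SPOKE-PSK-PLACEHOLDER address 192.0.2.1
!
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
crypto map SPOKEMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set VPNSET
 match address VPN-TRAFFIC
!
! Traffic to protect: this site's LAN to the data center.
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.1.0 0.0.0.255 10.0.0.0 0.0.255.255
!
! CBAC inspection opens return holes for sessions started from inside;
! everything else arriving on the T-1 is dropped except IKE/ESP from the hub.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
ip access-list extended OUTSIDE-IN
 permit udp host 192.0.2.1 any eq isakmp
 permit esp host 192.0.2.1 any
 deny   ip any any log
!
interface Serial0/0
 description T-1 to provider
 ip address 198.51.100.2 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map SPOKEMAP
```

The failure mode the thread is discussing works like this: when the active hub fails, HSRP moves 192.0.2.1 to the standby, but the standby has no IKE or IPsec SAs for that spoke. The spoke's DPD (`crypto isakmp keepalive` on IOS; the PIX has an equivalent `isakmp keepalive` command) times out the dead peer, tears down its SAs, and renegotiates with the same virtual address, so no spoke configuration change is needed. On the inside, RRI on the newly active hub re-creates the spoke routes and EIGRP redistributes them, which is why a dynamic routing protocol is preferred over static routes pointing at the inside HSRP address: static routes would keep forwarding to whichever box holds the inside virtual IP even if the IPsec tunnels had moved elsewhere.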
