Multi path VPN and Cisco

Hello Groupies.

I have been lurking for a while, but it is my first post. So hello to all!

I am in the design/initial reconnaissance phase of a solution that would make me sleep well at night. :) Basically, we have a few branches that I need to have redundant and reliable connectivity to. At first, I thought about using PIX (ASA) and FatPipe - which I assume would work well, but it is PRICEY. So I did some more research and I think (I THINK! I THINK!) I can do that some other way. The branches are all connected with T1s and DSL/cable and the HQ is on multiple T-1s, but with no BGP. I was thinking about doing it this way:

(BRANCH) | LAN | ---- | ASA | ---- | FatPipe | ---- ---- | FatPipe | ---- | ASA | ---- | LAN | (HQ)

I would like to get rid of the FatPipes - they are the most expensive piece of equipment in that diagram - and would beef up the ASAs if possible. Am I thinking right? What would be my other options? I am also looking into A/A (active/active) and A/S (active/standby) redundancy... I just need some food for thought...

responder

The FatPipes provide a number of functions which are not available on the ASA/PIX (such as WAN optimization, link aggregation and load balancing). I suspect you are not using the capabilities already built into the Fatpipes you have (or you have run into some bugs which prevent them from working as advertised).

You can do redundant VPNs using ASA/PIX, but it takes more effort because the ASA/PIX is a firewall, not a router, and a very conservative firewall at that. (Note this is an observation, not a value judgment. The primary goal of a firewall is to block undesired traffic, the less bells and whistles added, the easier it is to ensure that the firewall is doing its primary job and the less risk that a mistake will open undesired holes.)

FWIW, your diagram is a continuous string of single points of failure from branch to HQ. You need to include all available paths before rational comments can be made (e.g., the multiple T1s at HQ: MLPPP to a single ISP router, or one link to each of several ISPs, each with its own set of public IP addresses, or something in between... it makes a difference...)

Good luck and have fun!

Vincent C Jones
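For readers wondering what "redundant VPNs using ASA/PIX, but it takes more effort" looks like in practice, here is an added example of the HQ-side configuration; it is not from either poster and not from Cisco's documentation. It assumes an ASA with two uplinks (interfaces named outside and outside2, one per ISP), a branch that has two WAN addresses of its own (T1 and DSL), documentation-range IP addresses chosen for the example, ACL/map names that are invented, and ASA 7.x/8.0-era syntax (the "crypto isakmp" keywords changed in 8.4). The two mechanisms doing the work are an SLA-tracked default route, so the ASA moves its outbound path when ISP1 dies, and a crypto map entry listing both branch addresses as peers, so IKE falls back to the second address when the first stops answering.

```cisco
! HQ ASA: one site-to-site tunnel to a branch, reachable over either HQ uplink.
! All addresses are documentation ranges chosen for this example; the interface
! names (outside/outside2/inside), ACL and map names are assumptions.
! Syntax is ASA 7.x/8.0-era (pre-8.4 "crypto isakmp" keywords).

! --- Detect loss of the primary ISP and move the default route ---
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Tracked default route via ISP1; floating static via ISP2 takes over on failure
route outside  0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! --- IKE phase 1 / IPsec phase 2 proposals ---
crypto isakmp enable outside
crypto isakmp enable outside2
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac

! --- Interesting traffic: HQ LAN <-> branch LAN, and exempt it from NAT ---
access-list branch1_vpn extended permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
nat (inside) 0 access-list branch1_vpn

! --- The branch has two WAN addresses (T1 and DSL); list both as peers ---
crypto map hq_map 10 match address branch1_vpn
crypto map hq_map 10 set peer 192.0.2.1 192.0.2.129
crypto map hq_map 10 set transform-set ESP-AES256-SHA
! Bind the same map to both uplinks so the tunnel can terminate on either
crypto map hq_map interface outside
crypto map hq_map interface outside2

! --- One tunnel-group per branch peer address, with DPD so a dead path is noticed ---
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <long-random-secret>
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.0.2.129 type ipsec-l2l
tunnel-group 192.0.2.129 ipsec-attributes
 pre-shared-key <long-random-secret>
 isakmp keepalive threshold 10 retry 2
```

The branch ASA mirrors this with its own tracked routes and "set peer 203.0.113.2 198.51.100.2" (HQ's two public addresses, again assumed), and it is the branch that should initiate traffic, because the side that initiates is the side that walks the peer list. Check state with "show track 1" and "show crypto isakmp sa" after pulling a cable. Two caveats: failover time is bounded by the SLA frequency plus the DPD threshold/retry timers, so expect tens of seconds of outage rather than sub-second; and this is active/standby at the routing level only, not the link aggregation or per-flow load balancing the FatPipes do, which is exactly the gap the reply above points out.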

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.