Re: BVI and IPSEC bug

From: Wu Jiang (wujiang@xxxxxxxxx)
Date: Wed Jan 10 2001 - 23:30:56 GMT-3


   
So here is my design, which I believe to have full redundancy and fast rollover:
1. Split E0 and E1 of the VPN router into two subnets (VLANs);
2. Trunk the two subnets between ISP Router-1 and switch, switch and switch, switch and ISP Router-2;
3. Configure HSRP for both subnets (precedence, track, etc.);
4. Source the IPSec tunnel on a loopback (or E2);
5. Advertise the IPSec source route to the ISP routers by EIGRP or OSPF over the two subnets (adjust metric for backup);
6. Use equal-cost static routes for load balancing in the VPN router, or unequal administrative distances for backup.

I think there must be a way if your routers do not support trunking, though I have not been able to think of one so far...

Wu

----- Original Message -----
From: "Sam Munzani" <sam@munzani.com>
To: "Wu Jiang" <wujiang@bj163.com>
Cc: <ccielab@groupstudy.com>
Sent: Tuesday, January 09, 2001 11:21 PM
Subject: Re: BVI and IPSEC bug

> I don't have the luxury to try it again since it's live in a customer environment.
> I might have spanning tree issues blocking the second switch port, etc. I will try
> again next month during the maintenance period.
>
> Thanks,
> Sam
>
>
> > Sam,
> > Just configured IPSec over BVI. It worked fine.
> > Are your two ISP routers' interfaces in the same subnet? It seems that the
> > two switches are connected by a link. Did spanning tree block one of your
> > interfaces? I am not sure if you need to place the crypto map on the physical
> > interfaces too. With only one bridged interface in my testing, it seems to
> > make no difference.
> >
> > Wu
> >
> > ----- Original Message -----
> > From: "Sam Munzani" <sam@munzani.com>
> > To: <erickbe@yahoo.com>; <ccielab@groupstudy.com>
> > Sent: Tuesday, January 09, 2001 4:27 AM
> > Subject: Re: BVI and IPSEC bug
> >
> >
> > > I already verified that. That's not the problem.
> > >
> > > Sam
> > >
> > >
> > > > Have you tried 'no ip route-cache' on the BVI
> > > > interface? I ran into a similar problem where
> > > > fast-switching on the BVI was broken in 12.1(4) and
> > > > recent T releases. The first packet went through, then
> > > > everything after it, which was cached, didn't go. Cisco TAC
> > > > couldn't dupe the problem and was puzzled.
> > > >
> > > > Anyone know a source for cheap flash for an 800 router?
> > > > I need to upgrade my home router so I can practice
> > > > IPSec. MemoryX wants $200-ish for an 8 meg Kingston
> > > > flash.
> > > >
> > > > --- Sam Munzani <sam@munzani.com> wrote:
> > > > > Hi Group,
> > > > >
> > > > > I just came across a bug that is worth sharing with
> > > > > you fine people out there.
> > > > >
> > > > > If you apply a crypto map to a BVI interface, your
> > > > > IPSEC VPN doesn't work. The first packet will go
> > > > > through and then it will die.
> > > > >
> > > > > You would love to use BVI in a redundant ISP Router
> > > > > environment like below.
> > > > >
> > > > > ISP Router-1            ISP Router-2
> > > > >      |                       |
> > > > >     S/W ------------------- S/W
> > > > >      |                 /
> > > > >      |              /
> > > > >      |           /
> > > > >      |        /
> > > > >     VPN Router
> > > > >      |
> > > > >
> > > > > E0 and E1 of the VPN router are connected to those 2
> > > > > switches and create a BVI. E2 connects to the inside
> > > > > of the network.
> > > > >
> > > > > This will not work.
> > > > >
> > > > > Regards,
> > > > >
> > > > > Sam
> > > > >
> > > > >
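Wu's six-step design, worked into a sample IOS configuration. This is an added example, not configuration posted in the thread: hostnames, addresses, VLAN numbers, the EIGRP AS number, the peer address and pre-shared key, and the tracked serial interface are all assumed, and ISP Router-1 is shown only as far as the trunked subinterfaces, HSRP and the EIGRP adjacency go (ISP Router-2 is the mirror image with the HSRP priorities swapped).

```cisco
! VPN router. Addresses, names and numbers are assumed for illustration.
hostname VPN-Router
!
! Step 4: source the tunnel on a loopback so the SAs survive loss of E0 or E1
interface Loopback0
 description IPsec tunnel source
 ip address 192.0.2.10 255.255.255.255
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! Bind the map to Loopback0; applying the same map to both E0 and E1 then gives
! one set of SAs usable through whichever outside path is currently forwarding.
crypto map VPNMAP local-address Loopback0
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-3DES-SHA
 match address VPN-TRAFFIC
!
! Step 1: E0 and E1 in separate subnets (VLAN 10 and VLAN 20); no BVI involved
interface Ethernet0
 description subnet A (VLAN 10) toward switch 1
 ip address 10.1.1.3 255.255.255.0
 crypto map VPNMAP
!
interface Ethernet1
 description subnet B (VLAN 20) toward switch 2
 ip address 10.1.2.3 255.255.255.0
 crypto map VPNMAP
!
interface Ethernet2
 description inside network
 ip address 10.10.0.1 255.255.255.0
!
! Step 5: advertise the loopback to both ISP routers; the offset-list makes the
! path via E1 look worse so return traffic normally arrives on E0.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
 network 192.0.2.10 0.0.0.0
 offset-list 0 out 10000 Ethernet1
 no auto-summary
!
! Step 6: equal-cost defaults to the two HSRP virtual addresses for load sharing...
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.1.2.1
! ...or, for strict primary/backup, replace the second with a floating static:
! ip route 0.0.0.0 0.0.0.0 10.1.2.1 250
!
ip access-list extended VPN-TRAFFIC
 permit ip 10.10.0.0 0.0.0.255 172.16.0.0 0.0.255.255
!
!
! ISP Router-1. Steps 2 and 3: both VLANs trunked to it (dot1Q subinterfaces)
! with HSRP on each. ISP Router-2 uses the same config with priorities 90/110
! so that each subnet has a different active gateway and both trunks carry load.
hostname ISP-Router-1
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.1.11 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 track Serial0/0 20
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.1.2.11 255.255.255.0
 standby 2 ip 10.1.2.1
 standby 2 priority 90
 standby 2 preempt
 standby 2 track Serial0/0 20
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.1.2.0 0.0.0.255
 no auto-summary
```

Because the crypto map sits on the two physical Ethernet interfaces rather than on a BVI, the design sidesteps the BVI behaviour Sam reported. After bringing it up, pull one trunk at a time and confirm on each ISP router that 192.0.2.10 is still in the routing table (show ip route 192.0.2.10) and on the VPN router that the ISAKMP and IPsec SAs stay up (show crypto isakmp sa, show crypto ipsec sa) instead of renegotiating, which is the whole point of sourcing the tunnel from the loopback.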



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:27 GMT-3