Hi Jay & Nadeem, yes this is an option I am looking at & also simply
running IPSec over BGP. I suppose what keeps bugging me is the BGP peering
between the Hub and the spokes (branches). That is, do I create Dot1Q
interfaces with multiple IP addresses of /30 between the Hub and the spokes
OR because all devices are in the same VLAN do I simply peer based on their
interface IP addresses (which is a pool of /24)? I also intend to provide
QoS guarantees between the Hub and the spokes, so I feel individual /30
would be the best way to go. Like to know what you guys think.
Thanks heaps.
Jit
On Fri, Jul 19, 2013 at 9:31 PM, Jay McMickle <jay.mcmickle_at_yahoo.com> wrote:
> I'm not sure I understand the issue fully, but can't you create a GRE
> tunnel between each hub/spoke and run BGP over the tunnel? You can password
> protect BGP and/or run IPSEC over GRE if you are really concerned about
> Security.
>
> Regards,
> Jay McMickle- 2x CCIE #35355 (R/S,Sec)
>
> On Jul 19, 2013, at 1:40 AM, Jitendra Anbu <jitanbu_at_gmail.com> wrote:
>
> > Thanks Nadeem, I guess you're right, this method will work fine. But, I was
> > wondering if there was any Cisco best practice when it comes to this sort
> > of implementation.
> >
> > Rgds,
> > Jit
> >
> >
> > On Fri, Jul 19, 2013 at 4:20 PM, Nadeem Anjum <nadeemkool_at_yahoo.com> wrote:
> >
> >>
> >>
> >> This is already a better way. Do you require any specific feature btw this
> >> connectivity?
> >>
> >>
> >>
> >> Thanks,
> >> Nadeem Anjum
> >>
> >> ------------------------------
> >> *From:* Jitendra Anbu <jitanbu_at_gmail.com>
> >> *To:* Cisco certification <ccielab_at_groupstudy.com>
> >> *Sent:* Friday, July 19, 2013 9:54 AM
> >> *Subject:* Real world scenario
> >>
> >> Hi experts, I have a real world question & hoping someone can provide some
> >> advice/guidance. The diagram below represents network connection(s) with a
> >> service provider's Layer 2 switched network. These connections are Ethernet
> >> and all customer devices have layer 3 reachability between the Hub router
> >> and the Branch routers. Here are my questions and concerns:
> >>
> >> What is the best way to run a "secure" BGP connection(s) between the HUB
> >> and the branches B1 and B2? Assuming each branch and Hub will be in its own
> >> private AS. Also, the ISP does not take part in any routing. This might
> >> sound simple, just running p2p BGP sessions between the Hub and the
> >> branches and using IPSec to secure the data plane. But is there a better
> >> way to do this?
> >>
> >>      HUB
> >>       |
> >>    ___|___
> >>   |__ISP__|
> >>    |     |
> >>    |     |
> >>    B1    B2
> >>
> >> Thanks,
> >> J
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
Received on Sun Jul 21 2013 - 06:56:37 ART