VPN to 2 x DataCentres, 2 ISP running OTV therefore same internal subnets?

scatman
Level 1

Hi, I hope someone can help.

We are looking at building 2 new datacentres with Cisco Nexus 7000s in each. The DCs will have an internet presence in each DC, and ASA firewalls or 3900 routers in each doing VPNs.

External offices will need to site-to-site VPN into either DC in a failover situation. Because the DCs run OTV, both DCs will advertise the same subnets.

How do you set up a site VPN to 2 peer addresses when the same internal network is advertised at either destination?

How will the routing work if it can see two peers advertising the same subnet?

Any advice greatly appreciated.

Confused...

3 Replies

Marcin Latosiewicz
Cisco Employee

Simon,

Interesting problem. The external offices, what sort of platform are they? Are all termination points Cisco (ASAs? IOS routers? A mix?)

Granted I'm not an expert on DC technologies, but I can give you some food for thought.

With both the ASA and the 3900 you can have stateful failover, provided the units have L2 connectivity between them, with only one active unit at a time.

This will require crypto maps (in either an IOS or an ASA deployment), and only one device would terminate crypto at a time.

This has lots of benefits: simplified deployment, and the ability to terminate almost everything (Cisco or non-Cisco).

Another way to do it, if you have Cisco routers in all the other branches, is to use VTI technology.

Either DVTI-SVTI or SVTI-SVTI deployments.

Or DMVPN.

I.e. you have two separate concurrent tunnels to both DCs (I assume that's possible when OTV is running?).

The problem of the same internal subnets is fixed by the routing protocol rather than by the IPsec component.

M.

Marcin

Thank you for your reply. All external offices are Cisco 3800 or 3900 routers. Everything is Cisco.

The advantage of OTV is that both DCs utilise the same subnets, mirrored. This makes vMotion between DCs seamless, as the machine you vMotion across does not need to change IP address; the OTV layer between the DCs handles the duplicate IP address problem.

The issue is that the DC-end routers/ASAs will have different peer addresses but the same internal subnets in the match lists and advertised through OSPF. I will need to read up on DVTI-SVTI or SVTI-SVTI as I haven't come across this. DMVPN is for fully meshed? These are hub and spoke, but think of the DCs as dual hub.

Si

Simon,

I don't see a problem with having the same subnet on both ends as such - at least for IPsec.

To avoid suboptimal path problems you would need to make sure (via the routing protocol, for example) that traffic is following the more optimal path via IPsec - this can be a challenge.

DMVPN is a typical hub-to-spoke technology with spoke-to-spoke tunnels.

If you're going to Cisco Live in London by any chance, you can reach out to Fred Detienne; he's always helpful and has quite a few sessions this year.

M.
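A spoke-side configuration illustrating the SVTI-SVTI approach suggested in the first reply and the "let the routing protocol pick the path" point made in the last one. This is an added example, not part of the thread and not a Cisco reference configuration. It assumes a branch ISR 3900 running IOS 15.x with IKEv2, hypothetical DC peer addresses 198.51.100.1 (DC1) and 203.0.113.1 (DC2), a branch LAN of 192.168.10.0/24, and an OTV-stretched DC subnet 10.10.0.0/16 advertised by both hubs; the pre-shared keys are placeholders.

```cisco
! === Added example: branch spoke with two static VTIs, one per DC ===
! Assumptions: DC1 peer 198.51.100.1, DC2 peer 203.0.113.1,
! branch LAN 192.168.10.0/24, DC subnet 10.10.0.0/16 stretched by OTV.

! IKEv2: one proposal/policy, a keyring with both hubs, one profile
crypto ikev2 proposal DC-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy DC-POL
 proposal DC-PROP
crypto ikev2 keyring DC-KEYS
 peer DC1
  address 198.51.100.1
  pre-shared-key local  REPLACE-WITH-SPOKE-KEY-DC1
  pre-shared-key remote REPLACE-WITH-DC1-KEY
 peer DC2
  address 203.0.113.1
  pre-shared-key local  REPLACE-WITH-SPOKE-KEY-DC2
  pre-shared-key remote REPLACE-WITH-DC2-KEY
crypto ikev2 profile DC-IKEV2
 match identity remote address 198.51.100.1 255.255.255.255
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local DC-KEYS
! Dead peer detection so a hub outage tears the SA down promptly
crypto ikev2 dpd 10 3 on-demand

! IPsec: transform set and profile shared by both tunnels
crypto ipsec transform-set DC-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile DC-IPSEC
 set transform-set DC-TS
 set ikev2-profile DC-IKEV2

! Tunnel1 -> DC1 (preferred: lower OSPF cost)
interface Tunnel1
 description SVTI to DC1 (primary)
 ip address 10.255.1.2 255.255.255.252
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile DC-IPSEC

! Tunnel2 -> DC2 (backup: higher OSPF cost, tunnel stays up)
interface Tunnel2
 description SVTI to DC2 (secondary)
 ip address 10.255.2.2 255.255.255.252
 ip ospf cost 100
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile DC-IPSEC

! OSPF runs over both tunnels; the same 10.10.0.0/16 prefix arrives from
! both hubs and the lower-cost path (Tunnel1) is installed in the RIB
router ospf 1
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 10.255.1.0 0.0.0.3 area 0
 network 10.255.2.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
```

Because a VTI negotiates any/any proxy identities, there is no crypto-map match list in which the duplicated DC subnet has to appear, which removes the conflict the original question describes; the IPsec side of each tunnel is identical and only the peer address differs. OSPF then receives 10.10.0.0/16 from both hubs and installs the Tunnel1 next hop because of its lower cost; if DC1 fails, DPD and the OSPF dead timer remove that route and the Tunnel2 path takes over with no IKE renegotiation. The caveat from the last reply still applies: since the subnet is stretched, a VM that has vMotioned to DC2 is still reached through DC1 and then across OTV, so the path is stable but not always optimal. Useful checks are `show crypto ikev2 sa`, `show ip ospf neighbor`, and `show ip route 10.10.0.0`. Each hub mirrors this with one SVTI per spoke or a single DVTI terminating all spokes.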