Hi,
Working in a building shared with two separate departments. Both of them are sharing the same network segment 10.30.0.0/16 (using the DHCP server of Department1).
Till now we have one internet access (without any backup line), and both connect to the same remote network (10.0.0.0/16) through the same site-to-site IPsec tunnel.
We are thinking to deploy a new backup line (fiber) and use it as primary access for Dep1, and the existing copper access line for Dep2. Those two lines are managed by the same ISP (including their access routers), so we cannot manage any real multihoming solution (with BGP and HSRP or VRRP). Besides that, we need those two lines to act as temporary backup for each other (meaning if fiber is down, Dep1 can reach the remote site through the copper line of Dep2, and vice versa).
The issues I see here are:
- First, I guess I'll not be able to terminate 2 site-to-site IPsec tunnels to the same remote network (the PIX does not allow it).
- Second, since we can't manage the peripheral routers, I only have the possibility to configure static routes (with different metrics) to be able to split traffic originating from each department to the appropriate access line to reach the remote peer (again, this is the same for both); as far as I know, static routes would only detect if the outside interface is down or not, but not if the tunnel is up or down.
- We can't deploy any routing protocols like OSPF in this case (I can do it on our PIX 515E 7.1, but the other peer are not Cisco guys, they still have version 6.9, and besides that they are totally against dynamic routing).
- I cannot even deploy a kind of GRE tunnel (GRE over IPsec) to incorporate the "tunnelX" interface (like the case of routers) on a PIX, since the PIXes do not allow termination of GRE tunnels.
This was actually not my idea to implement it in this way, but I have to deal with the request of the headquarters.
Do you see any possible alternative to deal with this kind of problem?
I would be very thankful if you could suggest anything.
Thanks guys