Location of device used for VPN configs in topology?

CiscoPurpleBelt
Level 6

Let's say you have a router that is connected to a switch which has the connection to a transport provider device that is used as the path to VPN peer devices you want to build tunnels with.

Other Transport Router<<<<<<<<<<ROUTER >>>>>>>>Switch>>>>>>>>>>>TRANSPORT Router towards VPN Peers

Would it be ok to build the configurations for IPSEC, DMVPN, etc on the ROUTER although the tunnel connection will still traverse through the switch (which could still be doing lots of routing with SVIs for servers connected to it, etc.)?

I am used to terminating tunnel configs on an actual device at the edge where egress connections go. Looking for some guidance.


5 Replies

Cristian Matei
VIP Alumni

Hi,

The VPN gateway device is selected purely based on your security design. In the end, the transport network will forward your IPsec packets back and forth between the VPN gateways, regardless of their nature (layer 2/layer 3) and type (router, switch, etc.).

Regards,

Cristian Matei.

Yes, thanks, but the IPsec traffic still has to traverse a switch, let's say acting as a core with servers on it, before reaching a router behind it to be decrypted. Basically it really does not matter, correct?

There are things that we do not know about your situation and some of them might affect our answer. For example, is there any device doing address translation along the path from your router to the VPN peers? Or does any device (like your switch) implement any filtering of traffic that would go from your router to the VPN peers? But in general it is correct that the device doing VPN can be anywhere in the network and not necessarily at the edge.

I have worked with several customers who have routers doing vpn where the router is inside their network and not at the edge. And it works fine. You are correct that the most common implementation is vpn on a router at the edge of the network. And in some respects it might make it a bit easier to set up the vpn. But as long as your vpn router has IP connectivity to the peer devices and as long as no device along the path is going to try to change or filter that vpn traffic then your vpn router can be anywhere in your network that you want.

HTH

Rick
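The conditions Rick lists (IP connectivity to the peer, no address translation, no filtering of the tunnel traffic along the path) come down to a small amount of configuration on each device in the topology from the question. The following is an added example and not configuration posted by anyone in this thread: a Cisco IOS router on the inside of the network terminating a GRE/IPsec tunnel sourced from a loopback, plus the static routes and ACL entries the core switch needs so that it simply carries the tunnel packets through. All hostnames, interface names, addresses (RFC 5737 documentation ranges) and the pre-shared key placeholder are assumptions.

```cisco
! === Interior router (assumed hostname VPN-RTR) ===
! The tunnel source is a loopback whose address the transport routes to the
! peer untranslated; the physical path to the peer runs through the core switch.
interface Loopback0
 description IPsec tunnel source (must be reachable from the peer without NAT)
 ip address 192.0.2.1 255.255.255.255
!
interface GigabitEthernet0/0
 description Uplink to core switch
 ip address 10.1.1.2 255.255.255.252
!
! The peer's address is reached via the core switch, not via a local edge link
ip route 203.0.113.10 255.255.255.255 10.1.1.1
!
! IKEv1 shown for brevity; the same placement rules apply to IKEv2 (crypto ikev2 ...)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PSK-PLACEHOLDER-REPLACE-ME address 203.0.113.10
!
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES256-SHA256
!
interface Tunnel0
 description GRE over IPsec to remote VPN peer; rides across the core switch
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-PROF
!
! === Core switch (assumed hostname CORE-SW) ===
! The switch only needs plain IP reachability in both directions ...
ip route 192.0.2.1 255.255.255.255 10.1.1.2
ip route 203.0.113.0 255.255.255.0 10.1.2.1
!
! ... and, only if it already filters on the transport-facing SVI, it must let
! IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) through untouched.
ip access-list extended FROM-TRANSPORT
 permit udp host 203.0.113.10 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.10 host 192.0.2.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 192.0.2.1
! existing entries for server and other traffic continue here
!
interface Vlan100
 description Routed SVI toward the transport router
 ip address 10.1.2.2 255.255.255.252
 ip access-group FROM-TRANSPORT in
```

On the router, `show crypto isakmp sa` and `show crypto ipsec sa` confirm that phase 1 and phase 2 come up and that encrypt/decrypt counters increase; on the switch, `show ip access-lists FROM-TRANSPORT` shows hit counts on the IKE and ESP entries, which is the quickest way to prove that the switch is forwarding rather than dropping the tunnel traffic. If the counters on the switch stay at zero while the router shows IKE retransmits, something on the path is filtering or translating, which is exactly the caveat raised in the reply above.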

Awesome!

No device in the path would be doing NAT. Basically, terminating the VPN on the router would make it easier as no other major configurations would have to change if I just left the devices in place as they are.

Yes, if we were to get a new device to be used strictly for VPN peers and/or a VPN hub, perhaps using DMVPN, I would install it on the edge if it made the setup easier.

It certainly sounds like implementing the vpn on the router will be simpler for this environment. For deployment of a new device you should consider alternatives. I am not sure that it makes much difference in the setup of the device itself whether it is at the edge of the network or on the interior of the network but considerations of address translation and/or traffic filtering might make it simpler at the network edge.

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information.

HTH

Rick