12-14-2015 10:41 AM - edited 03-05-2019 02:56 AM
Hello, we have a 3850 at each of our remote sites and I would like to configure ISP failover (IP SLA?).
The 3850 Primary ISP is connected through an MPLS metro LAN service back to HQ.
The Secondary ISP is going to be connected through a Cellular LTE bridge (public IP).
Our HQ perimeter firewall is CheckPoint.
I would like to do something like this, but the 3850 does not seem to support IPsec. http://www.cisco.com/c/en/us/support/docs/security/ios-easy-vpn/23784-ipsec-checkpt.html
I would be OK with adding an ASA at HQ but would rather not add equipment at the remote sites.
What are my options? GRE seems unsupported also on the 3850.
Thank you
01-26-2016 06:39 AM
According to the 3.7.3 release notes GRE tunnels are now supported on 3850s.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3850/software/release/3e/release_notes/rn-3dot7e-3850.html
Under "Resolved Caveats" -
12-14-2015 12:18 PM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
You might ask your ISPs whether they can also provide a VPN link across their public infrastructure. If so, you wouldn't need to build your own VPN tunnel. (My guess would be your MPLS Metro LAN ISP might be able to provide it; not so sure about Cellular LTE.)
If they cannot, then you would need a device that can host a VPN tunnel.
12-15-2015 09:53 AM
I'm trying to stay away from using the same ISP for resiliency, so I guess my only solution is to drop a tunneling device at every remote office. grrrrrrr
The 3850 seemed like a good MPLS small campus L2/L3 device, but the lack of IPsec, GRE or tunneling capabilities makes for an expensive L3 switch. I'd rather have tunneling capabilities than Wi-Fi.