VPN and Point to Point connection

Tazio4436
Level 1

Hi,

I have 2 locations which are connected through VPN.

One is the office with 2 internet lines from 2 different ISPs and the second one is the data center with one internet connection.

At both locations the ISP goes to the firewalls and then to the core switch for distribution.

The 2 ISPs at the office are aggregated at the firewall level, and if one fails the other takes over automatically.

For client VPN at the office we are using a virtual IP which is mapped to a name, so that if one ISP fails the end user will not have to do anything and VPN still continues to work, as they are pointed to the name and not to the IP address.

Now the first question is that I want to have a dedicated point to point connection from the office to the data center, and I want to know, when the ISP hands over the connection to me on both ends, where should I plug the cable? Is it in the firewall or in the core switch?

The second question is, let's say both ISPs fail at the office, will I be able to route traffic automatically over the point to point connection? That is, I want to know if the point to point connection can be a backup for the site to site VPN.

Please see a brief topology attached.

Thanks

Tazio

4 Replies

Hello,

For question 2 since it's easier: if BOTH ISPs fail and you have no other path out to the internet then the point to point link does you no good unless it's plugging into a 3rd ISP or outside connection. The VPNs are usually the OVERLAY, which means it sits over the physical links of the ISPs. (Hopefully that made sense, it was clearer in my head.)

For question one I think what you are saying is the 2 ISP links function as 1? If that's the case you might be able to build a tunnel (VPN: GRE or DMVPN) from the core to the data center as long as you have IP reachability.

-Please mark any answer helpful as such and have a great day

-David

Hello,

I am still not sure how this will work. I asked several other people and they told me that the point to point connection should be from firewall to firewall. Then I am thinking that the ports on both firewalls connecting to each other should be layer 2, as the point to point connection is layer 2.

Now I have also been told that there need to be some configurations on the core on both sides so that if the point to point link fails then the site to site VPN will kick in automatically.

Thanks

Tazio

If the connection is L2 then you can use L3 ports on the firewall, i.e. a common subnet on both sides.

If you run the new connection between the firewalls then nothing should need to be done on the core switches, as the default route on both core switches points to the firewalls anyway, so the configuration would be done on the firewalls, assuming they can do it.

If the new connection was between the core switches then yes, it would be on the core switches, but you would have to trust the office, and the fact you are going through firewalls at the moment suggests you still want to firewall.

Jon
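As an added illustration of the layout Jon describes (this is not configuration from the thread or from any device in it), here is a generic IOS-style fragment for the office firewall: an L3 port in a shared /30 on the L2 circuit, the site-to-site VPN as a floating static backup route, and the core switches left untouched because their default route already points at the firewall. All addresses, interface names, the `Tunnel0` VTI and the `DC-VPN` IPsec profile are constructed assumptions; the real syntax depends on the firewall platform, which the thread does not name.

```text
! Hypothetical office firewall, generic IOS-style syntax (constructed example, not from the thread)
! Office LAN: 10.10.0.0/16    Data center LAN: 10.20.0.0/16    (constructed ranges)
!
! The P2P circuit is handed off as L2, so each firewall gets an L3 port in one common /30
interface GigabitEthernet0/2
 description P2P circuit to data center firewall (constructed interface name)
 ip address 172.16.0.1 255.255.255.252
 no shutdown
!
! Route-based site-to-site VPN over the ISP links (assumed VTI; profile DC-VPN defined elsewhere)
interface Tunnel0
 description Site-to-site VPN to data center over the ISPs
 ip address 172.16.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DC-VPN
!
! An L2 circuit can stay "up" while the far end is unreachable, so track reachability of the
! peer's /30 address instead of relying on interface state alone
ip sla 1
 icmp-echo 172.16.0.2 source-interface GigabitEthernet0/2
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary path: data center via the P2P circuit, installed only while the tracked ping succeeds
ip route 10.20.0.0 255.255.0.0 172.16.0.2 track 1
!
! Backup path: same destination via the VPN tunnel, administrative distance 200 so it is a
! floating static route that only enters the routing table when the primary is withdrawn
ip route 10.20.0.0 255.255.0.0 Tunnel0 200
!
! Core switches are unchanged: their default route still points at this firewall, so they
! follow whichever path the firewall currently has installed
```

The data center firewall mirrors this with `172.16.0.2/30` on its circuit port, a tracked route to `10.10.0.0/16` via `172.16.0.1`, and the same floating static via its tunnel. After cabling, `show ip route 10.20.0.0` and `show track 1` confirm which path is active, and pulling the circuit should move the route to `Tunnel0` within a few SLA intervals. Terminating the circuit on the firewalls rather than the cores, as Jon advises, also keeps inter-site traffic subject to the same firewall policy as it is today.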

Thank you very, very much for all your help.

Thanks

Tazio
