Hi Rupert-
You said:

"I'm going to put 1801w routers in each store, as they're perfectly tailored to the needs of a small-ish Retail location, and run DMVPN to handle the spoke to spoke VoIP traffic.. What I'm still trying to decide on is what to put at the head-office hub end. I need something to concentrate the VPN tunnels, and to terminate an SDSL line and so am thinking either an ASA 5510 with a 1803 router, or just a 2800 series router. At present we've got something to terminate "road-warrior" clients and so that isn't a consideration."

If you're going to use DMVPN for spoke-to-spoke traffic, you'll need a router to run as a hub for the DMVPN, as ASA doesn't presently support DMVPN.

How much spoke-to-spoke traffic will your network carry, as compared to spoke-to-hub? Also, how much aggregate crypto traffic will the hub see?

Regards,
Brian

Brian Stiff
720.562.6462
IOS Firewall Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw

From: "Rupert Finnigan" <[EMAIL PROTECTED]>

I'm going to put 1801w routers in each store, as they're perfectly tailored to the needs of a small-ish Retail location, and run DMVPN to handle the spoke to spoke VoIP traffic.. What I'm still trying to decide on is what to put at the head-office hub end. I need something to concentrate the VPN tunnels, and to terminate an SDSL line and so am thinking either an ASA 5510 with a 1803 router, or just a 2800 series router. At present we've got something to terminate "road-warrior" clients and so that isn't a consideration.

Just interested in various options/comments or any pointers anyone can offer..
Thanks Muchly,
Rupes

------------------------------

Message: 10
Date: Fri, 21 Mar 2008 11:41:47 -0700
From: Colin McNamara <[EMAIL PROTECTED]>
Subject: Re: [c-nsp] L3 to access layer
To: James Slepicka <[EMAIL PROTECTED]>
Cc: cisco-nsp <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

If you want to do teaming across chassis in a L3 to the edge design, you have to do something like VSS which makes it kinda "fuzzy".

Two L3 to the edge designs that I have seen lots of success around are setting up MPLS VPNs inside the enterprise datacenter, and then popping out to FWSM contexts (or a full throttle ASA now) between VPNs. This solves a multitude of problems, especially mergers and acquisitions, and segregated business units. You can also do this on a small scale by using vrf-lite, though you really need to script the heck out of your configs, and if you get too many VRFs running you can run into scaling issues.

The other main gotcha with L3 to the edge is VMware. ESX clusters need layer 2 adjacency to dynamically move virtual machines between ESX servers. Ideally you want these devices in different areas of your DC or Metro area for redundancy, but having L3 to the edge really throws a wrench in that.

One solution I have been toying with is using VPLS to establish a tag switched "vlan" spanning the L3 chassis that ESX exists on. This allows you to have the L2 adjacency, while removing STP from your core (VPLS contains full paths through your label switch routers). And it also allows you to cleanly fit into a metro failover design, while keeping your WAN label switched.
--
Colin McNamara
(858)208-8105
CCIE #18233,RHCE,GCIH
http://www.colinmcnamara.com
http://www.linkedin.com/in/colinmcnamara

"The difficult we do immediately, the impossible just takes a little longer"

James Slepicka wrote:
> Maybe only a consideration in the data center, but you can't do NIC
> teaming across multiple switches for fault tolerance.
>
>
> Mike Johnson wrote:
>
>> Is anyone doing layer 3 to the access layer? Problems? Cost?
>>
>> I know it would be cheaper to go layer 2 to the access but I am looking for
>> problems/issues technically that make it less attractive?
>>
>>
>> thanx in advance,
>>
>> harbor235
>> _______________________________________________
>> cisco-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

End of cisco-nsp Digest, Vol 64, Issue 84
*****************************************
