Hello list,

As an MSP, we manage all of our clients over VPN tunnels. Most of our clients are using the new virtual tunnel interfaces (VTIs), which Spectrum correctly discovers as a connection between two interfaces. However, some customers still use legacy cryptomaps, which leave no virtual interfaces to connect. The problem with this is that we need to connect the "outside" interface on every remote customer firewall with the "outside" interface on each of the two VPN terminators here. Spectrum will not allow me to connect more than one interface to another. However, I'm not sure the best way to represent these connections.

I considered creating a fanout for each customer that would connect the customer firewall to the two firewall hosts, something like this:

    custa-fw_outside -> fanout
    terminator-a_outside -> fanout
    terminator-b_outside -> fanout

This works great for one customer, but I cannot connect any more customer fanouts to the terminators' outside interfaces. I can't create another fanout on our side either, since Spectrum should not connect two fanouts together.

I could create one fanout that represents "the Internet" and connect everything to it like so:

    terminator-a_outside -> Internet
    terminator-b_outside -> Internet
    custa-fw_outside -> Internet
    custb-fw_outside -> Internet
    custc-fw_outside -> Internet
    ...

However, I'm concerned what this would do to root cause, since it would look to Spectrum like one customer could reach another through the "Internet fanout", which of course isn't true. There are also a couple of customers that have two firewalls hosting tunnels, but one cannot talk to the other through us either.

Is there a best practice, or at least some guidance, for this unusual situation?

Thank you,
Jim

--
JIM PFLEGER | Application Architect | Insight Networking | insight.com
