Brainstorming for multi-site LAN (local), WAN (w/IPsec VPN), LAN (Metro Ethernet) setup

Hello,

Sorry if this is a bit broad, but just need a nudge in the right direction.

Struggling with how to utilize Metro Ethernet as an SD-WAN path for RO WAN/LAN traffic through HO, and whether it is even possible.

Also, a similar issue: how to approach using IPsec failover for local LAN traffic in the event Metro Ethernet is down.

Goals are:

  1. To provide failover for LAN and WAN traffic at remotes using IPsec to HO (currently LAN->MetroE, WAN->CableModem)
  2. To provide load balancing for LAN traffic at ROs to HO using the MetroE & IPsec paths

Current schema:

  1. Network LAN traffic is passing over Metro Ethernet to Head Office fine, with OSPF configured and working for 13 RO subnets.
  2. Local internet traffic is passing over local internet interfaces.


Remote Offices XG125/135/210 v18-EAP3.

Port 1 – LAN (local networks) 192.168.n.x/24

Port 2 – WAN (internet and testing IPsec VPN to HO) using local cable modem

Port 4 – LAN (Metro Ethernet handoff) 172.30.255.x


Head Office XG230 v18-EAP3.

Port 1 – LAN (local networks) 192.168.x.x/16

Port 2 – WAN (HO internet, and planned backup internet for ROs)

Port 3 – DMZ

Port 4 – LAN (Metro Ethernet handoff) 172.30.255.x

Port 5 – WAN (testing IPsec VPN to ROs)

Port 6 – HA

Thanks,

Paul

  • It will be much easier with EAP3 Refresh1, because the VTI (route-based VPN) is coming.

    In this concept, you can actually build an IPsec tunnel with an interface and route the traffic with SD-WAN / static routing.

    In that case, you do not have to figure out which precedence comes first. Instead, both exist and use the same "page".

    Another approach would be: use RED Site to Site.

    Same setup as VTI. You have an interface for the VPN, so you can actually SD-WAN route everything.

