Higham, Josh wrote:
> I have a couple of internal groups that need some level of private
> connectivity within our network, and I'm looking for some high-level
> input about the various options.
>
> We currently have an MPLS network between most sites, with IPsec
> connectivity for a few minor sites as well as backup for all locations.
> The number of sites is small and will stay in that range (10-20).
>
> We need to be able to connect networks internally but maintain
> security. One example is guest networks, which must be able to traverse
> the internal network to have Internet redundancy, as well as hit DMZ
> servers at all locations. We also have some internal non-network labs
> that need to be connected across sites without impacting the production
> network.
Sounds like multiple VRFs. Deploy multiple VRFs at each site and have them follow the default back to devices which can groom the VRFs out and route between them (perhaps applying ACLs or firewall policy). You can distribute these devices so as to improve performance (follow the least-cost IGP path to the next hop for egress from the VRF) and give yourself a bit of redundancy.

> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
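The design sketched in the reply, as an added IOS configuration example that is not part of the original thread: a GUEST and a LAB VRF at a branch site, each with only a default route pointing back toward a hub that "grooms" the VRFs out, and on the hub an ACL on the GUEST leg so guest traffic can reach the DMZ and the Internet but never production address space. VRF names, RD values, VLAN IDs, interface names and all addresses are assumptions; 192.0.2.0/24 stands in for the DMZ. The `vrf definition` / `vrf forwarding` syntax is the newer IOS form (older images use `ip vrf` and `ip vrf forwarding`). How each VRF is carried across the WAN (a separate carrier MPLS VPN, or a GRE/IPsec tunnel per VRF over the existing links) is outside this fragment.

```cisco
! ===== Branch site router (assumed names and addresses) =====
vrf definition GUEST
 rd 65000:10
 address-family ipv4
 exit-address-family
!
vrf definition LAB
 rd 65000:20
 address-family ipv4
 exit-address-family
!
! Guest Wi-Fi lives in VRF GUEST; nothing here is reachable from the
! global table, which is where production routing stays.
interface GigabitEthernet0/1.10
 description Guest Wi-Fi
 encapsulation dot1Q 10
 vrf forwarding GUEST
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 description Non-network lab
 encapsulation dot1Q 20
 vrf forwarding LAB
 ip address 10.20.1.1 255.255.255.0
!
! Each VRF only knows a default toward its hub-side leg. The next hops
! (assumed) must be reachable inside that VRF across the WAN.
ip route vrf GUEST 0.0.0.0 0.0.0.0 10.10.255.1
ip route vrf LAB   0.0.0.0 0.0.0.0 10.20.255.1

! ===== Hub / "grooming" device (assumed) =====
! Guest traffic arrives on an interface in VRF GUEST. The ACL lets it
! reach the DMZ (192.0.2.0/24, assumed) and anything public, and drops
! everything aimed at private (RFC 1918) space, i.e. production.
ip access-list extended GUEST-IN
 permit ip 10.10.0.0 0.0.255.255 192.0.2.0 0.0.0.255
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.10.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   ip 10.10.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
interface GigabitEthernet0/2
 description GUEST VRF leg from branch sites
 vrf forwarding GUEST
 ip address 10.10.255.1 255.255.255.0
 ip access-group GUEST-IN in
!
! The LAB leg would get its own interface and policy the same way; the
! global (production) table is only reached through whatever firewall
! sits behind these legs, never by a route leaked directly into a VRF.
```

Two checks worth making once this is in place: `show ip route vrf GUEST` on a branch should contain the local subnet and the default and nothing from production, and a traceroute from a guest host toward a production address should die at the hub ACL rather than get a reply from a production device. The ACL on the hub is the security boundary here; the VRFs only keep the forwarding tables apart, so if the hub also leaks routes between VRFs for the DMZ, that leaked set needs the same scrutiny as the ACL.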