Hi everyone, I hope you're all well. This is not so much a question, but I'd be interested to know your thoughts on best practice for a request I've been asked to work on.
Attached is a very crude network diagram (apologies!).
We have two DC's - DCR and DCS. We have a customer called Mobile City. Currently there's an IPSec VPN tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City. A lot of O365 traffic passes through this tunnel so it's rather risky not having any resilience. Hence, my request.
I've been asked to add a second tunnel between Checkpoint 5800 DCR and Cisco ASA Mobile City, then also two brand new tunnels between Checkpoint DCS and Mobile City. It's a fairly straightforward request but I just wanted to ask whether there are any best practices when it comes to this type of request.
This is the configuration I've been provided with by Mobile City:
- Mobile City public peer IP - 202.154.29.17
- DCR/DCS public peer IP - 149.133.213.4
- Mobile City LAN subnet – 172.28.5.0/24
- DCR/DCS LAN subnets
- - 10.101.0.0/16
- 10.102.0.0/15
- 10.104.0.0/16
- 10.128.0.0/16
- 10.129.0.0/16
- 10.130.0.0/16
- 10.131.0.0/16
- 10.132.0.0/14
- 10.20.0.0/16
- 10.20.30.0/24
- 10.32.0.0/13
- 10.41.0.0/16
- 10.42.0.0/16
- 10.43.0.0/16
- 10.86.0.0/15
- 10.88.0.0/16
- 10.97.0.0/16
- 10.98.0.0/16
- 172.21.0.0/16
- Crypto settings to be confirmed but IKEV2 will be used along with AES-256, DH 14 and SHA-256
I'm confident I can get the tunnels up, but just wanted clarity on any further configuration on the LAN side, i.e routing.
What would be the best way of routing the interesting traffic, considering Mobile City has a single /24 network whereas there are a number of larger DC subnets?
Also, would it be wise to enable ISP redundancy for this type of solution.
Hope you can help 🙂
Many thanks in advance.
B
