Heather_Lewis
Participant

VPN redundancy (site-to-site)

For an environment with two geographically diverse hub sites with in excess of 50 internal VPNs, do you prefer MEP or VTI with dynamic routing?

6 Replies
PhoneBoy
Admin

VTI will likely be required if any of the VPN endpoints aren't Check Point devices. 
Otherwise, it's likely a horses for courses argument as to which one is better. 

Heather_Lewis
Participant

Thanks. Have you seen a VTI deployment at hub sites for more than 50 branches? All are internally managed Check Point. Multi-point VTI is not supported, is that right?

Duane_Toler
Advisor

Correct, no multipoint.  However, you can do unnumbered VTIs with BGP routing.

 

Topology:

# eth0 = external, internet
# eth1 = internal, interior network
# remote peer's eth1 interior interface is 192.168.100.1
# this local gateway's eth1 interior interface is 192.168.200.1

1. Create an unnumbered VTI:

add vpn tunnel 100 type unnumbered peer remote_peer dev eth1  # eth1 of local gateway for proxy interface
# (repeat for other peers; Ansible and/or Gaia API run-script can be your friend)

2. Add static route to remote BGP peer across VTI

set static-route 192.168.100.1/32 nexthop gateway logical vpt100 on  # VTIs are point-to-point after all

3. Configure eBGP with multihop

# assumes the local AS number is already set ("set as <local ASN>")
set bgp external remote-as 65001 on
set bgp external remote-as 65001 peer 192.168.100.1 on
set bgp external remote-as 65001 peer 192.168.100.1 multihop on  # multihop for eBGP since VTI route is a second hop to the interior

4. Verify

show bgp peers
# 192.168.100.1 will become Established

You can add BFD as well with "set bgp external remote-as 65001 peer 192.168.100.1 ip-reachability-detection on"

I've done this a few times myself.  This is also documented in sk138192.  The SK is good, but it requires very careful reading. 🙂 It's a lot of (really good) info!

 

Greg_Harewood
Contributor

What's multipoint vti?

Greg_Harewood
Contributor

I have an opinion on this in concept.  VTIs can become surprisingly hard to manage.  They always ought to be more functional.  But CP make MEP communities so EASY that you'd better have something you expect to gain from VTIs to offset the pain.  There is a lot you CAN gain.... all that routing integration with other links, other vendors, local networks... more future proof in some ways.  But SO much extra work if you don't need it.

Duane_Toler
Advisor

As you noted, this is for route advertisements between sites, (including support with 3rd party devices now that everyone does VTI and IKEv2 with Universal Traffic Selectors).  You can use unnumbered VTIs and proxy off an internal interface (or loopback) and avoid subnet allocation management. You could also use the 169.254.1.0/24 subnet if you needed a numbered VTI (this is what Amazon AWS uses).

 

As for the "work", once you get the first one done, especially for unnumbered VTIs, you can either add more with Ansible or your own API script.  It's largely a one-and-done, copy/paste/paste/paste implementation.  Routing policies with BGP route-maps give you extensive control of traffic engineering.  Lots of good reasons. 😀
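The "repeat for other peers" step in the four-step recipe above and the "add more with Ansible or your own API script" remark in this post both come down to the same thing: stamping out one block of clish per branch without a typo in any of 50 of them. The generator below is an added example written for this thread, not the poster's or Check Point's code. It emits the steps from the recipe (unnumbered VTI, /32 host route over vpt<id>, eBGP peer with multihop, optional BFD via ip-reachability-detection) for a constructed branch list and refuses to render if two branches share a tunnel id or peer address, or a branch carries the hub's own ASN. The hub ASN (65000), the proxy interface (eth1), the branch names and addresses are all assumptions; the peer names have to match the VPN community objects on your management, and the BGP commands use the Gaia clish form `set bgp external remote-as ...`. Run it once per hub with that hub's values and feed the output to clish or to the Gaia API run-script.

```python
"""Generate per-branch Gaia clish for unnumbered VTIs with eBGP multihop.

Added example for this thread; not the poster's or Check Point's code.
Assumed: the branch list below is constructed, HUB_AS and PROXY_IF are
placeholders, and each Branch.name matches a VPN peer object on management.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Branch:
    name: str         # peer object name used by 'add vpn tunnel ... peer <name>'
    tunnel_id: int    # VTI id; the resulting interface is vpt<tunnel_id>
    interior_ip: str  # branch gateway's interior interface = its BGP peer address
    remote_as: int    # branch ASN (eBGP, so it must differ from the hub's)


HUB_AS = 65000       # assumed hub ASN
PROXY_IF = "eth1"    # interior interface the unnumbered VTI proxies off

# Constructed sample: three of the "50+" branches from the thread.
BRANCHES = [
    Branch("branch-a", 100, "192.168.100.1", 65001),
    Branch("branch-b", 101, "192.168.101.1", 65002),
    Branch("branch-c", 102, "192.168.102.1", 65003),
]


def validate(branches, hub_as=HUB_AS):
    """Catch the mistakes that silently break one tunnel out of fifty:
    duplicate tunnel ids, duplicate or malformed peer addresses, or a
    branch that shares the hub ASN (that would be iBGP, not eBGP)."""
    problems = []
    seen_ids, seen_ips = set(), set()
    for b in branches:
        if b.tunnel_id in seen_ids:
            problems.append(f"{b.name}: duplicate tunnel id {b.tunnel_id}")
        seen_ids.add(b.tunnel_id)
        try:
            ip = ipaddress.IPv4Address(b.interior_ip)
        except ValueError:
            problems.append(f"{b.name}: invalid peer address {b.interior_ip!r}")
            continue
        if ip in seen_ips:
            problems.append(f"{b.name}: duplicate peer address {ip}")
        seen_ips.add(ip)
        if b.remote_as == hub_as:
            problems.append(f"{b.name}: remote AS {b.remote_as} equals hub AS")
    if problems:
        raise ValueError("; ".join(problems))
    return True


def clish_for_branch(b, proxy_if=PROXY_IF, bfd=True):
    """The recipe's steps for one branch, as clish lines."""
    peer = f"set bgp external remote-as {b.remote_as} peer {b.interior_ip}"
    lines = [
        f"# --- {b.name} ---",
        f"add vpn tunnel {b.tunnel_id} type unnumbered peer {b.name} dev {proxy_if}",
        # VTI is point-to-point: host route to the remote BGP peer over it
        f"set static-route {b.interior_ip}/32 nexthop gateway logical vpt{b.tunnel_id} on",
        f"set bgp external remote-as {b.remote_as} on",
        f"{peer} on",
        f"{peer} multihop on",  # peer sits one hop beyond the VTI endpoint
    ]
    if bfd:
        lines.append(f"{peer} ip-reachability-detection on")
    return lines


def render(branches, hub_as=HUB_AS, proxy_if=PROXY_IF, bfd=True):
    """Complete clish script for one hub; call once per hub with its values."""
    validate(branches, hub_as)
    out = ["lock database override", f"set as {hub_as}"]
    for b in sorted(branches, key=lambda x: x.tunnel_id):
        out.extend(clish_for_branch(b, proxy_if, bfd))
    out.append("save config")
    return "\n".join(out)


if __name__ == "__main__":
    print(render(BRANCHES))
```

Keeping the branch list as data and the validation in front of the render is what makes the "copy/paste/paste/paste" step safe at scale: the same list, rendered with the second hub's ASN and interface, gives the second hub's script, and a duplicated tunnel id fails the run instead of producing a VTI that never comes up.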
