Hello Everybody,
Just wondering if anybody could share any ideas I haven't thought of in terms of the following scenario please?
We have a customer with a pair of v6 7000 controllers in a large site, along with another pair of 7000 master/standby in a datacentre. In each datacentre, there is also a pair of Cisco ASA firewalls that we aim to use for WiFi guest user termination and internet egress.
When doing IPSEC tunnels (for the Guest WiFi egress, starting from the locals at the site) I'm pretty sure we can only set one IP peer in each IPSEC tunnel. This gives us a problem with resilience when targeting 2 data centre firewalls on different IP subnets (no layer2 between DCs).
Things that aren't a resilience problem are: resilience FROM the locals, as they run a v6 VRRP for AP termination (controllers AREN'T active/active therefore), and we will have another VRRP for IPSEC egress to the DCs, which tracks the AP VRRP. Also at the individual DC end, the ASAs work in resilient pairs with virtual interfaces. So the only issue should be failing between datacentres.
We could either...
1. Look at GRE over IPSEC and use tunnel-groups on the controllers, however, not sure if Cisco ASAs will cope with that? Sounds like lots of experimentation required? Outcomes should be nice and slick if they work though?
2. Set up a pair of default routes in the controllers with weighted metrics, which use a pair of IPSEC tunnels in order of priority. Having of course already taken into account other existing IPSEC tunnels and any "normal" controller IP traffic flows that must remain intact (e.g. authentication/monitoring/management etc.) and prioritised with normal IP routes with better metrics. My big problem with this option is an operational one. Whilst it will be time consuming to "tweak-out" IP stuff that shouldn't be routed up the IPSEC tunnels and get the routing table "just right", it feels like one day, this setup is REALLY easy for somebody to make a mistake with and cause havoc?
Thoughts?
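The operational worry in option 2 (a routing-table change silently pushing RADIUS, management or monitoring traffic up a guest tunnel, or breaking failover between the two DC tunnels) is the kind of thing that can be checked mechanically rather than by eye. The script below is an added example, not part of the original post and not vendor code: it models longest-prefix-match routing with metric tie-breaking, simulates a tunnel going down, and flags any "housekeeping" destination that would end up inside a guest tunnel. All prefixes, addresses, interface names and metrics are constructed for illustration.

```python
"""
Sanity check for a 'weighted default routes over two IPsec tunnels' design.
Added example; every address, interface name and metric is constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network in CIDR notation
    next_hop: str               # interface or tunnel label (constructed)
    metric: int                 # lower is preferred
    guest_tunnel: bool = False  # True if this route forwards into a guest IPsec tunnel


# Constructed routing table: two guest tunnels in priority order, an underlay
# default, and specific routes keeping site/monitoring traffic on the LAN.
ROUTES = [
    Route("0.0.0.0/0", "ipsec-dc1", 10, guest_tunnel=True),   # primary DC
    Route("0.0.0.0/0", "ipsec-dc2", 20, guest_tunnel=True),   # standby DC
    Route("0.0.0.0/0", "wan-router", 30),                     # underlay default
    Route("10.10.0.0/16", "core-lan", 1),     # site LAN: APs, RADIUS, management
    Route("10.200.5.0/24", "core-lan", 1),    # monitoring / NMS subnet
]

# The same table with the NMS route forgotten: a plausible operator mistake.
MISTAKEN_ROUTES = [r for r in ROUTES if r.prefix != "10.200.5.0/24"]

# Destinations that must never be routed into a guest tunnel (constructed).
HOUSEKEEPING = {
    "radius": "10.10.1.10",
    "management": "10.10.2.5",
    "nms": "10.200.5.20",
}

# TEST-NET-3 address standing in for 'somewhere on the internet'.
INTERNET_PROBE = "203.0.113.1"


def lookup(dst: str, routes, down=frozenset()) -> Optional[Route]:
    """Longest-prefix match; among equal prefix lengths pick the lowest metric.
    Routes whose next hop is listed in `down` are skipped, modelling a tunnel
    that has failed (e.g. the primary DC is unreachable)."""
    ip = ipaddress.ip_address(dst)
    best, best_key = None, None
    for r in routes:
        if r.next_hop in down:
            continue
        net = ipaddress.ip_network(r.prefix)
        if ip not in net:
            continue
        key = (net.prefixlen, -r.metric)   # longer prefix wins, then lower metric
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def check_table(routes, down=frozenset()) -> dict:
    """Report where guest internet traffic goes and which housekeeping
    destinations (if any) would leak into a guest tunnel."""
    guest = lookup(INTERNET_PROBE, routes, down)
    leaks = {}
    for name, ip in HOUSEKEEPING.items():
        r = lookup(ip, routes, down)
        if r is not None and r.guest_tunnel:
            leaks[name] = r.next_hop
    return {"guest_next_hop": guest.next_hop if guest else None, "leaks": leaks}


if __name__ == "__main__":
    print("normal:        ", check_table(ROUTES))
    print("dc1 tunnel down:", check_table(ROUTES, down={"ipsec-dc1"}))
    print("both down:     ", check_table(ROUTES, down={"ipsec-dc1", "ipsec-dc2"}))
    print("mistake:       ", check_table(MISTAKEN_ROUTES))
```

Running it against the intended table shows guest traffic on `ipsec-dc1`, moving to `ipsec-dc2` when the primary is marked down, with no leaks; against the table with the missing NMS route it reports `{"nms": "ipsec-dc1"}`, which is exactly the class of mistake option 2 makes easy. A check like this can be kept alongside the controller config and re-run before each change is applied.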