Hello everyone.
I'm exploring the infrastructure on a new job and have a question to which I didn't find an answer from the colleagues.
So we have a standard IPSec tunnel on the firewall, peer described in crypto map and lan subnets described in crypto acl. But additionally there are two static routes for these subnets, and they point to different bgp providers with different metrics. Both IPSec and static route have common outgoing interface, so the static route won't interfere with IPSec traffic.
I guess that it is made for redundancy in case of an ISP failure, but why would you do it on a firewall, shouldn't it be implemented on the ASBR? Is there any other purpose for such design?
And what will be with the traffic behavior in case of IPSec going down? Will the data transfer unencrypted due to static route and be dropped somewhere? For example it won't drop if the lan subnets from white range, but will drop if they are from private range.
No comments:
Post a Comment