Thursday, June 17, 2021

Policy Based VPN - Same Encryption domain on tunnels to 2 sites

We have a customer who wishes to tunnel to us using an active/standby (2 VPN endpoints, 1 encryption domain) policy-based VPN tunnel from one datacenter of theirs to 2 datacenters of ours.

We reverse-route-inject our policy-based tunnels, then redistribute the static routes into BGP. With this customer's request, our network would have 2 BGP route entries to the customer, with only one of them being viable at any given time, depending on which tunnel (Site A or Site B) is active at that particular moment in time.

Is there any way with policy-based VPNs to essentially withdraw routes for tunnels that are down, or some other clever trick I can use to have my networks route back to the customer only through the site with the active VPN tunnel?

All VPNs involved are Cisco ASAs. Appreciate any opinions, and let me know if I can answer any questions.
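The setup described above (policy-based crypto map with reverse route injection, static routes redistributed into BGP), as an added ASA configuration example for one of the two sites; this is constructed illustration, not the poster's configuration, and all names, addresses, AS numbers and the key are placeholders. It contrasts static RRI, which installs the route as soon as the crypto map is applied, with dynamic RRI (assumed available, ASA 9.7(1) and later), which installs the route only while the IPsec SA is up, so the prefix is withdrawn from BGP when the tunnel is down.

```cisco
! Constructed example for the Site A ASA. Placeholder values throughout.
! Customer encryption domain 10.50.0.0/24 sits behind two customer peers
! (active/standby); our encryption domain is 10.10.0.0/16.
object network CUSTOMER-ENC-DOMAIN
 subnet 10.50.0.0 255.255.255.0
object network OUR-ENC-DOMAIN
 subnet 10.10.0.0 255.255.0.0
access-list CUSTOMER-VPN extended permit ip object OUR-ENC-DOMAIN object CUSTOMER-ENC-DOMAIN
!
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ikev2 enable outside
!
crypto map OUTSIDE-MAP 10 match address CUSTOMER-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10 203.0.113.11
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
! Static RRI (the behaviour described in the post): the 10.50.0.0/24 static
! route exists whether or not an SA is up, so both sites keep advertising it.
! crypto map OUTSIDE-MAP 10 set reverse-route
! Dynamic RRI (assumed: ASA 9.7(1)+): route installed when the SA comes up,
! removed when the SA is deleted, so redistribution follows tunnel state.
crypto map OUTSIDE-MAP 10 set reverse-route dynamic
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK
tunnel-group 203.0.113.11 type ipsec-l2l
tunnel-group 203.0.113.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER-PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER-PSK
!
! Redistribute only the RRI-injected customer prefix, not every static route.
prefix-list CUSTOMER-PREFIXES seq 5 permit 10.50.0.0/24
route-map RRI-TO-BGP permit 10
 match ip address prefix-list CUSTOMER-PREFIXES
router bgp 65001
 address-family ipv4 unicast
  neighbor 192.0.2.1 remote-as 65001
  neighbor 192.0.2.1 activate
  redistribute static route-map RRI-TO-BGP
```

Verify the behaviour with `show route static` and `show crypto ipsec sa` before and after the SA is established; with the dynamic keyword the static route should be absent while no SA exists.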
