Man I feel gooooood....
The Sr. Architects at work have been trying to hammer out a design for a new Virtual Desktop VPN solution. They've been trying to come up with a way to get this to work for 6 months! Their issue... How do we segregate partner traffic so partners can't see each other, especially when the VMware servers' VLANs don't have L2 reachability to the VPN hub?
Well it took me one day. But I came up with the perfect solution. L2MPLS over GRE, trunking to an ASA cut-through proxy using Dynamic Access Policies. Putting all the sub-interfaces in the same security zone prohibits inter-VLAN routing, and the DAP ACLs solve the rest.
MMmmm I feel good. I hope I just scored major brownie points. Time to put it into concept. This is going to be some great CCIE training.
Currently Reading:
CCIE: Network Security Principles and Practices
CCIE: Routing and Switching Exam Certification Guide
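Added illustration, not the original poster's configuration: a constructed IOS/ASA fragment showing the two mechanisms the post relies on, an EoMPLS pseudowire per partner VLAN carried inside a GRE tunnel, and ASA sub-interfaces placed at the same security level so the firewall refuses to forward between partners. All addresses, VLAN IDs, interface names and nameifs are placeholders; the DAP ACLs the post mentions are not shown.

```cisco
! === Server-side PE (IOS): one EoMPLS pseudowire per partner VLAN, over GRE ===
! Constructed example; every address, VLAN and name below is a placeholder.
mpls ldp router-id Loopback0 force
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
!
interface Tunnel0
 description GRE to the VPN-hub PE; LDP and MPLS labels run inside the tunnel
 ip address 10.254.0.1 255.255.255.252
 mpls ip
 tunnel source Loopback0
 tunnel destination 10.255.0.2
!
! Reach the remote PE loopback (the xconnect peer) through the tunnel
ip route 10.255.0.2 255.255.255.255 Tunnel0
!
interface GigabitEthernet0/1.101
 description Partner A VLAN on the VMware server segment
 encapsulation dot1Q 101
 xconnect 10.255.0.2 101 encapsulation mpls
!
interface GigabitEthernet0/1.102
 description Partner B VLAN on the VMware server segment
 encapsulation dot1Q 102
 xconnect 10.255.0.2 102 encapsulation mpls
!
! The hub-side PE mirrors this: same VC IDs, xconnect back to 10.255.0.1,
! with its dot1Q sub-interfaces on the trunk that faces the ASA.
! Check with: show mpls l2transport vc

! === ASA: one sub-interface per partner VLAN, all at the SAME security level ===
interface GigabitEthernet0/2.101
 vlan 101
 nameif partnerA
 security-level 50
 ip address 172.16.101.1 255.255.255.0
!
interface GigabitEthernet0/2.102
 vlan 102
 nameif partnerB
 security-level 50
 ip address 172.16.102.1 255.255.255.0
!
! Deliberately absent: "same-security-traffic permit inter-interface".
! Without that command the ASA drops traffic between interfaces that share a
! security level, so partner A hosts cannot reach partner B hosts through the
! firewall regardless of routing. Verify with:
!   show running-config same-security-traffic
! (no output means the isolation is in effect).
```

The point worth checking when reviewing such a design is the negative: confirm that `same-security-traffic permit inter-interface` never gets added later for an unrelated reason, since that single line would reopen the path between every partner VLAN at once.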
Comments
ITdude Member Posts: 1,181
Great going..... A major pat on the head..... I usually hang out on 224.0.0.10 (FF02::A) and 224.0.0.5 (FF02::5) when I'm in a non-proprietary mood.
__________________________________________
Simplicity is the ultimate sophistication.
(Leonardo da Vinci)

shodown Member Posts: 2,271
Props on the accomplishment
Currently Reading: CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
Forsaken_GA Member Posts: 4,024
Quoting the original post:
"The Sr. Architects at work have been trying to hammer out a design for a new Virtual Desktop VPN solution. They've been trying to come up with a way to get this to work for 6 months! Their issue... How do we segregate partner traffic so partners can't see each other, especially when the VMware servers' VLANs don't have L2 reachability to the VPN hub?
Well it took me one day. But I came up with the perfect solution. L2MPLS over GRE, trunking to an ASA cut-through proxy using Dynamic Access Policies. Putting all the sub-interfaces in the same security zone prohibits inter-VLAN routing, and the DAP ACLs solve the rest.
MMmmm I feel good. I hope I just scored major brownie points. Time to put it into concept. This is going to be some great CCIE training."
Now do your company a favor and make sure someone else can understand it. If you get hit by a bus, you didn't do them any favors hehe

sides14 Member Posts: 113
I said the same thing once (about being hit by a bus) and it wasn't well received - no sense of humor. Great job on the solution.