Link to home
Start Free TrialLog in
Avatar of leblanc
leblanc

asked on

VPN failover on switch or on FW

I need feedback on the preference to implement VPN failover on a layer 3 switch or on a FW. Basically, I will have a layer 3 switch connecting to a primary MPLS connection and the Internet as the VPN backup. My question is which scenario is best practice: 1 or 2 (see below)

scenario 1:
internet<-->fw<-->3560x<-->internal
                                |
                              MPLS CE router

scenario 2:
internet<-->fw<-->3560x<-->internal
                     |
            MPLS CE router
Avatar of netcmh
netcmh
Flag of United States of America image

What is your FW? Where is the VPN configured? I would go with the FW handling your VPN failover.
Avatar of leblanc
leblanc

ASKER

I am still shopping for FWs. But it will be between a Fortinet and a Juniper. So if i understanding correctly, scenario 2 is the prefer way? Thanks
ASKER CERTIFIED SOLUTION
Avatar of netcmh
netcmh
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of leblanc

ASKER

So your ASA is connecting to the main WAN connection and the Internet connection and from the L3 switch, you just have a default route pointed to the ASA. Correct?
SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Thanks for the grade. Good luck.