failover scenario

Unanswered Question
May 13th, 2007


Actually, I am seeking help in configuring an automatic failover for our two separate connections in such a way that if the primary link fails, the router would be able to automatically adjust and route traffic from the second link, and once the link comes up it should revert back to the primary link.

Just like we do when having an ISDN connection for backup, and when the primary link comes up it moves back.

The only problem is that here there will be no ISDN, only one leased line (primary) and the other through an Internet IPSec tunnel.

Any help would be great.


There are many ways. You can configure two EIGRP processes, EIGRP 100 (Primary) and EIGRP 200 (GRE IPSEC VPN Tunnel). On EIGRP 200 set the 'distance eigrp 100 180' which will make it higher than the default.

When the primary link fails, EIGRP 200 would start routing over the tunnel. Keep in mind you will have to redistribute EIGRP 100 into 200 and, on the other end of the tunnel, prevent suboptimal routing.


Paolo Bevilacqua Sun, 05/13/2007 - 03:55

I'm not sure, why the need for TWO separate processes? If you have control over your infrastructure, one should be enough.

Anyway, I think we need to know more exactly how the router is connected, what is on the other side of the leased lines, what is on the other side of the VPN tunnels, how the tunnels get to the router, etc.

kasame141006 Sun, 05/13/2007 - 12:55


Thanks for the reply. I have drawn a diagram showing the basic connectivity between sites and links. Maybe after viewing it you will be able to imagine how to get this failover to work. Hoping for a positive reply.

Design looks decent, though this takes careful planning. Remember, if you fail to plan, you plan to fail! I highly recommend getting with your network design engineer in this regard.

I gave you one of many possibilities of doing failover, but I cannot continue any further as I don't know your organization's needs.

Good luck!

zulqurnain Sun, 05/13/2007 - 14:07

Hi, thanks for the reply,

Surely I will carefully plan it before implementing it. Just another piece of advice: I am looking into other possibilities, e.g. rtr in router IOS, like configuring it on the router which connects both the FW.

What's your opinion on it?

Paolo Bevilacqua Sun, 05/13/2007 - 15:39


Nice slide. Build GRE tunnels full meshing one router per site. I suggest the one inside the firewall. The GRE tunnel can be point-to-point, or multipoint; I suggest you use point-to-point for simplicity as you have few sites. If you need your data to be encrypted, make IPSec VPN to carry GRE; there is documentation on CCO on how to do this.

Then use a routing protocol, you may have one already running to carry reachability information for the LAN of your interest, both on the tunnel interfaces and the physical WAN. It should not be necessary to adjust metrics, as by default the tunnel interfaces have less.

This will provide failover for LAN-to-LAN connectivity on loss of WAN links.
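
A sketch of the design described in the post above (point-to-point GRE carried inside IPsec, with one routing process running on both the leased line and the tunnel), as an added example that is not part of the original thread. All interface names, addresses (documentation and private ranges), the EIGRP AS number, the profile names and the key are constructed placeholders; the remote router would mirror this configuration.

```cisco
! Added example, site A router. Every value below is a constructed placeholder.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROTECT
 set transform-set GRE-TS
!
interface FastEthernet0/0
 description Site A LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0/0
 description Leased line to site B (primary path)
 ip address 10.0.12.1 255.255.255.252
!
interface FastEthernet0/1
 description Path toward the Internet
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel0
 description GRE over IPsec to site B (backup path)
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
 ! Encrypts everything that enters the tunnel; no crypto ACL is needed.
 tunnel protection ipsec profile GRE-PROTECT
!
! Pin the tunnel endpoint to the Internet path so the tunnel is never
! routed through itself (recursive routing) once routes change.
ip route 203.0.113.2 255.255.255.255 198.51.100.1
!
! One EIGRP process on LAN, leased line and tunnel. The Internet-facing
! subnet is deliberately not listed, so no adjacency forms outside IPsec.
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 10.0.12.0 0.0.0.3
 network 10.255.0.0 0.0.0.3
 no auto-summary
```

After shutting the serial interface in a test window, `show ip eigrp neighbors` and `show ip route` should show the remote LAN reachable through Tunnel0, and `show crypto ipsec sa` should show the encrypted packet counters increasing for that traffic.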

