Failover Network Setup

I am in the process of working out a failover network. We have a 10 Mbit line coming in from XO and 2 T1's coming from Sprint. I have a 2811 with the advsecurity IOS for firewall and VPN. Here is what we want to achieve. We have 4 sites all connected via PIX point-to-point VPN's. I want to take the PIXes out of the equation and use the 2811's as the firewalls and VPN. In a normal situation all sites would be talking on their XO links. If XO goes down I want the T1's to kick in. Is this possible?

Thanks Folks.

cisconoobie Thu, 07/26/2007 - 09:30
I'm also curious if this is possible. I'm guessing you are using 1 router with a WAN Ethernet card and 2 T1 cards bundled?

The thing that is interesting is that you will have different IP addresses for each interface. So if you create the Site to Site VPNs you are connecting IP's to IP's.

What about creating Site to Site VPNs to each provider interface and maybe changing the metric somehow?

Interesting, I would like to do a similar thing.

Yes, 1 router, 2 T1 NICs; the 10 Mbit connects to fa0/1. Yes, different public IP addresses for XO and Sprint. I really want the Sprint links to be quiet till needed; that will allow me to build site-to-site using IP-based VPN. As long as the Sprint link is quiet till the XO goes down, we don't get the VPN being initiated to the same site on 2 different IP's. If I cannot get that to work, the metric will be the way to go. Right now I have the 2 T1 Sprint links to test with, as the XO is production. So my default route goes to se0/0/0 and my metric 2 goes to se0/1/0. When I fail over se0/0/0, se0/1/0 picks up just fine, but when I bring se0/0/0 back up, traffic still goes out se0/1/0.

Amit Singh Thu, 07/26/2007 - 10:12
  • Cisco Employee

Yes, it is possible to create a VPN to two different sites on your router. Please see the sample config below:

On your remote router, when you configure the crypto map, you will configure something like:

crypto map mymap 10 ipsec-isakmp
 set peer a.b.c.d
 set peer e.f.g.h
 set transform-set myset
 match address XXX

Where a.b.c.d is the IP of the primary router interface and e.f.g.h is the secondary interface IP.

On your HO routers you will use a combination of static and floating static routes to reach the remote sites, and then configure the crypto map for each side. This will make sure that as long as your XO interface is up, the remote peer will be reachable over it, and when it is down it will take the T1 route.

HTH, please rate if it helps,

-amit singh

Thanks, I was aware of this. The issue I am having is like this. I have 2 T1's set up on the test router right now. I have 2 NATs set up: one to NAT to se0/0/0 with ACL 1 and one for se0/1/0 with ACL 5. I have routes for se0/0/0 metric 1 and se0/1/0 metric 2. Does this sound right, or am I going down the wrong path?
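The pieces discussed in this thread (dual-peer crypto map, floating static default route, and per-provider NAT selected by exit interface) fit together on one head-office 2811 as below. This is an added example, not a configuration posted by anyone in the thread or published by Cisco; the interface layout (fa0/0 LAN, fa0/1 XO primary, se0/0/0 one Sprint T1 as backup), the RFC 5737 documentation addresses, the access-list and route-map names, and the pre-shared key placeholder are all assumptions. A second T1 would be added the same way as se0/0/0 with its own route-map and floating route.

```cisco
! Head-office 2811, added example. Assumed layout:
!   fa0/0   = LAN 10.1.0.0/24
!   fa0/1   = XO 10 Mbit, primary  (203.0.113.2/30, gateway 203.0.113.1)
!   se0/0/0 = Sprint T1, backup    (198.51.100.2/30, gateway 198.51.100.1)
! Remote site LAN 10.2.0.0/24, reachable at 203.0.113.10 (its XO address)
! or 198.51.100.10 (its Sprint address). All addresses are placeholders.
!
! --- ISAKMP / IPsec ---
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! one key entry for each address the remote site can peer from
crypto isakmp key REPLACE-ME address 203.0.113.10
crypto isakmp key REPLACE-ME address 198.51.100.10
! dead peer detection: without it the router keeps retransmitting to the
! first "set peer" and never falls through to the second one
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! LAN-to-LAN traffic that belongs in the tunnel
ip access-list extended VPN-SITE2
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! primary peer first, backup peer second
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-SITE2
!
! --- NAT: one translation rule per provider, chosen by exit interface ---
! the VPN traffic is denied first so it is not translated before encryption
ip access-list extended NAT-INSIDE
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
!
route-map NAT-XO permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
!
route-map NAT-SPRINT permit 10
 match ip address NAT-INSIDE
 match interface Serial0/0/0
!
ip nat inside source route-map NAT-XO     interface FastEthernet0/1 overload
ip nat inside source route-map NAT-SPRINT interface Serial0/0/0     overload
!
interface FastEthernet0/0
 description LAN
 ip address 10.1.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description XO 10 Mbit, primary
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
interface Serial0/0/0
 description Sprint T1, backup
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map VPN
!
! --- Routing: primary default plus floating static ---
! The trailing number on "ip route" is administrative distance, not a
! metric. The AD 250 route is installed only while the AD 1 route is gone.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

The remote router is the mirror image: its own two addresses on its WAN interfaces, `set peer 203.0.113.2` followed by `set peer 198.51.100.2`, and the crypto ACL with source and destination swapped. Two checks are worth doing when testing failover and failback: `show ip route` to confirm which default route is installed, and `show ip nat translations` after the primary comes back, because translations that were built while traffic was leaving via the T1 stay in the table until they age out or are flushed with `clear ip nat translation *`, so existing flows can keep using the backup interface for a while after the primary route returns. The floating static also only takes over when the primary interface's line protocol goes down; if the XO hand-off is Ethernet and the failure is upstream of it, the interface stays up and nothing fails over, which is the case for an `ip sla` reachability probe with `track` attached to the primary default route, where the IOS image supports it.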


