754 Views, 17 Helpful, 13 Replies

Using my tunnel as a backup to the WAN

Tshi M
Level 5

We have a 10 Mb Ethernet circuit between two offices. I would like to set up a site-to-site VPN over the Internet between both offices as well, to be used as a backup to the Ethernet circuit. The tunnel configuration is not a problem, but how do I make sure that the traffic goes over the tunnel in case of a WAN disruption?

13 Replies

paolo bevilacqua
Hall of Fame

Hi, once you set up routing properly, you have floating static routes, or again dynamic routing over the VPN, so if the Ethernet circuit goes down, traffic will be routed over the VPN.

Hope this helps, please rate post if it does!

Build a GRE tunnel over the VPN connection. Configure a floating static route (a route with a higher admin distance) to forward the traffic to the remote LAN via the tunnel next-hop address. If you aren't running a routing protocol over the existing 10 Mb Ethernet connection, then you may have to use the feature called 'static route using object tracking' to ensure the floating static route always works.

HTH

Sundar

Richard Burts
Hall of Fame

Etienne

To give a good answer to your question we would need to know a few more things about your environment. In particular we need to understand your current routing setup. Do you use static routes? Do you run a dynamic routing protocol?

If you are running a dynamic routing protocol, would you plan to run the dynamic routing protocol over the VPN tunnel?

Running a dynamic routing protocol over both the normal Ethernet connection and the VPN tunnel would probably be easiest. You would simply make sure that the metric for the path over the Ethernet was more attractive than the path over the VPN tunnel.

It could also work with dynamic routing over the Ethernet and a floating static route to send traffic to the other site over the VPN tunnel. The advantage here is that the dynamic routing protocol would detect loss of connectivity over the Ethernet and converge which would allow the floating static route to be used.

If you are not running a dynamic routing protocol then you would need a primary static route and a floating static route for backup. The issue with this approach is that over the Ethernet you could lose connectivity but the static route using the Ethernet would still be in the routing table. There is a feature of reliable static routes with object tracking which could help deal with this issue.

Let us know more about your situation and we may be able to provide better advice.

HTH

Rick
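As an added illustration of the "reliable static route with object tracking" approach that Rick and Sundar describe, here is an IOS router configuration. It is not from any poster in this thread; the addresses are constructed (10.50.100.5 is reused from the original poster's own route as the VPN next hop, while the Ethernet next hop 10.50.200.2 and the interface GigabitEthernet0/0 are assumptions). The primary static route is withdrawn from the routing table when an IP SLA ICMP probe across the Ethernet circuit fails, so the AD 200 floating static route via the VPN takes over. When EIGRP already runs over the Ethernet, as the original poster later says, the tracked primary route is unnecessary because EIGRP withdraws its own route, and the single floating static at the end is enough.

```cisco
! IOS router at site A (added example, constructed addresses):
!   remote LAN 10.20.10.0/24
!   Ethernet circuit next hop 10.50.200.2 on GigabitEthernet0/0
!   VPN next hop 10.50.100.5 (taken from the poster's own route)
!
! Probe the far end of the Ethernet circuit every 10 seconds
ip sla 10
 icmp-echo 10.50.200.2 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track object 10 follows the probe; the delays dampen route flapping
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Primary static route (AD 1): removed from the routing table while
! track 10 is down, even if the interface itself stays up/up
ip route 10.20.10.0 255.255.255.0 10.50.200.2 track 10
!
! Floating static route (AD 200): ignored while the AD 1 route is present,
! installed automatically once the tracked route is withdrawn. 200 is also
! above external EIGRP (AD 170), which is why Sundar prefers it to 112.
ip route 10.20.10.0 255.255.255.0 10.50.100.5 200
```

The probe targets the directly connected far end of the circuit, so it always leaves GigabitEthernet0/0 and cannot be rerouted through the VPN once the failover has happened. If you would rather probe an address on the remote LAN, add a tracked /32 static route for that address via the Ethernet next hop so the probe itself cannot take the backup path.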

Yes we are running EIGRP over the Ethernet. However, the VPN will be set using PIX firewalls (ASA 5520 and a PIX 506).

I guess I can use the following static route for the firewall

ip route 10.20.10.0 255.255.255.0 10.50.100.5 112

Yes, that is what is called a floating static route. Now, for reasons of "number niceness" people like to use 200 as the administrative distance value, but 112 will work as well.

I would suggest you use 200 as the admin distance for floating static route. Admin distance of External EIGRP is 170 and in case you are redistributing the connected LAN network into EIGRP then you would have problems with 112.

HTH

Sundar

Correct, so in fact it is not just for "number niceness" that we use 200 all the time :)

Hi,

I agree to all the above comments.

Recommendation: use "200" as the Administrative Distance for the second, floating static route.

In several environments I see only 200 used for the second static route, i.e., the backup route.

DO RATE ALL HELPFUL POSTS.

Best Regards,

Guru Prasad R

Hi Experts,

Please clear my doubt.

If running EIGRP or any other routing protocol for that matter, will the routing updates that contain multicast traverse over the IPsec?

Regards,

Imran.

No, these will not go over IPsec. For this reason, if you want dynamic routing over IPsec, the best way is to set up a GRE tunnel. This will not only allow routing updates, but also the crossing of any source and destination traffic without additional configuration of crypto maps.

mbroberson1
Level 3

I would highly recommend setting up a DMVPN connection to the remote site as a backup for when the Ethernet circuit is down. In the setup you can configure your NHRP holdtime (ip nhrp holdtime 300) to something like 300 seconds. If you are using EIGRP, place a low bandwidth on the tunnel interface to give precedence to the much faster Ethernet circuit.

I should have pointed out that the site-to-site VPN is using an ASA 5520 and a PIX 506E.

That's OK, you can still configure a GRE tunnel in the routers and they will 'talk' EIGRP over it - no ugly static routes necessary.
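An added example (not posted by anyone in this thread) of the GRE-over-IPsec design Paolo describes, configured on the IOS router behind the ASA 5520, with EIGRP preferring the Ethernet circuit because the tunnel carries a lower configured bandwidth, as mbroberson1 suggests. All addresses, interface names and the EIGRP AS number are constructed; the firewalls' site-to-site crypto ACL is assumed to permit GRE (IP protocol 47) between the two router LAN addresses, so that the GRE packets ride inside the existing IPsec tunnel. The site B router mirrors this configuration with the addresses swapped.

```cisco
! Site A router, behind the ASA 5520 (added example, constructed addresses):
!   Site A LAN 10.10.10.0/24, router 10.10.10.1, ASA inside 10.10.10.254
!   Site B LAN 10.20.10.0/24, router 10.20.10.1
!   Ethernet circuit 10.50.200.0/30, GRE tunnel 10.50.100.4/30
!
interface GigabitEthernet0/0
 description 10 Mb Ethernet circuit to site B (primary path)
 ip address 10.50.200.1 255.255.255.252
 bandwidth 10000
!
interface GigabitEthernet0/1
 description site A LAN
 ip address 10.10.10.1 255.255.255.0
!
interface Tunnel0
 description GRE over the ASA/PIX site-to-site IPsec VPN (backup path)
 ip address 10.50.100.6 255.255.255.252
 tunnel source 10.10.10.1
 tunnel destination 10.20.10.1
 tunnel mode gre ip
 ! 1 Mb/s and a 50 ms delay (delay is in tens of microseconds) give this
 ! path a worse EIGRP composite metric than the circuit, so it carries
 ! traffic only when the Ethernet route is withdrawn
 bandwidth 1000
 delay 5000
 ! GRE keepalives take the interface down when the far end stops
 ! answering instead of leaving it up/up with a dead path behind it
 keepalive 10 3
 ! Leave room for the GRE and ESP headers added along the way
 ip mtu 1400
 ip tcp adjust-mss 1360
!
! Pin the tunnel endpoint to the firewall. Without this, once the circuit
! fails the only route to 10.20.10.1 would be the EIGRP route learned
! through Tunnel0 itself, and the tunnel would flap on recursive routing.
ip route 10.20.10.1 255.255.255.255 10.10.10.254
!
router eigrp 100
 network 10.10.10.0 0.0.0.255
 network 10.50.100.4 0.0.0.3
 network 10.50.200.0 0.0.0.3
 no auto-summary
```

With both neighbours up, "show ip route 10.20.10.0" lists only the path via 10.50.200.2; when the circuit fails, EIGRP withdraws it and the route learned through Tunnel0 is installed without any static route for the remote LAN. The /32 host route for the tunnel destination is the one static that must stay, and it must point at the firewall rather than at the circuit, otherwise the tunnel endpoint becomes unreachable at exactly the moment it is needed.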
