Network Design/Config questions

Oct 22nd, 2007

Hey all, I'm not a Cisco Engineer or anything like that but I have a small amount of configuration knowledge on Cisco Routers and Switches. My problem is that our Cisco guy has just left and it looks like I'm going to be asked to fill his shoes. Anyway, enough of my sad story.

My problem is in the drawing attached.

The system at the top of the figure is located at a customer's site which may be anywhere in the world. The system at the bottom is our LAN. The task is to configure the Cisco Routers located at our facility such that:

1. Network devices located on LAN1 or LAN2 at our facility can communicate with network devices located on LAN1 of the system located at our customer's site using standard IP packets.

Q. So what do I need to do to make this happen? Do both sites need to be running the same routing protocol? (I know a VPN is needed)

2. Intersite communication would not be disrupted by the failure of either of the two Cisco routers located in my LAN.

Q. Would I need to configure the switches to forward the traffic to the redundant Router if one of them failed?

3. The communication channels over the Internet are secured using VPN.

Q. In order for the VPN to work, do I need to insert a static route for the remote network?

The IP addresses of the devices connected on LAN1 and LAN2 at both locations are private reserved addresses.

Any help/advice with this would be so gratefully appreciated.

Many thanks


stephen.stack Tue, 10/23/2007 - 12:03

Hi Chris,

Hopefully I can help out here. From what I gather you need to configure VPNs between your main site and your customer's remote site(s). You also need to maintain a level of redundancy for your own LAN's Internet access and the VPNs to the customer's site.

Some basics, firstly. Ideally your local subnet address needs to be different from your customer's, i.e. your LAN 192.168.0.x - your customer 192.168.1.x etc…

We can use GRE over IPSec which employs a tunnel interface and encryption to build a VPN link between the sites. We can also use 'backup' VPNs in the event that the first tunnel fails.

You have a choice of using either static routes (excess administration) or a dynamic routing protocol for the VPN. Because GRE over IPSec uses 'tunnel interfaces', dynamic routing protocols treat these interfaces much like real interfaces. So a good choice would be EIGRP. It is simple and easy to configure.

As for redundancy - as I said you can configure 'backup' VPN links so that if a router fails at your main site then the VPN could easily switch over to your backup router. If you have multiple customer sites, you may also use different routers as the primary and backup routers to load balance.


Cust 1 = VPN1

VPN1 = Router1(primary) /Router 2 (Backup)

Cust2 = VPN2

VPN2 = Router2 (Primary)/ Router1 (Backup)

As for redundancy inside your network, you can employ a technology known as HSRP (Hot Standby Routing Protocol). This basically allows you to configure your two routers with a Single 'Virtual' IP address. Thus allowing you to configure all your network hosts with a single default gateway. Again a very straightforward configuration, with only a few decisions to be made regarding network setup.

I hope this helps. Should you need some ideas as to how to go about this, please let me know.
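
The Router1 (primary) side of the design described in the answer above, GRE over IPsec with EIGRP across the tunnel and HSRP on the LAN, as an added example that is not from either poster. Every address, interface name, the EIGRP AS number and the profile names are assumptions chosen for illustration, `<PSK>` and `<HSRP-KEY>` are placeholders for secrets, and the crypto parameters assume a current IOS image.

```cisco
! Constructed addressing: 192.168.0.0/24 = local LAN1,
! 198.51.100.2 = Router1 Internet address, 203.0.113.10 = customer router,
! 10.255.1.0/30 = point-to-point addressing inside the tunnel.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK> address 203.0.113.10
!
! Transport mode: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel1
 description Primary VPN to customer 1
 ip address 10.255.1.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.10
 ! Encrypt everything that enters the GRE tunnel, routing hellos included.
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/1
 description Internet
 ip address 198.51.100.2 255.255.255.0
!
interface FastEthernet0/0
 description LAN1
 ip address 192.168.0.2 255.255.255.0
 ! Hosts use 192.168.0.1, the HSRP virtual address, as default gateway.
 standby 1 ip 192.168.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP-KEY>
 ! Drop priority by 20 if the Internet-facing interface goes down.
 standby 1 track FastEthernet0/1 20
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 192.168.0.0 0.0.0.255
 no auto-summary
```

Router2 would carry the same configuration with its own addresses and tunnel subnet, the default HSRP priority of 100 and `standby 1 preempt`, so it takes over the virtual gateway when Router1's tracked interface fails. A higher `delay` value on the backup tunnel interface makes EIGRP prefer the primary tunnel while both are up.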



chrismcnaught Tue, 10/23/2007 - 16:43

Hi Stephen,

Thanks very much for your reply, I've only had a quick read through it and what you have said makes sense.

You're right, we want to create VPNs from site to site with high availability built in.

The GRE protocol, how do I configure this? EIGRP was what I was thinking would be the best as I didn't want to get into OSPF.

As for the load balancing, I don't think that we're going to need that quite yet, but good idea.

I like the idea of the HSRP, that sounds like what we will need to employ.

I will certainly have more questions regarding this, so is there any way of me getting in touch if need be?

