Multisite Configuration Static or Dynamic Routing, GRE?


I am working on changing the setup for a customer site and want to toss up a few ideas for discussion.

Basic Topology: 3 geographical sites. Site 1, Server Farm w/ 50+Mb pipe WAN and DSL to Site 2. Site 2 has 2 T-1 links to site 3. Site 3 has a DSL connection to WAN. (so Site 2 has no direct WAN access, the DSL is a private loop). Each 'site' is a /24.

Currently they have a pretty awkward configuration with static routing between the sites. I am going to suggest that they use a dynamic routing protocol so that they can have redundant routes via a VPN tunnel should the private lines go down.

Question - Should I use IPsec over GRE on the private T1 and DSL lines, or should I just use GRE, or nothing at all? I plan on using EIGRP and I do not know if the T1 and DSL will handle multicast traffic.

Or: should I stick with the static routing and just add some SLA and tracking objects to provide the redundancy?

Requirements of the job: mission critical redundancy.

Hardware: A mix of Cisco routers on the edge, Pix 515s at site 2 & 3, and PIX 506e at Site 1. Various vendor switches.

WAN--Site1---DSL---Site 2----2xT1----Site3---WAN

For redundancy I am planning a VPN backup link between Site1 and Site 3, which will allow the failure of any 1 link to site2.

Danilo Dy Sat, 12/29/2007 - 02:22



1. Site1

Are both the DSL and 50Mb WAN connected to the same router?

2. Site2

Are both the DSL and 2 x T1 connected to the same router?

3. Site3

Are both the DSL-WAN and 2 x T1 connected to the same router?

Can you post a diagram (in JPG format) of how all those links are connected to your devices, as you have multiple routers and firewalls?



1. Site one to Site 2 is a Private DSL line, 7Mb/1Mb

2. Site 2 - I am going to recommend that the DSL terminate directly to the router; however, it is currently on an external modem and then Ethernet into a switch.

3. Site 3 - DSL is out of a different router that is also handling VoIP.

Site 1: 100MB ethernet into Pix. Pix ethernet link to DSL bridge that connects to site 2.

Site 2: DSL bridge to external modem, terminates at Catalyst switch. 2811 bridges 2xT1 to site 3. 2600 does VoIP.

Site 3: 2811 bridges 2xT1 to site 2. 2600 does VoIP and 7Mb/1Mb DSL to internet. Pix 525 handles firewall / VPN.

Richard Burts Thu, 01/03/2008 - 05:46


I am sure that there are subtle aspects of the situation which we do not understand. But based on my understanding of what you describe I would believe that running a dynamic routing protocol would be better than maintaining static routes especially from the perspective of managing failover to alternate connections.

The T1 and DSL should certainly be capable of carrying multicast/broadcast - if you are not using IPSec. The restriction about multicast/broadcast and need for GRE is a restriction of IPSec. If the DSL is a private connection then I do not see much need for IPSec. If traffic is carried on public links then the protection provided by IPSec is desirable. But if the links are private why would you want or need IPSec?




Thanks for the response!

I agree that a dynamic routing protocol would be the best solution, but I still have to sell that. Some of their equipment is running 12.1 so I fear they may be a bit difficult to change.

Because there is mixed vendor equipment whose capabilities I am still researching, I will probably be limited to RIPv2, which is plenty adequate. I still need to meet with them and discuss network outages for the upgrade changes, which may be difficult considering they are a 24/7 shop and don't have any redundant hardware I can split off to configure and then fail over. It is also complicated that one of the sites has no out-of-band management =(.

The need for IPsec/GRE tunnels will be a backup link from site 1 to site 3 over the internet should a link fail from 1 to 2 or 2 to 3.

What I have been trying to figure out if anyone knows, is a good simple example of using IP SLA pings for reliable static routing backup. The part where I break down is the use of Dialer interfaces which I do not yet understand completely.

Richard Burts Thu, 01/03/2008 - 11:12


I missed that some part of the connection would be over public Internet. In that case IPSec with GRE would be a good solution for that part of the network.

If there is old code running and a mixed vendor environment it does constrain the choice of routing protocols. But even RIPv2 would do what you need and should be adequate for their purposes.
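
A sketch of the Site 1 end of the GRE-over-IPsec backup tunnel with RIPv2 discussed in this thread, added here as an example and not posted by any participant. All addresses, interface names, object names and the key placeholder are constructed, and it assumes an IOS release that supports `tunnel protection ipsec profile`.

```cisco
! Site 1 router, constructed values throughout:
!   198.51.100.1 = Site 1 public address, 203.0.113.2 = Site 3 public address
!   10.0.1.0/24  = Site 1 LAN, 172.16.0.0/30 = tunnel addressing
!
! IKE phase 1 policy and pre-shared key for the Site 3 peer
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! IPsec encrypts the GRE packet; transport mode avoids a second IP header
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS
!
! GRE carries the RIPv2 multicast updates that plain IPsec would not
interface Tunnel0
 description Backup path Site1 to Site3 over the Internet
 ip address 172.16.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile BACKUP-PROF
!
! RIPv2 on the LAN and the tunnel; the offset-list adds 5 hops to every
! route learned or advertised through Tunnel0, so the private DSL and T1
! path stays preferred until it fails
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 172.16.0.0
 offset-list 0 in 5 Tunnel0
 offset-list 0 out 5 Tunnel0
```

The Site 3 end mirrors this with the peer and tunnel addresses swapped; any firewall in front of either router has to pass IKE (UDP 500) and ESP (IP protocol 50) between the two public addresses.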



