Setting up new site

Unanswered Question
Oct 2nd, 2008

Hi,

I need to provide a solution to my new client, but I am facing some issues.

My client has 5 branch offices; each branch office has 2 links, the primary as a dedicated leased line & the secondary as an IPsec tunnel. The primary link is terminated on one Cisco router & the secondary, used as an IPsec tunnel, on a second Cisco router. Between these two routers HSRP is running. If my primary link goes down, my traffic should automatically pass via the IPsec tunnel. What can be done and how, as the client requires 100% uptime for their data connectivity?

satish_zanjurne Thu, 10/02/2008 - 23:45

Hi,

1. HSRP is not supported on GRE tunnel interfaces.

2. It is not possible to use the HSRP configuration to track the GRE tunnel interface. However, the tunnel interface never goes down and the track never triggers failover.

3. Using HSRP with IPsec has restrictions like:

   The IKE and IPsec configuration that is set up on the active device must be duplicated on the standby device.

   Both routers should be the same type of device, have the same CPU and memory, and have either no encryption accelerator or identical encryption accelerators.

4. In your case one router is the Leased Line router & the other is the IPsec internet router.

5. So instead of HSRP, implement a static default route.

6. Make the static default route on the Leased Line router primary with Administrative Distance 0 & the static default route on the IPsec/internet router secondary or backup by increasing the Administrative Distance.


HTH..rate if helpful..


qureshi_asrar Fri, 10/03/2008 - 00:17

Hi,

I would be using 2 Cisco 2811 for each location, with advanced security IOS, i.e. 12.2.

Assume I have 2 Cisco 2811 with 6 WIC-2T cards, i.e. Router A & B. My query is that on router A I would be terminating all my dedicated leased lines with static routes & router B I would be using as a backup with IPsec tunnelling & HSRP running between A & B. If A fails my traffic should get diverted to IPsec router B. I want to know how much up-time or failover the IPsec tunnel will take, as my client's requirement is 100% uptime.

The routers have the same series, IOS and memory & all the serial interfaces are of the same make.

satish_zanjurne Fri, 10/03/2008 - 01:27

1. Now multiple remote sites are there.

2. If remote sites are not communicating with each other apart from HQ, then you need to use static routes to each of the sites as primary routes; otherwise you need to use a dynamic routing protocol like EIGRP or OSPF.

3. Add floating static routes to each of those sites.

4. You cannot use HSRP with IPsec, because both of your routers are not running internet.

5. You cannot run HSRP in this scenario.

6. Convergence would be almost immediate if you are using static routes.


HTH..rate if helpful..
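
Added example, not part of the original thread or any poster's reply: a small Python model of how a floating static route takes over, selecting by administrative distance among routes whose outgoing interface is up. It assumes a single router holding both paths; the prefix, interface names and the backup distance of 250 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    prefix: str    # destination network
    out_if: str    # outgoing interface
    distance: int  # administrative distance (lower wins)


def install(routes, if_up):
    """Build the routing table: a static route is a candidate only while its
    outgoing interface is up, and for each prefix the lowest distance wins."""
    rib = {}
    for r in routes:
        if not if_up.get(r.out_if, False):
            continue  # interface down: route is withdrawn
        best = rib.get(r.prefix)
        if best is None or r.distance < best.distance:
            rib[r.prefix] = r
    return rib


def lookup(rib, dst):
    """Longest-prefix match over installed routes; returns the outgoing
    interface name, or None when no installed route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [r for p, r in rib.items() if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    return best.out_if


# Constructed sample: one branch LAN reached over the leased line, with a
# floating backup over the IPsec tunnel (assumed names and distances).
ROUTES = [
    StaticRoute("10.1.1.0/24", "Serial0/0/0", 1),
    StaticRoute("10.1.1.0/24", "Tunnel0", 250),
]


def path(if_up, dst="10.1.1.10"):
    """Outgoing interface chosen for dst given the interface states."""
    return lookup(install(ROUTES, if_up), dst)
```

In this model, failover depends only on interface state: a leased-line fault that leaves the serial interface up keeps the primary route installed, and a tunnel interface that never goes down never withdraws the backup.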

qureshi_asrar Fri, 10/03/2008 - 03:37

Hi Satish,

I am sending you the diagram of the network required.

The first diagram shows how connectivity is with the leased line as primary & IPsec VPN tunnel as secondary, & in the second diagram the leased line of one of my branches has failed & the IPsec tunnel has to be formed. It should be from Branch A to Router-B via the Internet, then Router-A, as it has the IPLC link coming to my location.

I think with the network diagram you can understand, as HSRP & other things should be 100% up.



