
Cisco 2821 redundancy howto

godzilla0
Level 1

Hi, we now have two 2821 VPN concentrators. Is there any way to set up redundancy between them, so that when one goes down the other comes up?

Thanks.

7 Replies

Istvan_Rabai
Level 7

Yes, it's possible.

This link will give you a detailed explanation on how to implement IPSec High Availability using HSRP, giving an example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

If you need a simple configuration example, please tell.

Cheers:

Istvan

OK, so as I understand this doc, we only have to no-shutdown our free LAN interfaces on the routers, link the routers with a brand new cable, set the interfaces to a new subnet, create a crypto map to apply to the new interfaces, and then apply this block of code to each interface (don't mind the example subnet):

interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 duplex full
 speed 100
 standby 1 ip 172.16.172.53
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet0/1 150
 crypto map vpn redundancy VPNHA

interface FastEthernet0/0
 ip address 172.16.172.54 255.255.255.240
 ip directed-broadcast
 duplex full
 standby 1 ip 172.16.172.53
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet1/0
 crypto map vpn redundancy VPNHA

Thanks.

Yes, and you should create the VPN tunnel between the HSRP virtual IP address (172.16.172.53) and the remote interface.

I.e. on the remote router you should apply the "set peer 172.16.172.53" command within the static crypto map.

On the HSRP routers you will need to create dynamic crypto maps, possibly with reverse route injection.

Cheers:

Istvan
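The consistency rules implied by the two posts above (both routers share one HSRP virtual IP inside the interface subnet, the crypto map's redundancy name matches the standby name, and the remote router's "set peer" points at the virtual IP), as an added example that is not part of the thread. The function names `grab` and `check_pair` are hypothetical, the two stanzas are trimmed to the lines the check reads, and the remote crypto map is a constructed sample.

```python
import ipaddress
import re

# The two interface stanzas from the thread, trimmed to the lines checked here.
ROUTER_A = """interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 standby 1 ip 172.16.172.53
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
"""
ROUTER_B = """interface FastEthernet0/0
 ip address 172.16.172.54 255.255.255.240
 standby 1 ip 172.16.172.53
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
"""
# Constructed sample of the remote router's static crypto map (not from the thread).
REMOTE = """crypto map vpn 10 ipsec-isakmp
 set peer 172.16.172.53
"""

def grab(pattern, text):
    m = re.search(pattern, text, re.M)
    return m.groups() if m else None

def check_pair(a, b, remote):
    """List inconsistencies between two HSRP routers and the remote peer."""
    problems, seen = [], []
    for label, cfg in (("A", a), ("B", b)):
        addr = grab(r"^\s*ip address (\S+) (\S+)", cfg)
        vip = grab(r"^\s*standby \d+ ip (\S+)", cfg)
        name = grab(r"^\s*standby \d+ name (\S+)", cfg)
        red = grab(r"^\s*crypto map \S+ redundancy (\S+)", cfg)
        if not (addr and vip and name and red):
            problems.append(f"{label}: HSRP or crypto map redundancy line missing")
            continue
        net = ipaddress.ip_interface(f"{addr[0]}/{addr[1]}").network
        if ipaddress.ip_address(vip[0]) not in net:
            problems.append(f"{label}: virtual IP {vip[0]} is outside {net}")
        if red[0] != name[0]:
            problems.append(f"{label}: crypto map follows {red[0]}, standby name is {name[0]}")
        seen.append((addr[0], vip[0], name[0]))
    if len(seen) == 2:
        if seen[0][1:] != seen[1][1:]:
            problems.append("A/B: virtual IP or standby name differs")
        peer = grab(r"^\s*set peer (\S+)", remote)
        if not peer or peer[0] != seen[0][1]:
            problems.append(f"remote: set peer should be the virtual IP {seen[0][1]}")
    return problems
```

Calling `check_pair(ROUTER_A, ROUTER_B, REMOTE)` returns an empty list for the configuration as posted; a remote peer pointed at either router's physical address is reported, since the tunnel would then not follow an HSRP failover.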

Keep in mind that the configuration does NOT offer IPSec STATEFUL failover.

Yes,

Stateful failover is a different story. Only some high-end platforms have that feature.

Istvan

Platforms such as the 2851 and 3845 can support IPSec stateful failover.

That being said, IPSec stateful failover does not work well on Cisco as compared to other vendors such as Checkpoint or Juniper.

OK, I'm only interested in physical redundancy anyway. Thank you all.
