If leased line link fails, then VPN should come up

Unanswered Question
Nov 22nd, 2009

I am using 2811 routers in 5 locations (say siteA, siteB, siteC, siteD, siteE).

They are all connected through leased lines.

I want to know: if the leased line fails in 1 location (say in siteA), all the other locations (siteB, siteC, siteD, siteE) should communicate with that location (siteA) through VPN.

And communication from siteB to siteC, siteB to siteD, siteB to siteE, siteC to siteD, siteC to siteE, and siteD to siteE should continue with the existing leased line.

Your help will be highly appreciated.



Danilo Dy Sun, 11/22/2009 - 04:44

Select an internet service provider to connect SiteA to all other sites.

Configure VPN between SiteA and all other sites. Watch the security: put an ACL on the Internet-facing interface of the router to only allow connections between SiteA's Internet-facing interface IP address and all other sites' Internet-facing interface IP addresses.

All sites' primary routing should use the leased line as a gateway with the default Administrative Distance of 1.

All sites' backup routing should use each site's Internet gateway with a higher Administrative Distance than 1 (e.g. 10).

bapatsubodh Sun, 11/22/2009 - 09:21


It is a very standard practice to have a VPN over the Internet that will kick in the moment your WAN link fails.

Firstly, as posted in the earlier text, you need an Internet connection at all locations. Once you have set up the Internet connections, you can set up site-to-site VPN between locations and then add a route to the corresponding subnet with a higher administrative distance than your current routing protocol.

The second way is to form GRE tunnels between locations over the Internet connections and encrypt the data before sending it through the GRE tunnel. The beauty of GRE is that you can run the routing protocol on the GRE interfaces: run the routing protocol in your network, adjust the bandwidth of the links, and you are good to go. I can broadly imagine the scenario: all locations will have your existing router with leased-line connectivity. You will need another router at each location to terminate the Internet link, with the Advanced Security IOS to support IPsec. On the routers with the leased line, say subnet_A points to serial 0/0; you need to add another line so that subnet_A points to Eth0_of_Internet_router with a high admin distance. So when s0/0 is down, packets for subnet_A will be forwarded to the Internet router. The Internet router will forward the packet to the corresponding location either by GRE or by site-to-site VPN, whatever you have configured.



rate if possible
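
The backup design from the replies above, written out as an IOS configuration for the siteB router: an Internet-facing ACL that admits only the VPN peer, plus a primary and a floating static route to siteA. This is an added example, not configuration posted by anyone in this thread; all addresses, the interface names and the ACL name INTERNET-IN are constructed, and the site-to-site VPN itself is assumed to be configured already.

```cisco
! Added example for the siteB router; every address and name is constructed.
!   siteA LAN 10.1.0.0/24, siteA Internet-facing IP 198.51.100.1
!   siteB Internet-facing IP 203.0.113.2, ISP next hop 203.0.113.1
! Assumed: an IPsec site-to-site VPN to 198.51.100.1 is already configured
! on FastEthernet0/1 and protects traffic from the siteB LAN to 10.1.0.0/24.
!
! Internet-facing ACL: accept only IKE and ESP from siteA's peer address,
! and log everything else that is dropped.
ip access-list extended INTERNET-IN
 permit udp host 198.51.100.1 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.1 host 203.0.113.2
 deny   ip any any log
!
interface FastEthernet0/1
 description Internet uplink (VPN backup path)
 ip address 203.0.113.2 255.255.255.252
 ip access-group INTERNET-IN in
!
! Reach the VPN peer itself through the ISP.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! Primary path to siteA: leased line, default static AD of 1.
ip route 10.1.0.0 255.255.255.0 Serial0/0/0
!
! Backup path to siteA: floating static with AD 10. It is installed only
! when the primary route leaves the routing table (Serial0/0/0 goes down).
! If the leased-line routes are learned from a routing protocol instead,
! the backup AD must be higher than that protocol's AD.
ip route 10.1.0.0 255.255.255.0 203.0.113.1 10
```

On siteA the same ACL would carry one pair of permit lines per remote site, and `show ip route 10.1.0.0` on siteB shows which of the two routes is currently installed.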


