Redundant VPN advice

Unanswered Question
Dec 1st, 2009

Hello.

We are looking to implement a redundant VPN setup but I am not sure on the best way to proceed.

Originally I was looking towards hub-and-spoke but I am conscious about the loss of the central hub site and how to re-establish connections in this case.

Is Fully Meshed the best solution? How does this work in terms of routing and redundant routes?

GRE tunnels? BGP?

What is the best way to proceed?

I hope someone has put in a similar solution and can help!

Thanks.

Richard Burts Tue, 12/01/2009 - 15:37

Mike

We would need more information about the topology of your network and a better understanding of your true requirements to be able to give you good advice. For many Enterprise environments an implementation of hub and spoke is very appropriate. If there is a concern about failure of the hub router then it is easy to provision a second hub router and to have the spokes peer to both hub routers. I have implemented this several times and it works quite well.

HTH

Rick

Eduardo Aliaga Tue, 12/01/2009 - 21:47

Hi. You could implement hub and spoke with 2 hubs (one active hub and the other would be a stand-by hub). If the "active" hub goes down, then the "stand-by" hub will be the new "active" hub and all VPN sessions will continue to flow transparently.

The spokes don't need any special configuration. The hubs do need redundancy configuration:

1) If you're using Cisco IOS Routers, then you need IPSEC High Availability

http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80278edf.html

2) If you're using Cisco ASA then you just have to enable Failover

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Please rate if you find this information useful.

mikedelafield Wed, 12/02/2009 - 00:16

Hi.

HSRP and Failover aren't really options in this case.

What we are looking for is a redundant VPN setup across say 10 inter-connected sites whereby if the Hub site goes down completely (i.e. telecoms) we can re-establish the VPNs and the routing through some kind of alternate paths.

Whether the best way for this is Full Meshed or a secondary Hub in another site I don't know???

There must be some kind of best practice for this?

Richard Burts Thu, 12/03/2009 - 05:44

Mike

The Best Practice is to understand the network topology and the connectivity requirements. Based on this an optimal suggestion can be developed. Without knowing your network environment and your connectivity requirements we cannot accurately tell you whether dual hub or full mesh is a better solution.

I will observe that in my experience the dual hub is implemented much more frequently than full mesh. From that you may surmise that for many network environments dual hub is a better fit than full mesh.

HTH

Rick

mikedelafield Thu, 12/03/2009 - 05:51

We have various critical site to site VPNs and we need high availability. That is essentially that.

Dual router/ISP in each site is not a problem and is already in place in most sites, but we are more concerned about the complete loss of a site or data centre connection, particularly the Hub site, causing an outage to the whole VPN setup.

Is there a way of having a fallback setup, either through a backup Hub or a fully meshed setup?

Thanks again.

Richard Burts Thu, 12/03/2009 - 06:13

Mike

There are solutions that provide redundancy and failover. The extent of the redundancy depends on what your requirements are and has direct implications for the cost of the solution. Let me describe the redundancy provided by one of my customers (who have very serious requirements for high availability). They have implemented a hub and spoke VPN with dual hubs. They have a main data center and a backup data center in geographically separate locations. The data centers have several independent data links so that they stay in sync with each other. They have a hub router in the main data center and the backup hub is in the backup data center. Each hub router uses a different ISP (so that an outage in one provider will not impact reachability for the remote sites). Each remote site has a VPN connection to each hub. They run EIGRP over the VPN tunnels so that failover will be automatic, transparent, and fast (no manual intervention means quicker reaction and less chance for human error in the failover).

Would a solution like that work in your situation? (And would your management want to pay for that?) You can get the redundancy that you need. But first you must have a clear understanding of the requirements and a commitment to supply the resources to achieve it.

HTH

Rick
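As an added illustration of the dual-hub design Rick describes (one GRE-over-IPsec tunnel from each spoke to each hub, EIGRP across both tunnels so failover needs no manual intervention), here is a spoke-side IOS configuration; it is not from this thread or from Cisco documentation. The hub public addresses, LAN prefix, pre-shared key, interface names and EIGRP AS number are constructed placeholders.

```cisco
! Spoke router: two point-to-point GRE tunnels protected by IPsec, one to
! each hub, with EIGRP running over both. All addresses, the PSK and the
! AS number are constructed placeholders for this example.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VPN-PROF
 set transform-set TS
!
! Tunnel to the primary hub (main data center, ISP A)
interface Tunnel1
 description To HUB1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VPN-PROF
!
! Tunnel to the backup hub (backup data center, ISP B). The higher delay
! makes EIGRP prefer Tunnel1 while both are up; Tunnel2 carries traffic
! only when the primary hub or its ISP path is lost.
interface Tunnel2
 description To HUB2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 delay 2000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile VPN-PROF
!
! EIGRP peers only over the two tunnels; the site LAN is advertised to both hubs.
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 no auto-summary
```

Before relying on the failover, confirm with show crypto session and show ip eigrp neighbors that both tunnels are up and both hubs appear as neighbors, then test by taking the primary hub's path down in a maintenance window.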

mikedelafield Thu, 12/03/2009 - 07:52

Hi, thanks a lot, that might work if we decide to use routers.

Though I presume you mean using GRE over IPSEC to implement EIGRP?

Is there any possible similar solution using ASA to ASA? Could it be fashioned with static routes and route tracking?

The problem is each site is currently set up with ASAs only, but if required we could purchase routers to sit behind the firewalls.
