09-27-2010 09:02 AM
I have 3 sites (could be more) that I want to build into a fully "meshed" VPN topology. This is for testing purposes only.
I have 2 different internet providers for each site. I want to build a VPN site-to-site topology that is in essence a mesh, so that if one ISP goes down for a site, the other one will continue to work and maintain connectivity to the other sites. See attached image and imagine the center router as a cloud. I'll keep adding detail to this diagram and update as I get a clearer idea of how this should be set up in the most efficient way!
If the routers are named R1, R2, and HQ, should my crypto maps look like this:
crypto map R1R2 1 ipsec-isakmp
 description R1 to R2 tunnel
 set peer <R2 ISP 1 IP>
 set peer <R2 ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 111
!
crypto map R2HQ 1 ipsec-isakmp
 description R2 to HQ
 set peer <HQ ISP 1 IP>
 set peer <HQ ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 112
!
Or do something like this:
crypto map R1R2 1 ipsec-isakmp
 description R1 to R2 tunnel 1
 set peer <R2 ISP 1 IP>
 set transform-set proposal1
 set pfs group1
 match address 111
crypto map R1R2 2 ipsec-isakmp
 description R1 to R2 tunnel 1
 set peer <R2 ISP 2 IP>
 set transform-set proposal1
 set pfs group1
 match address 112
Or something completely different. I intend to use tunnel interfaces for each site-to-site VPN.
Cheers for the help!
09-27-2010 09:12 AM
Why don't you use DMVPN? It is easier to configure, and you will even be able to run routing protocols because of the use of the GRE tunnel. And for your scenario (high availability) it's perfect.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml
09-27-2010 09:48 AM
That looks like a great option; I was not aware of this feature. How would you suggest making use of both ISP links? In the example there, of course, they are using just one ISP link, so they have a gateway of last resort set...
I'm thinking maybe do an ip sla monitor to check if one tunnel is up and then have it put in a second gateway of last resort with a higher metric...
Then I assume I can just put 2 different "tunnel source
This seems a heck of a lot easier to set up!
Cheers!
09-27-2010 10:25 AM
I think you could use this guide
You would be using 2 DMVPNs
Thanks to the routing protocol you will be running, you can send the traffic to only 1 hub; if it fails, then use the other hub. You will have to configure 2 tunnels per spoke.
The scenario is a little bit more complicated but so much better than using site-to-site VPN. Plus, the routing will be in charge of the redundancy.
09-27-2010 01:30 PM
The main difference between "Dual Hub - Dual DMVPN Layout" and mine is that I only have 1 router at each site, and they have the site with 2 routers being their "hub". For me, do you think that I could just make a standard DMVPN and use my HQ as the hub, and then do a second DMVPN and use one of the sites as the hub, thereby achieving kind of a mesh topology that takes advantage of my dual ISP connections? I'm currently working on getting the first DMVPN set up with the HQ as the "hub" and having a bit of trouble with the VPN tunnel flapping up and down. When I have a chance I'll update my Visio and then post some configs, and maybe someone will have an idea as to why it is flapping...
09-27-2010 01:48 PM
Are you using a routing protocol?
If EIGRP, remember to put the no ip split-horizon eigrp X and the no ip next-hop-self eigrp X.
I am not sure, but I think you should be able to create the dual layout. You have a different interface with a different IP. Just configure the hub with 2 tunnels, with different IP addressing of course. This redundancy is only effective if the ISP fails, of course, because if for any reason the hub router hardware fails nothing is going to work.
09-27-2010 03:59 PM
Hi, you can try a hub and spoke configuration. I think this is what you are looking for. I tried it 2 weeks ago and it worked great. If you need help to configure it, let me know.
Good Luck