09-30-2010 02:12 AM
Hello, I'm a student from Greece and I have a graduation project to set up a backup VPN between two universities. Primary communication is accomplished with leased lines. I have studied a lot, but now that it is time for implementation I have some considerations:
- What hardware and software IOS do I need? Is a Cisco 1841 OK for the A-D routers?
- Use IPsec tunnel mode or IPsec GRE transport mode?
- What will be the failover mechanism switching the traffic from the leased line to the IP backup VPN and the opposite? One professor told me something about interface priorities. I have read somewhere that this is done with a routing protocol such as EIGRP. Who is right, the professor or the book? :-D
- At one site they have a firewall and NAT; do I need to do any actions for that?
The attached file contains the topology that I want to implement.
Site 1 "my" spoke
Site 2 Central Site
E communicates with A, but no traffic goes to A from E under normal circumstances. The subnet on E gets Internet access through F and then D. The VPN will be set up over DSL, but only traffic from a specific E source will get through the backdoor VPN (I believe the solution to this is ACLs on router A). They have no routing protocol on "my" site A, only directly connected routers and default routes.
How to implement this?
I think that the first thing I should do is A to D connectivity.
I'll try to make this in Packet Tracer first, but how can I emulate the SP network?
I will need any help I can get!!
09-30-2010 07:04 PM
Hi John,
In our scenario, since our primary connection is a direct leased line between E and F, I am assuming that there is no other network between the two routers. In this case we won't have to configure SLA monitoring or any interface priority. We can just enter two default routes:
ip route
ip route
In this scenario, if the leased line interface goes down, the second default route kicks in and the traffic would be routed through router A.
SLA monitoring monitors a connection (using ping tests) through one of the interfaces on the router, and when we are not able to ping some server (specified in the SLA configuration) through the interface, we change the default route to route the traffic through another interface.
So, in your scenario, we can monitor the link between E and F, and when the link goes down we can change the default route to point to A.
This is useful in the scenario when we have another ISP connection as our primary connection.
Here is a link on how to configure SLA monitoring on the router:
http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsicmp.html
After configuring SLA monitoring using the above link you can link it to the default route using the following route command:
ip route
ip route
Also, the configuration example which you have given in the doc is almost correct, just that the transform set is missing a hash algorithm. Here is a link with an example of a LAN-to-LAN tunnel between two routers:
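To illustrate the "transform set is missing a hash algorithm" point above, here is a constructed IOS configuration for router A (the site 1 DSL router); it is an added example, not the thread's attachment or Cisco's linked document. All addresses, the peer (router D at 198.51.100.1), the outside interface (Dialer0), the ACL and object names, and the pre-shared key placeholder are assumptions; the transform set carries both an ESP cipher and an ESP HMAC so that traffic is authenticated as well as encrypted, and the crypto ACL limits the tunnel to the specific E-side source subnet the thread describes.

```cisco
! Router A (site 1, DSL side) - constructed example, not the thread's own config.
! Assumptions: peer D = 198.51.100.1, outside interface Dialer0,
! protected traffic = E subnet 10.1.2.0/24 -> site 2 10.2.0.0/16.
!
! IKE phase 1 policy: PSK authentication, AES encryption, SHA integrity
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Pre-shared key is a placeholder; use a long random secret in practice
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.1
!
! IKE phase 2 transform set: esp-aes gives confidentiality,
! esp-sha-hmac is the hash/integrity algorithm that was missing
crypto ipsec transform-set UNI-TS esp-aes 256 esp-sha-hmac
!
! Only the specific E-side source is "interesting" traffic for the tunnel;
! the students' network on A is deliberately not matched here
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.2.0 0.0.0.255 10.2.0.0 0.0.255.255
!
crypto map UNI-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set UNI-TS
 match address VPN-TRAFFIC
!
interface Dialer0
 crypto map UNI-MAP
```

Router D needs the mirror-image configuration (peer A, the same PSK and transform set, and the crypto ACL with source and destination swapped); after both sides are up, `show crypto isakmp sa` and `show crypto ipsec sa` confirm the phase 1 and phase 2 security associations.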
10-01-2010 05:47 PM
Hi John,
Yup, you have got both the points correctly.
For point 1, 254 is the metric of the route. We specify a higher metric here because if both the routes have the same metric then E will start load balancing between the two routes and we want E to use the default route to A only as a backup. So, we specify the metric so that the default route to A is used only when the main default route (default route to F) goes down.
I have attached a doc with the same example. I hope that helps.
Regards,
Apaar
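The two cases discussed above (a directly connected leased line, and a leased line with another network in between that needs SLA monitoring) in one constructed router E configuration; this is an added example, not the attached doc or any config from the thread. The addresses (F's leased-line end 192.0.2.2 on Serial0/0/0, A's LAN address 10.1.1.2) and the IP SLA / track syntax, which varies between IOS 12.4 releases, are assumptions.

```cisco
! Router E (site 1 default gateway) - constructed example, not from the thread.
! Assumptions: F reachable at 192.0.2.2 via Serial0/0/0, A at 10.1.1.2.
!
! --- Case 1: E and F directly connected ---
! Only the two default routes are needed. When Serial0/0/0 goes down the
! first route is withdrawn and the floating route (AD 254) takes over;
! with equal distance E would load-balance instead of failing over.
ip route 0.0.0.0 0.0.0.0 192.0.2.2
ip route 0.0.0.0 0.0.0.0 10.1.1.2 254
!
! --- Case 2: another network between E and F ---
! The interface may stay up while the far end is unreachable, so an IP SLA
! probe pings F every 10 s and a track object follows its reachability.
ip sla 1
 icmp-echo 192.0.2.2 source-interface Serial0/0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Replace the case 1 primary route with a tracked one: it is removed from
! the routing table when the probe fails, and the AD 254 route takes over.
no ip route 0.0.0.0 0.0.0.0 192.0.2.2
ip route 0.0.0.0 0.0.0.0 192.0.2.2 track 1
ip route 0.0.0.0 0.0.0.0 10.1.1.2 254
```

`show ip route 0.0.0.0` shows which default route is currently installed, and `show track 1` shows the probe state; the same pattern applies on router F for the return path if site 2 also relies on a static default route.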
09-30-2010 06:19 AM
Hi John,
From your problem description I understand that you have a primary leased line between the two sites (E and F) and you want the VPN tunnel (between B and C) as the backup, i.e., traffic should pass from site 1 to site 2 through the VPN tunnel only if the primary (leased line) link is down. The default gateway at site 1 is E, and when the leased line is down, E should route the traffic to A, which should then send it through the VPN tunnel to C.
-- You can use either IPSec tunnel mode or GRE transport mode; the advantage of GRE would be that you would be able to run a routing protocol between the two sites. However, since you mentioned that you are using only static routes, a normal IPSec tunnel would do.
-- We usually use default routes to route traffic to the remote end or the Internet. So, in case your primary default route is through the leased lines (on router E) then you can configure SLA monitoring on router E to route traffic to router A (this is assuming that the PCs at site 1 have router E as their default gateway). Similarly we might have to do SLA monitoring on router F as well, depending upon the routing at site 2.
-- If you have configured a firewall and NAT on any routers from A to D then you will have to allow the traffic through that firewall using the MPF/access-lists configured.
-- To allow only certain traffic to go through the VPN tunnel from site 1 to site 2, the simplest way would be to use access-lists on router A or router C and block the unwanted traffic.
09-30-2010 07:06 AM
Actually routers B and C are SP routers and are inside the cloud, so the tunnel will be between A-D. That's correct: subnets have E as the default gateway and will use the tunnel through A-D in case of failover. Router A also has subnets (students' network), but that traffic will not pass through the tunnel.
ACLs will select traffic through the tunnel and also permit certain traffic from it (passing the firewall and NAT); OK, I understand this.
So I will set up an IPSec tunnel at the A-D routers (with no routing protocol), but I didn't get that thing with SLAs. How can I configure this? Is there any way to set up interface priorities at E and F? Can I use admin distance as the failover mechanism?
For IPSec I will set up pre-shared keys. I must configure IPSec and IKE as follows in the example of the picture, right?
10-01-2010 03:56 AM
So let's see if I get it right. There are 2 cases:
1 - E and F directly connected with no networks between them, and simply add static routes to E:
ip route
ip route
where 254 is the metric?
What if (for the 1st ip route) they have a default route:
ip route 0.0.0.0 0.0.0.0.0
I haven't seen the routing table on E yet (I'll take a look on Monday), but I think that this is a big probability.
2 - E and F with networks between them (2nd tunnel through another ISP, with E and F being like the A-D DSL routers):
Configure router E with SLAs from the "1st link" that you posted.
ip route
ip route
Both cases: I'll configure A and D with IPSec from link 2.
But I don't have access to that link. Is there any way to get access or to see the file of that link?
I think that the first one is my case, but it's good to see any other possibilities!!
10-02-2010 03:36 AM
Hi Apaar,
Great. I think that this will work !!
Although perhaps there is one last issue about flickering, when the leased line goes down for a few seconds. Can I do anything about that?
Thanks,
John
10-02-2010 10:18 PM
Hi John,
As soon as the leased line goes down the interface will go down, and as soon as the interface goes down the default route through the leased line will be deleted and the backup default route will be installed in the routing table. This change will be instantaneous. After that, as soon as the interface comes up, the old default route (through the leased line) will come back without any delay. So, even in such cases there should be no loss in service except for maybe a couple of packet drops.
However, if you are concerned about the flickering of the leased line then I would suggest that you start a discussion in the WAN team; they will be the right guys to help you out with this query.
Regards,
Apaar
10-03-2010 08:45 AM
Hi Apaar,
I'll implement this scenario to see it in action. If I have any problem with flickering, your advice is the first thing I shall do!
Really, this discussion was very helpful. I couldn't see the solution to this problem so clearly without your help.
Once again,
Thanks,
John