
Ask the VIP: Network Path Redundancy Design

Apr 5th, 2012

Marwan Al-shawi

Cisco Support Community Ask the VIP conversation.

Learn about Network Path Redundancy Design from Cisco Designated VIP Marwan Al-shawi.

Marwan Al-shawi is a senior network engineer and technical consultant with Dimension Data Australia, a Cisco Global alliance partner that is part of the largest telecommunications company in Japan and Asia. He has also worked as a network architect with IBM Australia, global technology services, and other Cisco partners and IT integrators. He holds a master of science degree in internetworking from the University of Technology, Sydney, and holds Cisco certifications including CCNP, CCSP, CCDP, Cisco Unified Computing Technology Support Specialist, and CCDE (written).    

Remember to use the rating system to let Marwan know if you have received an adequate response. 


Marwan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through May 4, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

Sebastian Garcia Tue, 04/24/2012 - 10:53

Hello Marwan,

I have an HQ site connected to 50 remote sites over an MPLS ISP with any-to-any routing connectivity; each site has its own Internet connection.

What is the best way to use the Internet link as a backup path in case the MPLS/ISP link fails?

Marwan ALshawi Tue, 04/24/2012 - 16:42

Hi Sebastian,

As long as you have a local Internet connection at each site, the simplest way to connect all of the sites together over the Internet, with minimal configuration overhead, securely and without complexity, is by using DMVPN, where only a single tunnel interface is required at each of the HQ and remote sites (no need for complex full-mesh tunnels per site!).

DMVPN provides the ability to have a hub-and-spoke topology, where the HQ site acts as the DMVPN hub and the remote sites as spokes. In addition, you can run routing over the DMVPN tunnels, and by using routing you can control the path selection so that the MPLS/ISP path is preferred over DMVPN, using an IGP such as EIGRP.

Once the MPLS link fails, this link can take over, and it can also give you direct spoke-to-spoke communication if required.

Please check out the links below for more ideas and details of how it can be designed.

Make sure the edge devices can support DMVPN (Cisco routers do, but firewalls don't).
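An added example, not from the thread and not Marwan's own configuration, of the spoke side of the design he describes: one mGRE tunnel over the local Internet link, EIGRP across it, and the tunnel's delay raised so the MPLS path wins while it is up. The hub addresses, AS number, interface names, LAN subnet and the PE-CE EIGRP peering on the MPLS side are all assumed.

```cisco
! Added example (not from the thread). Assumed: hub public address 203.0.113.1,
! hub tunnel address 10.255.0.1, EIGRP AS 100, Internet interface Gi0/1,
! MPLS PE-CE link on Gi0/2 running EIGRP with the provider, LAN on Gi0/0.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
! wildcard PSK because spoke public addresses are dynamic; certificates are
! the stronger choice where a PKI is available
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN to HQ hub (backup path to MPLS)
 ip address 10.255.0.2 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication DMVPNKEY
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
! delay is in tens of microseconds: 100000 = 1 s, far above the MPLS-facing
! interface, so EIGRP keeps the MPLS path as the successor while it is up
 delay 100000
!
router eigrp 100
! tunnel subnet, MPLS PE-CE link and site LAN (all assumed values)
 network 10.255.0.0 0.0.0.255
 network 172.16.20.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 passive-interface GigabitEthernet0/0
!
! Verify with "show ip route" and "show ip eigrp topology": HQ prefixes should
! point at the MPLS next hop, with 10.255.0.1 (Tunnel0) as the feasible
! successor that takes over when the PE adjacency on Gi0/2 is lost.
```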



irina.shishkina.23 Wed, 04/25/2012 - 11:57

Hi Marwan,

I would like to know what the technical difference is between VSS and vPC when used in a Data Center Distribution layer.

Thank you for your prompt response,


Marwan ALshawi Thu, 04/26/2012 - 05:30

Hi Irina,

Although VSS and vPC can both provide a similar logical topology with no dependency on STP (both virtualize/cluster two physical switches to appear as one switch, and from a control plane point of view all links are forwarding over both switches),

from a control plane point of view vPC differs from VSS: with vPC each physical switch uses its own control plane, while with VSS the control planes work in active/standby mode.

Also, with VSS you can manage both switches of the VSS pair via one management interface using the active VSS peer, while with vPC each vPC peer is managed independently.

From a design point of view both can be used in the data center distribution layer, and the technology selection depends on the network requirements and hardware needs. For example, if there is a need for a high-performance system with a high density of 10G links, then vPC is the better choice: a redundant and scalable design using Nexus switches can provide a high-performance system with a high density of 10G ports, designed with vPC so that all links are in a forwarding state with no STP blocking.

irina.shishkina.23 Fri, 05/04/2012 - 08:45

Thank you for your answer, Marwan. Here is another question:

How can I utilize two Internet links on the same router to send HTTP/HTTPS over one link and the rest of the traffic over the other link, so that if either link fails it will fail over to the remaining one? Is there any advantage to using a Cisco ASR 1000 in this case?

Thank you very much for your prompt response.


towry_support Thu, 04/26/2012 - 06:36

Hi Marwan,

Imagine a world where cloud services become the key enabler for businesses and the criticality of access to these services becomes paramount (we are almost getting to that point).

Is IP SLA link tracking the best method to use for critical failover of Internet access between multiple sites (primary and secondary data centres)? Will it work?

I'm aware of other more complex solutions but am thinking of keeping it simple...



chandra1677 Thu, 04/26/2012 - 14:31

Hi Marwan:

Are you aware whether the CISCO-PORT-CHANNEL MIB is completely supported on Nexus 5K/7K? I am trying to retrieve portChannel table info through the MIB and am not getting any data.



Marwan ALshawi Thu, 04/26/2012 - 18:34

Yes Michael, IP SLA can be very useful in this case.

Generally speaking, Cisco IP SLA can add some intelligence to routing and path selection: you can track the interface state or the existence of a specific route in the routing table, and if a condition is met you can change or remove a preconfigured route, for example a static route with an IP SLA track.

However, if you have those two Internet links connected to two separate edge Internet routers, then you need to take into consideration how to align this IP SLA with the route selection/preference from the LAN side, as it depends on how the LAN communicates with the edge routers in this case, such as using an IGP, iBGP or HSRP. In this situation Cisco Performance Routing (PfR) can be useful too.


Hope this helps
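An added example, not from the thread, of the single-router form of what Marwan describes: a static default route that is withdrawn when an IP SLA probe fails and a floating static over the second link that takes its place. It also shows the host route that pins the probe to the primary link, without which the probe would follow the new default after failover and the track would never fall. All addresses and interface names are assumed.

```cisco
! Added example (not from the thread). Assumed: ISP-A next hop 192.0.2.1 on
! Gi0/1, ISP-B next hop 198.51.100.1 on Gi0/2, probe target 192.0.2.10 (a
! reliable host beyond the ISP-A first hop, so an upstream failure is seen too).
ip sla 10
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/1
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
! damp short outages so the default route does not flap
 delay down 15 up 30
!
! Pin the probe target to ISP-A. Without this host route the probe would be
! routed via ISP-B once the floating default is active and would report
! "reachable" forever, so the router would never fail back.
ip route 192.0.2.10 255.255.255.255 192.0.2.1
!
! primary default, removed from the RIB while track 10 is down
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 10
! floating static via ISP-B (AD 250), installed only when the primary is gone
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! Verify: "show track 10" (state Up/Down) and "show ip route 0.0.0.0".
! If the router also does NAT, the inside-to-outside translations must be
! tied to the active link (e.g. route-map based NAT per interface), or sessions
! will still break at failover even though the route has moved.
```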


Marwan ALshawi Thu, 04/26/2012 - 18:38

Hi Chandra

You need to post your question on the relevant forum/sub-forum, as it's not related to the topic we are discussing here.

I recommend you post it under the Data Center or Network Management sub-forum.



minhtu_pro Sun, 04/29/2012 - 18:26

Hi Marwan,

Both MPLS-TE FRR and IP FRR have the capability to minimize packet loss. The question is, can I use both of them?

Thank you,


Marwan ALshawi Mon, 04/30/2012 - 14:22

Hi Tu,

MPLS-TE FRR is widely deployed, while IP FRR is new compared to MPLS-TE FRR. IP FRR offers some benefits that you might be aware of, such as:

- Sub-50 msec convergence without using RSVP-TE.
- Simple operation with minimal configuration.
- Superior LFA scaling without a tunnel requirement.
- Incremental deployment with no interoperability requirement. There is no change to the standards-based IGP protocols; the IP FRR capability is internal to a box.
- Applicable to pure IP (IP FRR) and MPLS (LDP FRR) networks.

But there is little documentation about IP FRR as it is less deployed than MPLS-TE FRR. I have never been in a situation where I needed both! However, you might have a situation where you need both, but in general from a design point of view it is not good practice to have a lot of redundancy and redundancy mechanisms, especially as both technologies above achieve the same goal. I would say just choose the one most suitable for your network/core and supported on your platforms, and always keep it simple and straight without adding an additional layer of complexity that makes it hard to troubleshoot, unless you have to due to network or topology limitations.

hope this helps

Sarah Staker Mon, 04/30/2012 - 09:26

Hi Marwan,

This is our situation: we have an Internet router connected to an Internet ISP, and from the LAN there is a firewall cluster that uses a default route to this router for Internet access. We are planning to add a second router using a different ISP as a standby/backup router to the current one. What is the best way to do it, and do we need iBGP between those two routers if we use eBGP with each ISP?

Thank you for your answer.


Marwan ALshawi Mon, 04/30/2012 - 14:36

Hi Sara,

Since you are using a static default route from the FWs to the Internet router, once you add the new router you can use HSRP without using iBGP or an IGP (keep it simple), and in this case you can use the current internal router IP as the HSRP VIP to avoid making any change on the firewall.

For active/standby in the outbound direction, HSRP can control this by increasing the HSRP priority on the active router.

However, HSRP by itself will not fail over unless the internal link or router goes down. But by using some advanced IOS features such as enhanced object tracking you can track the default route received from the ISP over eBGP on the active router, and once this default route disappears from the routing table (due to BGP or ISP link failure) HSRP can decrement the priority on the active HSRP peer and force failover to the secondary HSRP peer. In this case HSRP becomes more network-aware and reliable for active/standby Internet access.

If you have a public IP range to be advertised over both ISPs/links, you can use some BGP policies such as BGP AS-path manipulation to make the active router the preferred path for inbound traffic for that IP range, to avoid asymmetric routing situations.
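An added example, not from the thread, of the two-router design Marwan describes: HSRP on the inside segment keeps the firewall's existing next hop as the VIP, enhanced object tracking of the eBGP-learned default route lowers the active router's priority when the ISP path disappears, and AS-path prepending on the standby router keeps inbound traffic on the active one. All IP addresses, AS numbers and interface names are assumed.

```cisco
! Added example (not from the thread). Assumed: inside segment 192.0.2.0/24 with
! the existing router IP 192.0.2.1 reused as the HSRP VIP, own AS 65001,
! ISP-A AS 65100 (R1) and ISP-B AS 65200 (R2), public range 203.0.113.0/24.
!
! ===== R1 (current router, HSRP active) =====
! up while an exact default route (learned from ISP-A over eBGP) is in the RIB
track 20 ip route 0.0.0.0/0 reachability
!
interface GigabitEthernet0/0
 description Inside - firewall cluster segment
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
! 110 - 20 = 90 < R2's default priority 100, so R2 takes over when track 20 falls
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 20 decrement 20
!
router bgp 65001
 neighbor 198.51.100.1 remote-as 65100
 neighbor 198.51.100.1 description ISP-A
 network 203.0.113.0 mask 255.255.255.0
!
! ===== R2 (new router, HSRP standby) =====
interface GigabitEthernet0/0
 description Inside - firewall cluster segment
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 preempt
!
! prepend own AS towards ISP-B so the Internet prefers the path via R1/ISP-A
! for 203.0.113.0/24 while R1 is active (inbound matches outbound)
route-map PREPEND-OUT permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 neighbor 198.51.100.5 remote-as 65200
 neighbor 198.51.100.5 description ISP-B
 neighbor 198.51.100.5 route-map PREPEND-OUT out
 network 203.0.113.0 mask 255.255.255.0
!
! Verify on R1: "show track 20" and "show standby brief"; clearing the ISP-A
! session ("clear ip bgp 198.51.100.1") should drop track 20 and move the
! HSRP active role to R2 without any change on the firewall.
```

Inbound traffic still lands on R1 during an ISP-A outage until ISP-A's advertisement of the range is withdrawn; that withdrawal is driven by the BGP session going down, not by HSRP.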



hooperp Tue, 05/01/2012 - 06:25

Hello Marwan,

My question involves a design very similar to your response to Sara. In our implementation there are 2 routers at a spoke site running HSRP. The routers connect to different MPLS providers and have DMVPN tunnels to 2 Hubs (one Hub is a back-up site). Over the DMVPN tunnels we run EIGRP as the routing protocol between Hub and Spoke.

Currently we use EIGRP distribute-lists to try and avoid asymmetric routing. The distribute list increases the metric on the HSRP Standby router so that 2-way traffic takes the Active HSRP device.

HSRP is configured to track a route that is being announced by the Primary Hub. If the route is missing then HSRP will fail to the secondary router, which also has an EIGRP peer to the Primary Hub. We also track based on IPSLA for Latency and Packet loss across the Provider MPLS network to the Primary Hub.

The problem that we encounter with the above design is that if the Active HSRP router changes while EIGRP neighbor adjacencies to the Hub are still up on the former Active router then we may encounter asymmetric routing.

So, my question is: "Is there a way to manipulate route metrics based on the state of HSRP?"

Marwan ALshawi Tue, 05/01/2012 - 18:02


So your problem is when the HSRP track goes to the down state (let's say when there is latency, for example) but the actual DMVPN mGRE tunnel is still up. In this case it keeps advertising your LAN to the hub via the "previous active" HSRP router, while outgoing traffic using HSRP goes out via the second HSRP router (the "current active" HSRP).

If this is the case, then one simple way you can fix it is by using Cisco Embedded Event Manager (EEM),

where EEM can watch the state of the track used in HSRP (on the primary/active router), and when it goes to the down state it can add an offset-list to the EIGRP configuration to increase the advertised LAN route metric.

Then, when the track state comes back up, another EEM applet will remove the command to put it back to the original config.

This might require some seconds to converge.

Below is an example config you can try on the active/primary HSRP router only.

Assuming in this example the track being used is "track 10", the EIGRP AS is "100", the DMVPN tunnel interface is "tunnel1" and the LAN subnet is

And make sure that the EIGRP metric value below is something higher than the value the secondary HSRP router uses with the distribute-list you mentioned; this is to make the former active HSRP router's EIGRP routes less preferred by the hub site during a failover situation.

! offset-list matches a standard access-list, not a prefix-list;
! the LAN subnet and wildcard mask are left as placeholders here
access-list 1 permit <LAN subnet> <wildcard mask>
!
! on track 10 going down: add 100 to the metric of LAN routes sent out Tunnel1
event manager applet EIGRP-1
 event track 10 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "router eigrp 100"
 action 1.3 cli command "offset-list 1 out 100 tunnel 1"
 action 1.4 cli command "end"
!
! on track 10 coming back up: remove the offset so the original metric returns
event manager applet EIGRP-2
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "router eigrp 100"
 action 1.3 cli command "no offset-list 1 out 100 tunnel 1"
 action 1.4 cli command "end"

Please note this is just an example; it is highly recommended that you test it before using it in a production network.

EEM is a very powerful IOS feature with which you can automate a lot of network failover and add an additional level of network topology awareness to the failover for unconventional requirements such as your case above.

Hope this helps.

bwilloby46 Wed, 05/02/2012 - 08:30

Hello Marwan,

My question involves failover routing over an IPsec/GRE tunnel. We currently have 20 spoke sites connecting to one central datacenter over MPLS, all via T1 or bundled T1s. Every local LAN at each spoke and the datacenter runs EIGRP (same AS across the board). This EIGRP process is redistributed into BGP at each location to traverse the MPLS WAN.

AT&T upgraded our network a year or so back and we were forced to go to BGP over the WAN. We were using EIGRP with no static and no connected redistribution everywhere before the upgrade and had IPsec backups on our equipment. With only the EIGRP process, all worked great. We had a couple of static routes for the tunnel and ISAKMP, and added the tunnel IP to the EIGRP process with a delay on the tunnel interface. No need for a floating static; we let EIGRP do all the work. The failover worked fantastically and flipped back once the serial WAN returned to the active state. Now that we have implemented a different WAN protocol (BGP) with EIGRP redistributing into it, I cannot get failover to work properly. I have to remove the tunnel network from EIGRP now, otherwise a routing loop occurs and the connections fight to establish routes, causing loss of functionality. There has to be something I am missing to make EIGRP use the failover when the MPLS BGP WAN goes down. I can attach a snippet of config if needed. Thanks for any assistance.


Marwan ALshawi Wed, 05/02/2012 - 15:00


Are you using DMVPN with mGRE protected by IPsec, or not? If not, I recommend you use it, as it's more scalable and simplifies your routing and failover design.

About your failover issue, I am not sure how you configured your routers; however, if you receive the same routes over eBGP and EIGRP then it should be simple, as eBGP will be preferred! And do NOT redistribute between EIGRP and BGP; keep them separate on the same router, and if you need to advertise specific routes learned via EIGRP from the LAN over BGP, you can use the network command under the BGP config in this case, without redistribution.

For the tunnel IPsec/GRE connection, I would say keep the static route to make sure that the tunnel uses one interface to establish the tunnel and does not go over the eBGP path, which might cause issues (on both ends of the tunnel). In this case you will have the tunnel established and up with EIGRP, and each router will choose between eBGP and EIGRP routes locally (no redistribution between EIGRP and BGP required here), and once the preferred route over eBGP, for example, disappears, the second protocol's (EIGRP) routes will be considered!

See the document below; although it is about DMVPN, the concept is still applicable to IPsec over GRE.

Hope this helps.
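An added example, not from the thread and not the poster's configuration, of the spoke-side arrangement Marwan recommends: a host route pins the tunnel endpoint to the Internet interface so the GRE/IPsec tunnel can never be routed over the MPLS WAN, EIGRP runs across the tunnel and BGP towards the provider without any redistribution, and the LAN prefix is placed into BGP with a network statement. Because eBGP (AD 20) beats EIGRP (AD 90), the MPLS path wins while it is up and the tunnel path is used as soon as it is gone. Addresses, AS numbers, interface names and the IPsec profile name are assumed.

```cisco
! Added example (not from the thread). Assumed: Internet next hop 198.51.100.1 on
! Gi0/1, datacenter tunnel endpoint 203.0.113.10, MPLS PE 10.10.20.1 in AS 65100
! on Serial0/0/0, own AS 65020, LAN 192.168.20.0/24 on Gi0/0, an existing IPsec
! profile BACKUP-PROF, datacenter LAN 192.168.10.0/24.
!
! Pin the far tunnel endpoint to the Internet path. If this host route is ever
! learned via BGP instead, the tunnel is built over the WAN it is supposed to
! back up (do the same on the datacenter end for this spoke's address).
ip route 203.0.113.10 255.255.255.255 198.51.100.1
!
interface Tunnel1
 description GRE/IPsec backup to datacenter
 ip address 10.254.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile BACKUP-PROF
!
! EIGRP covers the LAN and the tunnel only; the WAN is not part of this process
router eigrp 100
 network 10.254.1.0 0.0.0.3
 network 192.168.20.0 0.0.0.255
 passive-interface GigabitEthernet0/0
!
! BGP towards the provider. No "redistribute eigrp": the LAN prefix is injected
! with a network statement (it is connected, so it is always in the RIB).
router bgp 65020
 neighbor 10.10.20.1 remote-as 65100
 network 192.168.20.0 mask 255.255.255.0
!
! Verify: "show ip route 192.168.10.0" shows the datacenter LAN via BGP [20/..]
! while the PE session is up; after "shutdown" on Serial0/0/0 the same prefix
! appears via EIGRP [90/..] through Tunnel1, and no loop forms because neither
! protocol ever sees the other's routes.
```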

saquib.tandel Thu, 05/03/2012 - 05:06

Hi Marwan

Are there any limitations for IP SLA with EEM?

Here is the IP SLA example

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

ip sla 1
icmp-echo source-interface FastEthernet0/0
threshold 500
ip sla schedule 1 life forever start-time now

ip sla 2
icmp-echo source-interface FastEthernet0/1
threshold 500
ip sla schedule 2 life forever start-time now

show ip sla statistics
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 67 milliseconds
Latest operation start time: *12:34:14.449 UTC Thu May 3 2012
Latest operation return code: OK
Number of successes: 37
Number of failures: 0
Operation time to live: Forever

IPSLA operation id: 2
        Latest RTT: 892 milliseconds
Latest operation start time: *12:34:14.649 UTC Thu May 3 2012
Latest operation return code: Over threshold
Number of successes: 37
Number of failures: 0
Operation time to live: Forever

When the IP SLA fails the router should trigger an alert via email, but this seems not to be working. If you have had a similar case before that worked, then please share your thoughts.



Marwan ALshawi Thu, 05/03/2012 - 15:37


This is a configuration and EEM issue which is not directly related to the topic discussed here.

I would recommend you post your question under the Network Management sub-forum.

However, have a look at the links below; they might be helpful.


Sarah Staker Thu, 05/03/2012 - 07:10


Thank you for your answer, extremely helpful. Another question: I was reading a document saying that the Cisco Nexus 7000 can be configured as access and distribution in the data center using the same physical box with VDCs. When can this option be used?

Marwan ALshawi Thu, 05/03/2012 - 15:42

Hi Sarah

Virtual device contexts (VDCs) can be used to virtualize the device itself, presenting the physical switch as multiple logical devices. Each VDC contains its own unique and independent set of VLANs and VRFs, and each VDC can have physical ports assigned to it, thus allowing the hardware data plane to be virtualized as well.

Based on that, Cisco supports what is called a Collapsed Architecture with the Nexus 7000 using VDCs, where for example small to medium data centers can get the benefit of a redundant and hierarchical DC design model with a smaller number of N7K physical chassis, which makes it a cost-effective solution.

For example, a chassis can be a mix of F1/F2/M1 line cards; the virtualized access layer needs Layer 2 capabilities only (Cisco N2K FEXs can be used here to increase access port density), while the virtualized distribution layer requires a line card that supports L3 functionality.

Hope this helps.

