I am in the process of working out a failover network. We have a 10 Mbit line coming in from XO and 2 T1s coming from Sprint. I have a 2811 with the advsecurity IOS for firewall and VPN. Here is what we want to achieve. We have 4 sites all connected via PIX point-to-point VPNs. I want to take the PIXes out of the equation, and use the 2811s as the firewalls and VPN. In a normal situation all sites would be talking on their XO links. If XO goes down I want the T1s to kick in. Is this possible?
Yes, 1 router, 2 T1 NICs; the 10 Mbit connects to Fa0/1. Yes, different public IP addresses for XO and Sprint. I really want the Sprint links to be quiet till needed; that will allow me to build site to site using IP-based VPN. As long as the Sprint link is quiet till the XO goes down, then we don't get the VPN being initiated to the same site on 2 different IPs. If I cannot get that to work, the metric will be the way to go. Right now I have the 2 T1 Sprint links to test with, as the XO is production. So my default route goes to Se0/0/0 and my metric 2 goes to 0/1/0; when I fail over Se0/0/0, Se0/1/0 picks up just fine, but when I bring Se0/0/0 back up, traffic still goes out Se0/1/0.
Yes, it is possible to create VPN to two different sites on your router. Please see the sample config below:
On your remote router, when you configure the crypto map, you will configure something like:
crypto map mymap 10 ipsec-isakmp
 ! primary peer (XO address) is tried first, secondary (T1 address) if it does not respond
 set peer a.b.c.d
 set peer e.f.g.h
 ! transform-set name must be a single token, matching the name defined with "crypto ipsec transform-set"
 set transform-set myset
 ! XXX is the number of the crypto ACL defining the interesting traffic
 match address XXX
Where a.b.c.d is the IP of the primary router interface and e.f.g.h is the IP of the secondary interface.
On your HO routers you will use a combination of static and floating static routes to reach the remote sites and then configure the crypto map for each side. This will make sure that as long as your XO interface is up, the remote peer will be reachable via it, and when it is down it will take the T1's route.
Thanks, I was aware of this. The issue I am having is like this. I have 2 T1s set up on the test router right now. I have 2 NATs set up to NAT 172.16.5.0-172.16.5.255, one to Se0/0/0 with ACL 1 and one for Se0/1/0 with ACL 5. I have routes for 0.0.0.0 0.0.0.0 Se0/0/0 metric 1 and 0.0.0.0 0.0.0.0 Se0/1/0 metric 2. Does this sound right, or am I going down the wrong path?
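As an added example (not configuration posted in this thread, and not a Cisco reference config), here is how the head-office side of the design described in the reply above and in the NAT/route question can be put together on one 2811: a tracked primary default route out the XO link, a floating static via Sprint, per-interface NAT selected by route-map, and one crypto map per WAN interface so the Sprint peer only negotiates once traffic is actually routed that way. It assumes the production layout (XO on Fa0/1, a Sprint T1 on Se0/0/0); the same pattern applies to the two serial interfaces used for testing. All addresses are constructed placeholders from the documentation ranges, 172.16.6.0/24 is an assumed remote-site LAN, 203.0.113.2 an assumed remote peer, and the `ip sla` / `track` syntax assumes a 12.4T-era IOS.

```cisco
! Added example, not from the thread. XO primary on Fa0/1, Sprint T1 backup on Se0/0/0.
! Addresses are constructed placeholders; 172.16.5.0/24 is the inside LAN from the thread.
!
interface FastEthernet0/0
 description Inside LAN
 ip address 172.16.5.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description XO 10 Mbit (primary)
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
 crypto map MAP-XO
!
interface Serial0/0/0
 description Sprint T1 (backup)
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 crypto map MAP-SPRINT
!
! Probe the XO next hop. Tying the primary default route to this track object
! withdraws the route when the XO path fails (even if Fa0/1 stays up/up) and
! reinstalls it as soon as the probe succeeds again.
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Primary default route (AD 1, present only while track 1 is up) and a floating
! static (AD 250) via Sprint that is installed only when the primary is gone.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
!
! NAT: one translation rule per WAN interface. The route-maps match on the exit
! interface, so translations follow whichever default route is currently active.
! Site-to-site traffic is denied in ACL 100 so it reaches the crypto map untranslated.
access-list 100 deny   ip 172.16.5.0 0.0.0.255 172.16.6.0 0.0.0.255
access-list 100 permit ip 172.16.5.0 0.0.0.255 any
route-map NAT-XO permit 10
 match ip address 100
 match interface FastEthernet0/1
route-map NAT-SPRINT permit 10
 match ip address 100
 match interface Serial0/0/0
ip nat inside source route-map NAT-XO interface FastEthernet0/1 overload
ip nat inside source route-map NAT-SPRINT interface Serial0/0/0 overload
!
! IPsec: one crypto map per WAN interface, same peer and policy on both. The Sprint
! map stays quiet while the XO route is active because no interesting traffic is
! routed out Se0/0/0. Dead-peer detection lets the remote router (configured with
! two "set peer" lines, as in the reply above) notice the XO address is gone and
! re-establish to the Sprint address.
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
crypto isakmp keepalive 10 3
crypto ipsec transform-set myset esp-aes esp-sha-hmac
access-list 110 permit ip 172.16.5.0 0.0.0.255 172.16.6.0 0.0.0.255
crypto map MAP-XO 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set myset
 match address 110
crypto map MAP-SPRINT 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set myset
 match address 110
```

The remote router needs ISAKMP keys for both head-office addresses (192.0.2.2 and 198.51.100.2 here) alongside its two `set peer` lines. To watch a failover and recovery, use `show track 1`, `show ip route`, `show ip nat translations` and `show crypto isakmp sa`. One point worth checking when traffic seems to stay on the backup after the primary returns: the primary route is reinstalled immediately, but NAT translations and IPsec SAs already built on the Sprint path are not torn down by that event, so existing flows keep their old translation until it ages out (`clear ip nat translation *` forces it), while new flows follow the primary right away.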