c3640 (Hub) <=> C5505 <=> PIX-515 <=> LEASED LINE <=> Internet
I hope that's clear!
Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left/spoke) passes to Site B (right/hub) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.
Now what I want to do is create a VPN tunnel between pix515-a (spoke) and pix515-b (hub) that will act as the primary conduit for data. Yes, I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.
I can create the VPN tunnel and get traffic to pass; that's not my problem. My problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.
Any suggestions? My gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.
See if you can enable RRI on the PIX. RRI stands for reverse route injection. This feature is available on the VPN conc, but I am not sure if it's there on the PIX.
Enable RRI (reverse route injection) on the PIX when you create the tunnel. This will create a static route for every remote network that the tunnel takes traffic to, and this route is automatically distributed into a dynamic routing protocol such as RIP. Now this route will be received by the 3640 and you can add a backup route via the frame (a static route) with a higher administrative distance than the current routing protocol in use. This static route will kick in only when the RRI route gets removed (which happens when your internet connection goes down).
Yeah, you cannot enable RRI yet on the PIX. Hopefully some time soon they bring this feature to the PIX.
Run a routing protocol through the tunnel. Make sure you unicast the packets to the neighbor (neighbor command). You should open up the required protocol/port numbers for the routing protocol on the PIX.
Configure a static route on the routers to use the frame as backup route (floating static - configure a higher admin distance).
I haven't tried this yet, but you could definitely give it a try.
Protocols such as EIGRP would expect the neighbor to be on the same subnet, so you might have to end up running RIP on the tunnel and use the neighbor command under RIP to unicast the updates.
Or else you could create a Tunnel interface on either router and run a routing protocol such as EIGRP on the tunnel interface. You should also permit the tunnel traffic to go through the VPN.
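
The last suggestion in the thread (tunnel interfaces on the routers, EIGRP over the tunnel, a floating static over the Frame Relay link), sketched as an added example that does not come from any poster here. Every address, the EIGRP AS number, the ACL name and the use of loopbacks as tunnel endpoints are assumptions; the hub router mirrors this configuration with the addresses swapped.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   Spoke LAN 10.1.0.0/16, hub LAN 10.2.0.0/16
!   Spoke PIX inside address 10.1.0.254
!   Tunnel endpoints: Loopback0 192.168.255.1 (spoke), 192.168.255.2 (hub)
!   GRE tunnel subnet 172.16.0.0/30
!   Frame Relay next hop towards the hub: 192.168.100.2
!
! --- Spoke router ---
interface Loopback0
 ip address 192.168.255.1 255.255.255.255
!
interface Tunnel0
 description GRE to hub router, carried inside the PIX-to-PIX VPN
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.255.2
 ! GRE keepalives take the tunnel down when the VPN path fails
 keepalive 10 3
!
router eigrp 100
 ! Loopback0 is deliberately NOT advertised, so the tunnel destination
 ! is never learned through the tunnel itself (recursive routing).
 network 172.16.0.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 no auto-summary
!
! Reach the remote tunnel endpoint via the local PIX (the VPN path)
ip route 192.168.255.2 255.255.255.255 10.1.0.254
!
! Floating static over Frame Relay. Distance 250 is higher than EIGRP
! (90 internal, 170 external), so this route is installed only after
! the EIGRP route learned over Tunnel0 has been withdrawn.
ip route 10.2.0.0 255.255.0.0 192.168.100.2 250
!
! --- Spoke PIX (hypothetical ACL name) ---
! The crypto ACL only has to match GRE (IP protocol 47) between the two
! loopbacks; the site-to-site traffic and the EIGRP hellos ride inside it.
! Each PIX also needs an inside route to its local router's loopback.
access-list VPN-TO-HUB permit gre host 192.168.255.1 host 192.168.255.2
```

To check failover, run `show ip route 10.2.0.0` on the spoke router: it should show an EIGRP route via Tunnel0 while the VPN is up, and the static route via 192.168.100.2 once the tunnel goes down.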