Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
381
Views
0
Helpful
3
Replies

VPN failover for T1

spickett
Level 1
Level 1

‎02-17-2004 02:38 PM - edited ‎03-02-2019 01:39 PM

I am trying to find out the best way to implement VPN as a failover / backup to a T1. This assumes two seperate devices (router and vpn conc).

Is the best way to use weighted routes, ie:

ip route 10.0.0.0 255.255.255.0 serial0

ip route 10.0.0.0 255.255.255.0 192.168.1.1 100 (<-- VPN conc)

?

Also, what about when using routing protocols, such as EIGRP?

Scott Pickett

Labels:
0 Helpful
3 Replies 3

vcjones
Level 5
Level 5

‎02-17-2004 07:06 PM

As is the case with most networking questions, the correct answer is "it depends."

If your T1 is a point-to-point link, the link layer will reliably detect link down, and the floating static route you propose could work very well. However...

If your T1 is frame relay and is not configured for end-to-end keepalives, the link could go down while the link layer (which only talks to the local frame relay switch) stays up. In this case you must either enable "frame-relay end-to-end keepalive" (a Cisco proprietary feature) or run a routing protocol to detect link failure.

Depending upon the exact configuration of your VPN, you may also have an MTU problem when switching over to the VPN backup. Typically, this will occur if your VPN MTU is less than 1500 bytes. There are several potential solutions to this problem, but to be honest, none of them are very pretty.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful

spickett
Level 1
Level 1
In response to vcjones

‎02-18-2004 11:00 AM

I agree with the "it depends" statement. I find myself answering many questions like that.

The toplogy is FR over IP (L2TPv3), but it seems to behave like a ptp link (down,down -etc) when there is trouble.

Am I correct in assuming that the best way to accomplish the same thing while using EIGRP would be to have the VPN backup device listed as the gateway of last resort? That way, when the link goes down, there will be no route to the host via the link and it will send to the gateway of last resort. Or is there a better way to add weight to routes with EIGRP?

Sorry for all the questions, I've only done basic EIGRP up to this point.

Scott Pickett

0 Helpful

vcjones
Level 5
Level 5
In response to spickett

‎02-18-2004 02:38 PM

Sounds like a good approach, belt and suspenders style. By running EIGRP over the primary link, even if the link does not go down at the link level, the problem will still be detected within 15 seconds and the default route will take over. This is better than using floating static routes, which can take up to one minute (30 seconds average) to "float" into action if the physical and link layer do not fail.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com

0 Helpful
Customers Also Viewed These Support Documents