Cisco Support Community
New Member

Site-to-Site VPN with Dial Back-Up Capability

Hello,

Our network currently uses a lot of Frame-Relay links; for these connections we use Cisco 1720s with dial back-up over an analog line in case the Frame-Relay fails.

I am looking for a way to connect site-to-site VPN and still have the option of dial back-up in case of ISP failure. We currently have a Cisco PIX 515E that would host the connections; what would be my best option on the branch office side? PIX Firewalls or Cisco 1720s with VPN modules, maybe a combination of both? What would be more secure?

Thank you in advance for any help you may provide.

Mauro

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Re: Site-to-Site VPN with Dial Back-Up Capability

Mauro,

Do you want to replace the FR links with VPN and then back the VPN up with ISDN, or retain the FR, fall back to VPN, then fall back to ISDN?

Either way, the way to go is to use a dynamic routing protocol over the FR and VPN, so when a link fails the IP routing protocol reconverges. This way you can still trigger the ISDN with a floating static route.

For EIGRP (or another dynamic routing protocol) you will need a GRE tunnel over the VPN to allow the neighbour multicasts through.
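The design in the accepted answer (EIGRP adjacency over a GRE tunnel carried inside the IPsec VPN, ISDN brought up by a floating static route) as a branch-router configuration; this is an added example, not a configuration from the thread or from Cisco. It assumes the hub terminates both IPsec and GRE on an IOS router (a PIX can pass GRE but not terminate it) and uses constructed placeholders: 203.0.113.2 for the branch, 198.51.100.1 for the hub, 10.0.0.0/8 for all internal networks.

```cisco
! Branch side: GRE over IPsec carries EIGRP; ISDN is a floating static.
! All addresses, names, numbers and secrets are constructed placeholders.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
 mode transport
!
! Only the GRE packets between the two public addresses are encrypted.
ip access-list extended GRE-TO-HQ
 permit gre host 203.0.113.2 host 198.51.100.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-HQ
!
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.252
 crypto map VPN
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
!
interface Ethernet0
 ip address 10.10.1.1 255.255.255.0
!
interface BRI0
 isdn switch-type basic-ni
 dialer pool-member 1
!
username hq-rtr password REPLACE-WITH-CHAP-SECRET
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 dialer remote-name hq-rtr
 dialer string 5551234
 dialer-group 1
 ppp authentication chap
dialer-list 1 protocol ip permit
!
router eigrp 100
 network 10.0.0.0
 passive-interface Dialer1
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
! AD 250 loses to EIGRP (AD 90) while Tunnel0 is up; it is installed only
! after the EIGRP neighbour over the tunnel is lost, then IP traffic dials.
ip route 10.0.0.0 255.0.0.0 Dialer1 250
```

The hub needs the mirror image: matching ISAKMP/IPsec settings, a Tunnel interface pointing back at 203.0.113.2, and its own floating static for the branch LAN via its dialer interface.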

3 REPLIES
New Member

Re: Site-to-Site VPN with Dial Back-Up Capability

I guess a combination of both.

Silver

Re: Site-to-Site VPN with Dial Back-Up Capability

Both approaches can be equally secure. My preference would be to use separate firewalls to simplify the configuration, making high security easier to attain. You may also find that buying a PIX501 for the office is significantly cheaper than upgrading the IOS to a firewall feature set, but there are many considerations which could be unique to your situation, so no blanket answer will be valid.

There are examples of both approaches in a white paper on my website (look for "redundant IPsec") that you could modify to meet your specific requirements. There are also several example configurations here on CCO if you choose to take the GRE tunnel approach.

One final note: to be _really_ secure, you need to use separate firewalls, because _real_ security requires that no one individual be able to circumvent security, so you use firewalls under the control of the security department and reinforce the access rules on the routers under the control of the networking department. But if you were this advanced in your needs, you would not be posting here :-)

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com
