
VPN failover and ISP failover!!!

examples20001
Level 1

Hi All,

Currently we have site-to-site IPSec between HO and BOs, and between DC and BOs.

I am designing a VPN network with my 2 B.O and 1 H.O and 1 DC.

H.O and 2 B.O will be in dynamic routing VPN IPSec VTI (EIGRP) and 2 B.O and DC will be site2site VPN.

The 2 B.Os are also connected to each other through a 100MFTT line.

So when ISP A goes down, B.O A's traffic will be routed to ISP B of B.O B, and vice versa.

Now I want to design the VPN from the 2 B.Os to my H.O and DC so that, when the ISP of either B.O goes down, the VPN traffic is automatically redirected to the other's VPN tunnel.

Can you please suggest some methods, how to design it and what all are the points to look for?

How can VPN failover be achieved without a routing protocol, and, alternatively, with a routing protocol?

I have attached a design with the equipment we currently have, and also a rough design plan and a config sample of B.O A.

Thank you.

1 Reply

wong34539
Level 6

IPSec Stateful Failover (VPN High Availability) is a feature that enables a router to continue processing and forwarding packets after a planned or unplanned outage. You can employ a backup (standby) router that automatically takes over the primary (active) router's tasks in the event of an active router failure. The process is transparent to users and to remote IPSec peers. The time that it takes for the standby router to take over depends on HSRP timers.

IPSec Stateful Failover (VPN High Availability) is designed to work in conjunction with Reverse Route Injection (RRI) and Hot Standby Router Protocol (HSRP) with IPSec. When used together, RRI and HSRP provide a more reliable network design for VPNs and reduce configuration complexity on remote peers.

RRI and HSRP are supported together with the restriction that the HSRP configuration on the outside interface uses equal priorities on both routers. As an option, when not using RRI, you can use an HSRP configuration on the LAN side of the network (the equal HSRP priority restriction still applies).

http://www.cisco.com/en/US/products/ps6550/products_white_paper09186a0080116d4c.shtml
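
The following is an added example, not part of the reply above or of the linked Cisco paper: a small pre-deployment check that compares the two routers of an HSRP pair for the equal-priority restriction quoted in the reply and confirms the crypto map is bound to the HSRP group name. The interface name, the group name `VPNHA`, the addresses and both sample configs are constructed, and the rule that both routers should agree on `reverse-route` is an assumption.

```python
import re

# Constructed sample configs (not from the thread); addresses are documentation ranges.
ROUTER_A = """\
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 name VPNHA
 crypto map VPN redundancy VPNHA stateful
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 reverse-route
"""
ROUTER_B = ROUTER_A.replace("192.0.2.2", "192.0.2.3").replace("priority 100", "priority 110")

def hsrp_facts(config, interface):
    """Extract HSRP and crypto-map redundancy settings for one interface stanza."""
    stanza = re.search(rf"^interface {re.escape(interface)}\n((?: .*\n?)*)", config, re.M)
    body = stanza.group(1) if stanza else ""
    prio = re.search(r"^ standby \d+ priority (\d+)", body, re.M)
    name = re.search(r"^ standby \d+ name (\S+)", body, re.M)
    cmap = re.search(r"^ crypto map \S+ redundancy (\S+)", body, re.M)
    return {
        "priority": int(prio.group(1)) if prio else 100,  # 100 is the IOS default
        "group": name.group(1) if name else None,
        "crypto_group": cmap.group(1) if cmap else None,
        "rri": bool(re.search(r"^ reverse-route\b", config, re.M)),
    }

def check_pair(cfg_a, cfg_b, interface):
    """Return a list of problems for an active/standby pair (empty list = consistent)."""
    a, b = hsrp_facts(cfg_a, interface), hsrp_facts(cfg_b, interface)
    problems = []
    if a["priority"] != b["priority"]:  # restriction quoted in the reply
        problems.append(f"unequal HSRP priority: {a['priority']} vs {b['priority']}")
    for label, f in (("A", a), ("B", b)):
        if f["crypto_group"] is None or f["crypto_group"] != f["group"]:
            problems.append(f"router {label}: crypto map not bound to standby group name")
    if a["rri"] != b["rri"]:  # assumption: both peers should agree on RRI
        problems.append("reverse-route configured on only one router")
    return problems

if __name__ == "__main__":
    for line in check_pair(ROUTER_A, ROUTER_B, "GigabitEthernet0/0") or ["pair is consistent"]:
        print(line)
```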