cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
306
Views
0
Helpful
3
Replies

Would redundant 3030s using VRRP be my best bet?

tvorhauer
Level 1
Level 1

Hi, I need a sanity check here. A customer of ours currently has a 3030 in place to terminate (no more than 500) Remote Access VPNs. They will be adding about 80 Site-to-Site VPNs over the next few months to this 3030. For full redundancy, they are looking to add an additional 3030 and run VRRP between the two. Are we on the right track, or is there a better way to do this?

Any advice is much appreciated!

Thanks,

TV

3 Replies 3

gfullage
Cisco Employee
Cisco Employee

VRRP is a good option here, keeping in mind that if the primary does fail all the clients will have to reconnect, but they won't need to make any changes to their client profile.

Load balancing is also a good option, but only for VPN clients. In your scenario, because you have both clients nd L2L connections, VRRP is the better choice.

Thanks for the info. I have been digging around a bit more and came across a doc discussing the Backup Lan-to-Lan feature. Now I'm wondering if this would be a better option. It states that you can configure Backup Lan-to-Lan & Load Balancing on the same box. Any recommendations?

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/prod_release_note09186a00801787a6.html#253051

Thanks,

TV

Load balancing is a better option (in my opinion) than VRRP for clients, cause if one box fails then you only lose half your client connections rather than all of them (cause they've been load-shared acorss the two concentrators rather than all being on the one primary). The ones that do get disconnectd can then just sim[ply call back in onto the other concentrator.

With load-balancing you set up a virtual cluster IP address and the clients actually connect to this, the master of the cluster responds to the client with the actual concentrator IP address to connect to, and the connection proceeds.

You could then set up your L2L connections to connect to the specific IP addresses of one concentrator within the cluster (you can't connect to the cluster IP address for a L2L connection), and could put the other concentrator IP address in as a backup under the L2L tunnel section.

This would certainly work and provide better redundancy for your clients than just straight VRRP.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: