Cisco Support Community
Cisco 2821 redundancy howto

Hi, we now have two 2821 VPN concentrators. Is there any way to set up redundancy between them, one down, other up?

Thanks.

7 REPLIES

Re: Cisco 2821 redundancy howto

Yes, it's possible.

This link will give you a detailed explanation on how to implement IPSec High Availability using HSRP, giving an example:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

If you need a simple configuration example, please tell.

Cheers:

Istvan

Re: Cisco 2821 redundancy howto

Ok, so as I understand this doc, we only have to no-shutdown our free LAN ifaces on the routers, link the routers with a brand new cable, set the interfaces to a new subnet, create a crypto map to apply to the new interfaces, and then apply this block of code to each interface (don't mind the example subnet):

interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 duplex full
 speed 100
 standby 1 ip 172.16.172.53
 standby 1 priority 200
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet0/1 150
 crypto map vpn redundancy VPNHA

interface FastEthernet0/0
 ip address 172.16.172.54 255.255.255.240
 ip directed-broadcast
 duplex full
 standby 1 ip 172.16.172.53
 standby 1 preempt
 standby 1 name VPNHA
 standby 1 track FastEthernet1/0
 crypto map vpn redundancy VPNHA

Thanks.

Re: Cisco 2821 redundancy howto

Yes, and you should create the VPN tunnel between the HSRP virtual IP address (172.16.172.53) and the remote interface.

I.e. on the remote router you should apply the "set peer 172.16.172.53" command within the static crypto map.

On the HSRP routers you will need to create dynamic crypto maps, possibly with reverse route injection.

Cheers:

Istvan
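
An added example (not written by any poster in this thread, and not Cisco code): a small Python check that the interface blocks posted above and the remote router's "set peer" value agree, meaning the crypto map redundancy name equals the standby name, both routers share the same virtual IP, and the remote peer points at that virtual IP. The function names and the trimmed sample configs are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample input: the HSRP/crypto lines of the two blocks posted above.
ROUTER_A = """interface FastEthernet0/0
 ip address 172.16.172.52 255.255.255.240
 standby 1 ip 172.16.172.53
 standby 1 name VPNHA
 crypto map vpn redundancy VPNHA
"""
ROUTER_B = ROUTER_A.replace("172.16.172.52", "172.16.172.54")
REMOTE_PEER = "172.16.172.53"  # value of "set peer" on the remote router

def parse(cfg):
    """Extract address, HSRP VIP, HSRP name and crypto map redundancy name."""
    def grab(pattern):
        m = re.search(pattern, cfg, re.M)
        return m.group(1) if m else None
    addr = re.search(r"^\s*ip address (\S+) (\S+)", cfg, re.M)
    return {
        "iface": ipaddress.ip_interface("/".join(addr.groups())) if addr else None,
        "vip": grab(r"^\s*standby \d+ ip (\S+)"),
        "name": grab(r"^\s*standby \d+ name (\S+)"),
        "redundancy": grab(r"^\s*crypto map \S+ redundancy (\S+)"),
    }

def check_pair(cfg_a, cfg_b, remote_peer):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for label, r in (("A", a), ("B", b)):
        if not (r["iface"] and r["vip"] and r["name"]):
            findings.append(f"{label}: ip address, standby ip or standby name missing")
            continue
        vip = ipaddress.ip_address(r["vip"])
        if vip not in r["iface"].network or vip == r["iface"].ip:
            findings.append(f"{label}: VIP {vip} must be in {r['iface'].network}, not the interface address")
        if r["redundancy"] != r["name"]:
            findings.append(f"{label}: crypto map redundancy name does not match standby name")
        if remote_peer != r["vip"]:
            findings.append(f"{label}: remote peer {remote_peer} is not the VIP {r['vip']}")
    if (a["vip"], a["name"]) != (b["vip"], b["name"]):
        findings.append("A/B: standby ip or standby name differs between the routers")
    if a["iface"] and b["iface"] and a["iface"].ip == b["iface"].ip:
        findings.append("A/B: both routers use the same physical address")
    return findings

if __name__ == "__main__":
    print(check_pair(ROUTER_A, ROUTER_B, REMOTE_PEER) or "consistent")
```

A remote peer set to one router's physical address instead of the virtual IP is reported for both routers, since the tunnel would not follow an HSRP failover.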

Re: Cisco 2821 redundancy howto

Keep in mind that the configuration does NOT offer IPSec STATEFUL failover.

Re: Cisco 2821 redundancy howto

Yes,

Stateful failover is a different story. Only some high-end platforms have that feature.

Istvan

Re: Cisco 2821 redundancy howto

Platforms such as 2851 and 3845 can support IPSec stateful failover.

That being said, IPSec stateful failover does not work well on Cisco as compared to other vendors such as Checkpoint or Juniper.

Re: Cisco 2821 redundancy howto

Ok, I'm only interested in physical redundancy anyway. Thank you all.
