08-13-2012 02:21 AM
In case we have 2 routers each having a WAN link provided by single ISP we can configure HSRP with SSO for failover of Classic IPSEC solutions . But in a case where there are 2 routers but WAN links are different ( Different service provider ) we wont be able to use HSRP because ip address ( subnet ) will be different and assigning a virtual ip from that is impossible .
In this case what kind of the best possible solution for failover link to function ? SVTI with crypto maps ? because in this case we can make 2 tunnels each with different souce and using IPSLA or dynamic routing change routes for a failover .
Solved! Go to Solution.
08-13-2012 03:06 AM
so you want to route based on the source-IP that some sources go through the tunnel and some don't?
That could be solved with policy-based-routing.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-13-2012 02:34 AM
In my opinion VTIs with a dynamic routing-protocol is a very good solution for that problem. But you don't nned the crypto-maps any more for that.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-13-2012 03:01 AM
If i use tunnel protection all data would be sent out to extranet .
08-13-2012 03:06 AM
so you want to route based on the source-IP that some sources go through the tunnel and some don't?
That could be solved with policy-based-routing.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
08-13-2012 10:02 PM
Yes PBR could be an option . If i go for tunnel protection I would can restrict certain traffic using PBR and if i go for crypto maps I can restrict using the crypto ACL .
Thanks
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: