02-13-2006 05:04 AM - edited 03-03-2019 11:44 AM
Hi
I have two locations with 2801 and both sides have 2 ISP connections to internet and site-to-site VPN connection on both the links and both locations. Each link should be load balanced and act as failover in case one goes down.
The links are 2 Mbps each to the internet, 1 tunnel running on each of the links.
1 WIC card which has 2 serial connections and 1 ISP connected to s0/1/0 and the other connected to s0/1/1.
Each link has a tunnel to the other side, and they have to do load balancing and failover.
Doing cef load-sharing algorithm for tunnels, using eigrp. We have 2 static routes with same metric and using IPSec on GRE tunnels.
How to achieve my requirements as per the attached diagram and above explanation?
Any help please...
Sample test config from Location A. Same settings in Location B also, except the IP address.
!
ip cef
ip cef load-sharing algorithm tunnel
ip ips po max-events 100
ip domain name x.com
ip name-server x.x.x.x
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
!
crypto isakmp key sdfdafadfa address x.x.x.x
!
crypto isakmp keepalive 30 10
!
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
!
crypto map xxx-map 10 ipsec-isakmp
 description Tunnel to Location1
 set peer x.x.x.x
 set transform-set xxx
 set pfs group5
 match address xxx-tunnel
!
interface Tunnel10
 description ISP A-tunnel
 bandwidth 2048
 ip address x.x.x.x
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
!
interface Tunnel20
 description ISP B-tunnel
 bandwidth 2048
 ip address x.x.x.x
 tunnel source x.x.x.x
 tunnel destination x.x.x.x
!
interface FastEthernet0/0
 description "lan1"
 ip address x.x.x.x
 ip access-group inside in
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface FastEthernet0/1
 no ip address
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 bandwidth 2048
 ip address x.x.x.x
 ip access-group outside in
 ip nat outside
 ip virtual-reassembly
 shutdown
 no fair-queue
 clockrate 2000000
 crypto map xxx-map
!
interface Serial0/1/1
 mtu 6000
 bandwidth 2048
 ip address x.x.x.x
 ip access-group outside in
 ip nat outside
 ip virtual-reassembly
 load-interval 30
 crypto map xxx-map
!
router eigrp 10
 redistribute connected route-map xxx
 network x.x.x.x
 auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
ip nat inside source route-map ISP A interface Serial0/1/1 overload
ip nat inside source route-map ISP B interface Serial0/1/0 overload
!
ip access-list extended XXX
 permit ip x.x.x.x x.x.x.x any
!
ip access-list extended xxx-tunnel
 permit gre host x.x.x.x host x.x.x.x
 permit gre host x.x.x.x host x.x.x.x
02-13-2006 05:25 AM
If you are running GRE, you might as well enable EIGRP on the links. One big advantage of GRE tunnels is that they forward the EIGRP multicast traffic. This will operate much more reliably than static routes.
To achieve this, you should add the tunnel-networks to eigrp 10.
Regards,
Leo
02-13-2006 05:43 AM
Thank you for the reply.
Is my sample test config the best solution or is there any other better method?
router eigrp 10
 redistribute connected route-map test1
 redistribute static route-map test1
 network x.x.x.x
 auto-summary
test1 includes the tunnel-network ACL.
02-13-2006 05:52 AM
Generally speaking, the simplest solution is often the best one. I do not exactly know what you think you need the redistribute lines for.
I would start with the following:
router eigrp 10
 network x.x.x.x (your LAN side)
 network
 network
 no auto-summary (required when you are using subnets from the same network)
Then check your routing table and add redistribution only when required.
Regards,
Leo
02-13-2006 05:36 AM
CEF per-destination (per-flow) will happen by default in this scenario. As long as there is a sufficient number of flows, traffic should statistically be loadshared equally between the two links to your SPs.
One thing you should make sure of is that you have a static route for the destination ip address of tunnel10 to ISP-A and another one for tunnel20 to ISP-B. It should go something like this:
ip route
ip route
Hope this helps,
02-13-2006 05:49 AM
I forgot to mention that you should have static routes for the network(s) at the remote sites pointing at both tunnel interfaces.
You could also run a dynamic routing protocol as suggested by the previous poster.
Hope this helps,
02-13-2006 05:53 AM
I am running EIGRP and using IPsec with GRE.
Is there any sample config?
02-13-2006 05:49 AM
So I'll have 4 route commands?
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP-A)
ip route 0.0.0.0 0.0.0.0 x.x.x.x (ISP-B)
ip route
ip route
So if ISP-A goes down, how will tunnel10 route the traffic? Will it automatically shift to ISP-B?
02-13-2006 06:20 AM
Yes, 4 static routes. In this case, you also need a dynamic routing protocol.
If ISP-A goes down, tunnel10 will stay up but go through the default route pointing at ISP-B, which is fine.
Hope this helps,
02-13-2006 07:33 AM
Because the tunnel will stay up when one of the ISPs fails, I would not recommend the static default routes. I would prefer that the LAN addresses be learnt dynamically through EIGRP. The config is simple enough:
router eigrp
 network
 network
 no auto-summary
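An added example, not part of the thread and not any poster's own configuration: the routing advice from the replies above (a host route for each tunnel destination via its own ISP, two default routes, and EIGRP on the LAN and both tunnel networks with no auto-summary) put together for one site. Every address is constructed from documentation and private ranges, and which ISP carries which tunnel is an assumption.

```cisco
! Constructed addressing (assumptions, not values from the thread):
!   ISP-A link: local 192.0.2.2,    next hop 192.0.2.1
!   ISP-B link: local 198.51.100.2, next hop 198.51.100.1
!   Remote tunnel endpoints: 203.0.113.10 (ISP-A path), 203.0.113.20 (ISP-B path)
!   LAN 10.1.1.0/24, Tunnel10 10.255.10.0/30, Tunnel20 10.255.20.0/30
!
ip cef
!
interface Tunnel10
 description ISP A-tunnel
 bandwidth 2048
 ip address 10.255.10.1 255.255.255.252
 tunnel source 192.0.2.2
 tunnel destination 203.0.113.10
!
interface Tunnel20
 description ISP B-tunnel
 bandwidth 2048
 ip address 10.255.20.1 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.20
!
! One host route per tunnel destination, each pointing at a different ISP,
! so the outer GRE/IPsec packets of the two tunnels leave on different links.
ip route 203.0.113.10 255.255.255.255 192.0.2.1
ip route 203.0.113.20 255.255.255.255 198.51.100.1
!
! Default routes towards both ISPs (the "4 static routes" in total).
ip route 0.0.0.0 0.0.0.0 192.0.2.1
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! EIGRP runs on the LAN and on both tunnel subnets only, so the remote LAN
! is learnt over both tunnels with equal metric and CEF shares flows
! across them. No redistribute lines to start with.
router eigrp 10
 network 10.1.1.0 0.0.0.255
 network 10.255.10.0 0.0.0.3
 network 10.255.20.0 0.0.0.3
 no auto-summary
!
```

After applying it, `show ip route` should list the remote LAN with two EIGRP next hops, one through each tunnel interface.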
02-28-2006 03:53 PM
Hi All,
Sorry for late reply.
Thank you very much for the support, the suggestions have helped a lot.