02-02-2012 11:04 AM - edited 03-04-2019 03:07 PM
All, I want to connect the remote site to DC (datacenter) and DR (Data Recovery) via site-to-site VPN. This remote site is connected to one ISP. The remote site connects to DC as the active connection and to DR as the standby. They are terminated on the routers. The goal is that when the active connection is down, the standby comes up, and when the previous active connection comes back up, it kicks in as the active connection and the connection to DR becomes standby again. Please provide a sample configuration if possible.
Regards,
Joe
02-03-2012 12:19 AM
Hello Joe,
The link below may help you. Give it a read.
Thanks
Vivek
02-03-2012 06:50 AM
Hello Vivek,
I saw this link before. My case is different. My remote site has only one ISP; how can I set up the SLA to track the peer when it is up or down?
Thanks,
Joe
02-04-2012 01:33 AM
Sorry Joe, I misread your query. If you have a GRE tunnel to DC/DR, then you can run a dynamic routing protocol to avoid IP SLA hassles. Below are some suggestions:
1) Run an IPSEC over GRE tunnel to your DC & DR routers from the branch.
2) Run a dynamic routing protocol like OSPF or EIGRP inside the tunnel.
3) Advertise the routes from your DC / DR. Assuming you have a network (192.168.1.x/24) behind DC/DR, you can make those routes preferred via DC. Let DR be the backup path.
If you were to run static routing then:
1) Have floating static routes to DC & DR, with DR at a higher metric value.
2) You may need to run IP SLA, as static routes don't get withdrawn from the routing table automatically.
3) IP SLA parameters
* ICMP-ECHO to a server X.X.X.X in DC.
4) Enable route tracking on the static routes to DC only.
5) Have a static route to server X.X.X.X always pointing to DC. This will help you to achieve failback once your primary path comes back online.
NOTE: Make sure server X.X.X.X is a device or loopback IP of a switch/router that is not required to be available after the failover, because you are pointing a static route to that IP always via DC. So, after failover, that IP will not be reachable to you via DR.
Hope this helps. Do let me know in case you have any questions.
Thanks
Vivek
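The static-routing variant of the steps above, written out as a branch-router IOS configuration. This is an added example, not configuration from the original post or from Cisco; every address, interface number and pre-shared-key placeholder is constructed, and it assumes an IOS release that supports the AES-256/SHA-256 IKE and IPsec keywords used here. The probe target is a loopback that exists only on the DC router, so it stays unreachable while the branch is failed over to DR, which is exactly what lets the tracked route come back when DC recovers.

```cisco
! Branch router (remote site). All addresses are constructed placeholders.
! Branch WAN: 192.0.2.2/30, ISP gateway 192.0.2.1
! DC tunnel peer: 203.0.113.10   DR tunnel peer: 198.51.100.10
! Protected LAN behind DC and DR (same subnet at both sites): 192.168.1.0/24
! Probe target: 10.255.255.1, a loopback present on the DC router only
!
! IKE phase 1: one policy, one pre-shared key per peer (placeholders)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PSK-FOR-DC> address 203.0.113.10
crypto isakmp key <PSK-FOR-DR> address 198.51.100.10
!
! IPsec phase 2: transport mode is sufficient, GRE already adds the outer header
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES-SHA
!
! GRE tunnels, protected by the IPsec profile; MTU/MSS lowered for the
! GRE+ESP overhead
interface Tunnel1
 description GRE over IPsec to DC (primary)
 ip address 172.16.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.2
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile IPSEC-GRE
!
interface Tunnel2
 description GRE over IPsec to DR (standby)
 ip address 172.16.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 192.0.2.2
 tunnel destination 198.51.100.10
 tunnel protection ipsec profile IPSEC-GRE
!
! Default route to the ISP reaches both tunnel endpoints
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! IP SLA: ICMP echo to the DC-only loopback, sourced from the DC tunnel
ip sla 1
 icmp-echo 10.255.255.1 source-interface Tunnel1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Track object follows probe reachability
track 1 ip sla 1 reachability
!
! Host route to the probe target ALWAYS via DC (never via DR), so the
! probe starts succeeding again as soon as the DC path is restored
ip route 10.255.255.1 255.255.255.255 Tunnel1
!
! Primary route to the protected LAN via DC, withdrawn when track 1 is down;
! floating static via DR with a worse administrative distance (250)
ip route 192.168.1.0 255.255.255.0 Tunnel1 track 1
ip route 192.168.1.0 255.255.255.0 Tunnel2 250
```

To confirm the behaviour, watch `show track 1` flip between Up and Down while `show ip route 192.168.1.0` changes from Tunnel1 to Tunnel2 and back; `show crypto session` shows whether each tunnel's IPsec SA is actually established. The DC and DR routers need the mirror-image tunnel and crypto configuration, a route for the branch LAN pointing at their own tunnel interface, and the 10.255.255.1 loopback on DC only.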
02-04-2012 04:28 AM
Just to add to Vivek's explanation. If you are using dynamic routing protocols, you need to change the metrics etc. to make one preferred over the other. In the case of EIGRP, increase the delay metric on the tunnel to the DR, and in the case of OSPF, increase the cost on the tunnel to the DR.
If you are using static routes, then just increase the AD on the static route to the DR.
HTH
Kishore
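The dynamic-routing variant that Vivek outlined and Kishore's metric advice refers to, as an added example rather than configuration from either poster. It assumes Tunnel1 (to DC) and Tunnel2 (to DR) already exist as GRE-over-IPsec interfaces on the branch router; only the routing-protocol pieces are shown, with constructed addresses and illustrative cost/delay values.

```cisco
! Branch router. Assumes Tunnel1 -> DC and Tunnel2 -> DR are already built
! as GRE over IPsec. Addresses and metric values are constructed examples.
!
! OSPF: lower cost on the DC tunnel, higher cost on the DR tunnel, so the
! DC path wins while both tunnels are up and DR takes over when OSPF
! adjacency over Tunnel1 drops (hello/dead timers detect the failure).
interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 100
!
interface Tunnel2
 ip address 172.16.2.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 1000
!
router ospf 1
 router-id 172.16.1.2
 ! Only the two tunnels form adjacencies; the branch LAN is advertised
 ! but sends no hellos toward the LAN
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 172.16.1.0 0.0.0.3 area 0
 network 172.16.2.0 0.0.0.3 area 0
 network 10.10.10.0 0.0.0.255 area 0
!
! EIGRP alternative (instead of the OSPF stanzas above): raise the delay on
! the DR tunnel so its composite metric is worse than the DC tunnel's.
! interface Tunnel2
!  delay 100000
! router eigrp 100
!  network 172.16.0.0 0.0.255.255
!  network 10.10.10.0 0.0.0.255
!  passive-interface default
!  no passive-interface Tunnel1
!  no passive-interface Tunnel2
```

Failback is automatic here: when Tunnel1 comes back, the OSPF (or EIGRP) adjacency re-forms and the cheaper DC path is installed again, so no IP SLA tracking is needed. The DC and DR routers advertise the same 192.168.1.0/24 prefix into the protocol; the branch chooses between them purely on the tunnel metric.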
02-05-2012 09:42 AM
Thank you Vivek! Attached is the network layout.
In DC and DR, the site-to-site VPN will be terminated on the router R3. And each remote site has only one ISP connected to the Internet. Some remote sites need to run a dynamic protocol, some will run static.
1) If running IPSec over GRE with a dynamic protocol, can we run BGP instead of OSPF and EIGRP? To get the preferred route to DC on the remote site, how can we configure it? Is weight the better option?
2) In DC and DR, they have an MPLS cloud via BGP. The question is: if we run BGP on R3 and transport over the ASA, should we run iBGP or eBGP on R3?
3) If running static routes on the remote sites, I understand how to set up the metric on the static route to make DC the preferred route, but we only have one static route, "ip route 0.0.0.0 0.0.0.0 143.10.10.1"; it is not clear how we can have two different static routes on the router.
Best Regards,
Joe
02-05-2012 03:00 PM
To create two static routes you need to use network addresses.
Example
for DC
ip route 192.168.10.0 255.255.255.0 [ip address of R1 DC side]
for DR (administrative distance 120 goes after the next hop)
ip route 192.168.10.0 255.255.255.0 [ip address of R1 DR side] 120
Then redistribute these static routes into EIGRP or OSPF.
Hope this helps
Eugen
02-05-2012 05:09 PM
Hello Eugen,
DC and DR are the same network subnet address; that is the main purpose of having the redundant IPSec.
thanks,
Ken
02-05-2012 07:42 PM
Hi Ken,
If it were me, I would have RIP running in that topology, have default routes from the remote sites, and have a static route configured for DR with an AD greater than RIP, say 130, then redistribute that route by RIP. All devices in RIP will know about the backup route; if the RIP route to DC fails, then RIP will advertise the static route, and when the link comes up RIP will install the route to DC again. I hope this makes sense.
Eugen
02-05-2012 09:00 PM
Hello Joe,
Your explanation of the topology in your first post is entirely different from the one I see in the attached file. Some things you need to consider:
1) Where will you perform the NAT - R1 or the ASA firewall?
2) IPSEC/GRE traffic has to be NATted. Make sure to use the right IPSEC protocols. AH won't support your scenario; ESP is to be used. NAT-Traversal needs to be enabled, for which ESP provides support.
3) This setup could be easily achieved using OSPF or EIGRP. Not sure why you propose to run BGP. This will add complexity. That said, you are not bound; you can freely run BGP.
4) You run iBGP from R3 to the remote sites. Can I know how many remote sites you have?
Reconsider your decision on the right protocol for your environment. Even OSPF / EIGRP / RIP is capable of doing what you want to achieve with BGP.
Thanks
Vivek
02-04-2012 02:05 AM
Hi Joe
I am working on something like that; could you provide a diagram?
I think you need IPsec HA and IP SLA, maybe with HSRP also included.
Thanks