Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configure redundant VPN connection

All- I want to connect the remote site to DC (datacenter)  and DR (Data Recovery) via site to site VPN. This remote site is connected to one ISP. The remote site connects to DC as the active connection, and to DR as the standby. They are terminated on the routers. The goal is when the active connection is down, the standby becomes up, and when the previous active connection comes up, it will kick in as active connection and the connection to DR becomes standby again. Please provide the sample configuration if possible.

Regards,

Joe


10 REPLIES

Configure redundant VPN connection

New Member

Configure redundant VPN connection

Hello Vivek,

I saw this link before. My case is different. My remote site has only ISP, how can i setup the SLA to track the peer when it is up or down?

Thanks,

Joe

Configure redundant VPN connection

Sorry Joe, I mis-read your query. If you have a GRE tunnel to DC/DR, then you can run dynamic routing protocol to avoid IP SLA hassles. Below are some suggestions :

1) Run a IPSEC over GRE tunnel to your DC & DR routers from branch.

2) Run a dynamic routing protocol like OSPF or EIGRP inside the tunnel.

3) Advertise the routes from your DC / DR. Assume that you have a network (192.168.1.x/24 behind DC/DR) then you can make those routes preferred via DC. Let DR be the backup path.

If you were to run static routing then

1) Have a static floating routes to Dc & DR. DR with a higher metric value.

2) You may need to run IP SLA as static routes doesn't get withdrawn from the routing table automatically.

3) IP SLA parameters

     * ICMP-ECHO to a server X.X.X.X in DC.

4) Enable tracking the routes by tracking the static routes to DC only.

5) Have a static route to server X.X.X.X always pointing to DC. This will help you to achieve failback once your primary path comes back online.

NOTE : Make sure server X.X.X.X be a device or loopback IP of a switch/router which is not required to be available after the failover. Because you are pointing a static route to the IP always via DC. So, after failover that IP will not be reachable to you via DR.

Hope this helps. Do let me know incase you have any questions.

Thanks

Vivek

Configure redundant VPN connection

Just to add to Vivek's explanation. If you using dynamic routing protocols you need to change the metrics etc to make one prefer over the other. In case of EIGRP increase the delay metric on the Tunnel to the DR and in case of OSPF increase the cost on the tunnel to the DR.

If you using static routes then just increase the AD on the static route to the DR

HTH

Kishore

New Member

Re: Configure redundant VPN connection

Thank you Vivek! Attached is the netwrok layout.

In DC and DR, the site to site VPN will be terminated on the router R3. And each remote site has only one ISP connected to the Internet. Some remotes we need to run dynamic protocol, some will run static protocol.

1) If running IPSec over GRE with dynamic protocol, can we run BGP instead of the OSFP and EIGRP? To get the preferred route to DC on the remote site, how can we configure it? weight is better option?

2) In DC, DR, they have MPLS cloud via BGP, Question is...if we run BGP on R3 and transport over ASA, should we run iBGP or eBGP on the R3?

3) If running static route on the remote sites, understand how to setup the metric on the static route to make the DC as prefered route, but we only have one static route, " ip route 0.0.0.0 0.0.0.0 143.10.10.1", not clear how can we have two different static routes on the router?

Best Regards,

Joe

Bronze

Re: Configure redundant VPN connection

To create two static routes you need to uses network addresses

Example

for DC

ip route 192.168.10.0 255.255.255.0 [ip address of R1 DC side]

for DR

ip route 192.168.10.0 255.255.255.0 120 [ip address of R1 DR side]

Then redistribute this static routes into EIGRP or OSPF

Hope this helps

Eugen

New Member

Re: Configure redundant VPN connection

Hello Eugen,

To DC and DR are the same network subnet address, that is the main purpose

to have the redundancy IPSec.

thanks,

Ken

On Sun, Feb 5, 2012 at 6:00 PM, ebarticel <

Bronze

Configure redundant VPN connection

Hi Ken,

If it was me I will have RIP running in that topology, have default routes from remote sites, and have static route configured for DR with AD greater than RIP, say 130, then redistribute that route by RIP, all devices in RIP will know about the back up route, if RIP route to DC fail then RIP will advertise the static route, and when link comes up than RIP will install again the route to DC. I hope this makes sense

Eugen

Re: Configure redundant VPN connection

Hello Joe,

Your explanation about the topology in your first post is entirely different than the one i see in the attached file. Some things you require to consider.

1) Where will you perform the NAT - R1 or ASA firewall?

2) IPSEC/GRE traffic has to be NATted. Make sure to use right IPSEC protocols. AH won't support your scenario. ESP to be used. NAt-Traversal to be enabled for which ESP provides support.

3) This setup could be easily achieved using OSPF or EIGRP. Not sure why you propose to run BGP. This will add complexity. Though you are not bonded - you can freely run BGP.

4) You run iBGP from R3 to remote sites. Can i know how many remote sites you have?  

Re-consider your decision of running a right protocol for your environment. Even OSPF / EIGRP / RIP is capable of doing what you want to achieve with BGP.

Thanks

Vivek     

New Member

Configure redundant VPN connection

Hi Joe

I am working on  smth like that could you provide  diagram?

I think you need Ipsec HA and ip sla maybe hsrp also included

Thanks

2154
Views
0
Helpful
10
Replies
CreatePlease to create content