The link below may help you. Give it a read.
I saw this link before. My case is different. My remote site has only one ISP; how can I set up the SLA to track the peer when it is up or down?
Sorry Joe, I misread your query. If you have a GRE tunnel to DC/DR, then you can run a dynamic routing protocol to avoid IP SLA hassles. Below are some suggestions:
1) Run IPsec over GRE tunnels to your DC and DR routers from the branch.
2) Run a dynamic routing protocol like OSPF or EIGRP inside the tunnel.
3) Advertise the routes from your DC/DR. Assuming you have a network (192.168.1.x/24) behind DC/DR, you can make those routes preferred via DC. Let DR be the backup path.
If you were to run static routing, then:
1) Have floating static routes to DC and DR, with the DR route at a higher metric value.
2) You may need to run IP SLA, as static routes don't get withdrawn from the routing table automatically.
3) IP SLA parameters:
* ICMP echo to a server X.X.X.X in DC.
4) Enable tracking of the routes by tracking only the static routes to DC.
5) Have a static route to server X.X.X.X always pointing to DC. This will help you achieve failback once your primary path comes back online.
NOTE: Make sure server X.X.X.X is a device or loopback IP of a switch/router which is not required to be available after the failover, because you are pointing a static route to that IP always via DC. So, after failover, that IP will not be reachable via DR.
Hope this helps. Do let me know in case you have any questions.
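Putting the static-routing steps above into a concrete branch router configuration (an added example, not a config from any post in this thread; every address, interface name, timer and administrative distance is a hypothetical placeholder). The probe target is a loopback reachable only via DC, and its host route is pinned to the DC tunnel so the probe keeps testing the primary path after failover, which is what makes failback work:

```cisco
! Added example, not from the thread. All addresses/interfaces are hypothetical placeholders.
! Branch router with a single ISP link and two GRE/IPsec tunnels:
!   Tunnel0 = to DC (primary), Tunnel1 = to DR (backup)
!
! --- Step 3: IP SLA probe ---
! Probe target 10.255.0.1 is a loopback on a DC switch that is NOT needed after failover.
ip sla 10
 icmp-echo 10.255.0.1 source-interface Tunnel0
 frequency 10
ip sla schedule 10 life forever start-time now
!
! --- Step 4: track object tied to the probe (dampened so one lost ping does not flap routes) ---
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! --- Step 5: host route to the probe target, always via DC ---
! Without this, after failover the probe would be answered over DR and the DC route
! would never be reinstalled.
ip route 10.255.0.1 255.255.255.255 Tunnel0
!
! --- Step 1/4: floating static routes to the DC/DR subnet ---
! Primary via DC, withdrawn from the RIB when track 10 goes down
ip route 192.168.1.0 255.255.255.0 Tunnel0 track 10
! Backup via DR with a higher administrative distance (250), installed only when the primary is gone
ip route 192.168.1.0 255.255.255.0 Tunnel1 250
!
! Verification:
!   show track 10              -> "Reachability is Up" / "Down"
!   show ip route 192.168.1.0  -> next hop should flip between Tunnel0 and Tunnel1
```

Only the DC static route carries the `track` keyword; the DR route needs none because its higher AD already keeps it out of the routing table while the DC route is present. On older IOS trains the track line is `track 10 rtr 10 reachability`.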
Just to add to Vivek's explanation. If you are using dynamic routing protocols, you need to change the metrics etc. to make one path preferred over the other. In the case of EIGRP, increase the delay metric on the tunnel to the DR, and in the case of OSPF, increase the cost on the tunnel to the DR.
If you are using static routes, then just increase the AD on the static route to the DR.
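The same preference expressed on the tunnel interfaces for the dynamic-routing case (an added example, not from any post in this thread; the tunnel endpoints, addresses, delay and cost values are hypothetical, and the IPsec protection of the tunnels is assumed to be configured separately). Both IGP variants are shown; a router would run only one of them:

```cisco
! Added example, not from the thread. Addresses, delay and cost values are hypothetical.
! Branch router: GRE tunnel to DC (Tunnel0) and to DR (Tunnel1).
!
interface Tunnel0
 description GRE to DC (primary)
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 ! EIGRP: delay is in tens of microseconds; lower = preferred
 delay 1000
 ! OSPF: lower cost = preferred
 ip ospf cost 10
!
interface Tunnel1
 description GRE to DR (backup)
 ip address 10.0.1.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 ! EIGRP: higher delay than Tunnel0, so the DR path is a feasible successor only
 delay 5000
 ! OSPF: higher cost than Tunnel0, so DR is used only when the DC path is gone
 ip ospf cost 100
!
! Variant A: EIGRP inside the tunnels
router eigrp 100
 network 10.0.0.0 0.0.1.255
 network 192.168.10.0 0.0.0.255
!
! Variant B: OSPF inside the tunnels (do not configure both A and B)
router ospf 1
 network 10.0.0.0 0.0.1.255 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Verification:
!   show ip eigrp topology 192.168.1.0/24   -> successor via Tunnel0, feasible successor via Tunnel1
!   show ip route 192.168.1.0               -> via Tunnel0 while DC is up
```

Because the GRE tunnel interface stays up/up even when the far end is unreachable, the IGP's own hello/dead timers (or `keepalive` on the tunnel interface) are what detect the failure here, which is why no IP SLA is needed in this design.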
Thank you Vivek! Attached is the network layout.
In DC and DR, the site-to-site VPN will be terminated on the router R3. And each remote site has only one ISP connected to the Internet. Some remotes need to run a dynamic protocol, some will run static routes.
1) If running IPsec over GRE with a dynamic protocol, can we run BGP instead of OSPF and EIGRP? To get the preferred route to DC on the remote site, how can we configure it? Is weight the better option?
2) In DC and DR, they have an MPLS cloud via BGP. Question is... if we run BGP on R3 and transport over the ASA, should we run iBGP or eBGP on R3?
3) If running static routes on the remote sites, I understand how to set up the metric on the static route to make DC the preferred route, but we only have one static route, "ip route 0.0.0.0 0.0.0.0 184.108.40.206"; it is not clear how we can have two different static routes on the router?
To create two static routes you need to use network addresses:
ip route 192.168.10.0 255.255.255.0 [ip address of R1 DC side]
ip route 192.168.10.0 255.255.255.0 120 [ip address of R1 DR side]
Then redistribute these static routes into EIGRP or OSPF.
Hope this helps
DC and DR have the same network subnet address; that is the main purpose of having the redundant IPsec.
On Sun, Feb 5, 2012 at 6:00 PM, ebarticel <
If it were me, I would have RIP running in that topology, have default routes from the remote sites, and have a static route configured for DR with an AD greater than RIP, say 130, then redistribute that route via RIP. All devices in RIP will know about the backup route; if the RIP route to DC fails, then RIP will advertise the static route, and when the link comes up, RIP will install the route to DC again. I hope this makes sense.
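The "two static routes with different AD, then redistribute" idea from the earlier answer and the RIP variant just described, written out on a hub router (an added example, not a config from any post in this thread; addresses, the AD value 130 and the seed metric are hypothetical). The point it shows is that the floating static is only installed, and therefore only redistributed, once the IGP-learned route to DC disappears:

```cisco
! Added example, not from the thread. Addresses, AD and metric values are hypothetical.
! Hub router. The same subnet 192.168.10.0/24 exists behind both DC and DR.
! Preferred path: learned from DC via RIP (AD 120).
! Backup path: floating static toward the DR next hop 10.0.1.2 with AD 130 (> 120),
! so it stays out of the routing table while the RIP route from DC is present.
ip route 192.168.10.0 255.255.255.0 10.0.1.2 130
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 ! Static routes are only redistributed when they are installed in the RIB.
 ! While DC is up the floating static is not installed, so nothing extra is advertised;
 ! when the RIP route from DC ages out, the static is installed and then advertised
 ! to every RIP neighbour with a seed metric of 5.
 redistribute static metric 5
!
! OSPF alternative (AD 130 is still higher than OSPF's 110):
!   router ospf 1
!    redistribute static subnets
!
! EIGRP caveat: internal EIGRP routes have AD 90 and external ones AD 170. A floating
! static at 130 loses to an internal route from DC as intended, but it would BEAT an
! EIGRP-external route, so check how the DC prefix is learned before picking the AD.
!
! Verification:
!   show ip route 192.168.10.0   -> "R" via DC while up, "S" via 10.0.1.2 after DC fails
!   show ip rip database          -> backup prefix appears only after failover
```

Because failback depends on RIP re-learning the DC route and its AD of 120 beating the static's 130, the hold-down and flush timers of RIP set how long the DR path stays in use after DC returns; `show ip protocols` lists the timers in effect.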
Your explanation of the topology in your first post is entirely different from the one I see in the attached file. Some things you need to consider:
1) Where will you perform the NAT, on R1 or on the ASA firewall?
2) IPsec/GRE traffic has to be NATted. Make sure to use the right IPsec protocols. AH won't support your scenario; ESP is to be used. NAT traversal has to be enabled, for which ESP provides support.
3) This setup could be easily achieved using OSPF or EIGRP. Not sure why you propose to run BGP; this will add complexity. Though you are not bound to it, you can freely run BGP.
4) You run iBGP from R3 to the remote sites. Can I know how many remote sites you have?
Reconsider your decision on running the right protocol for your environment. Even OSPF/EIGRP/RIP is capable of doing what you want to achieve with BGP.
I am working on something like that; could you provide a diagram?
I think you need IPsec HA and IP SLA; maybe HSRP is also involved.