Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

If leased line link fails,then vpn should come up

I am using 2811 router in 5 locations (say siteA,siteB,siteC,siteD,siteE).

they all are connected through leased line.

i want to know if the leased line fails in 1 location( say in site A) all the other locations (siteB,siteC,siteD,siteE) shoud communication to that location (siteA) through VPN.

And communication beteween siteB to siteC,siteB to siteD,siteB to siteE ,siteC to siteD,siteC to SiteE,siteD to siteE should continue with the existing leased line.

Your help will be highly appreciated.




Re: If leased line link fails,then vpn should come up

Select an internet service provider to connect SiteA to all other sites.

Configure VPN between SiteA and all other sites. Watch the security, put an ACL in the internet facing interface of the router to only allow connection between SiteA internet facing interface IP Address and all otehr sites internet facing interface IP Address.

All sites primary routing should use Leased Line as a gateway with default Administrative Distance of 1.

All sites backup routing should use each sites internet gateway with a higher Administrative Distance than 1 (e.g. 10)

New Member

Re: If leased line link fails,then vpn should come up


IT is a very standard practice to have VPN over internet that will kick in the moment your WAN-link fails.

Firstly as posted in earlier text you need internet connection to all locations. Once you have set up internet connections you can setup site-to-site VPN between locations and then add route to corresponding subnet with higher administrative distance than your current routing protocol.

Second way is to form GRE tunnels between locations over  internet connections encrypt the data before sending it through the GRE tunnel. Beauty of the GRE is you can run the routing protocol on the GRE interfaces, run routing protocol in your network adjust the bandwidth of the links and you are good to go. I can broadly imagine the scenario, all locations will have your existing router with leased lines connectivity. You will need another router at each location to terminate the internet link with advance security IOS to support IPSEC.  On routers with leased line say subnet_A points _to serial 0/0 you need to add another line as subnet_A point to Eth0_Of_ Interne_router  with high admin distance. So when s0/0 is down packet for subnet_A will be forwarded to internet router. The internet router will forward the packet to corresponding location either by GRE or by Site-to-Site VPN whatever you have configured.



rate if possible