
OER fail over from VPN to BRI

jfreegard
Level 1

I am currently working on a project where some business-critical / time-sensitive data is held at the other side of the world, hence private wires will be too expensive. As an alternative we are using a VPN, but as a backup I want to be able to dial up with ISDN. The BRI link will be brought up if packet loss goes above x, if latency goes above y, or if the VPN goes down.

I only want data destined for that VPN to be redirected and nothing else (there are other VPNs and Internet traffic running over the link). Also, I only want the ISDN link to be brought up in the event of a failure and not during normal polling. Would OER be suitable for this, and if not, can you suggest anything?

We are using a PIX 525 6.4 for the VPN, and the ISDN router will be bought as required.

2 Replies

spremkumar
Level 9

Hi

I feel it will be better if you can introduce a router in front of the PIX firewall and allow the router to take care of the routing decision based on the availability of the route to the remote VPN destination.

You can also terminate both the primary link and the secondary ISDN BRI on that router and configure them accordingly.

In your current scenario both of your links are connected to different equipment; if they had been two routers then you could think about going for either HSRP or GLBP between them.

But since you have got the main/primary link connected on the PIX firewall, I don't think it's possible to bring it under an HSRP group with a router.

Regards

johansens
Level 4

You could try this (I haven't tested this, so it may have some errors in it, but you should get the idea!):

a) Put a router w/ISDN between your LAN and PIX at both ends.

b) Configure "Reliable Static Routing Backup Using Object Tracking", or use PBR with tracking options.

Here's a quick example I made of the static routing-stuff:

The idea is to do as follows:

- Establish a method to let the router check if the VPN-connection is stable (using a tracking object)

- If the tracking object reports it to be unstable, switch to the dialer interface (using the higher administrative distance on a second static route)

- When the VPN-connection is stable, let it run for 3 minutes before we switch back from the dialer interface.

Router A:

!
interface Loopback0
 description remote icmp-checks (source address of the probes)
 ip address 172.16.23.6 255.255.255.255
!
interface Ethernet0
 description The LAN
 ip address 10.1.1.1 255.255.255.0
!
interface Ethernet1
 description To the PIX and Internet
 ip address 10.2.2.2 255.255.255.0
!
! Added: the physical BRI must be a member of dialer pool 1, or Dialer1 has nothing to dial with
interface BRI0
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer1
 ip address 192.168.1.2 255.255.255.252
 encapsulation ppp
 dialer string 1234567890
 dialer-group 1
 dialer pool 1
!
! Probe the far-end loopback every 3 s; sourced from Loopback0 so the replies come back
! through the VPN to the address the PIX at the other end knows (source-ipaddr added)
ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.23.7 source-ipaddr 172.16.23.6
 timeout 400
 frequency 3
 threshold 2
!
ip sla monitor schedule 1 life forever start-time now
!
! Track goes down as soon as a probe times out, and returns to up only after 180 s of
! continuous success (this is the "3 minutes" before switching back)
track 123 rtr 1 reachability
 delay up 180
!
! Local policy for locally generated probes: send them only via the PIX; if that path is
! down they fall through to Null0 and are dropped, so polling never brings the BRI up
! and a probe can never succeed over the backup path and mark the VPN as "up"
access-list 101 permit icmp any host 172.16.23.7 echo
!
route-map MY_LOCAL_POLICY permit 10
 match ip address 101
 set ip next-hop 10.2.2.1
 set interface Null0
!
ip local policy route-map MY_LOCAL_POLICY
!
ip route 0.0.0.0 0.0.0.0 10.2.2.1
! Primary route to the remote LAN, withdrawn while track 123 is down
ip route 10.3.3.0 255.255.255.0 10.2.2.1 track 123
! Floating backup via the dialer (AD 254), only installed while the primary is withdrawn
ip route 10.3.3.0 255.255.255.0 192.168.1.1 254
!
! Interesting traffic: only local LAN to remote LAN may raise the call. Fixed: the
! original matched 10.2.2.0/24 (the router-to-PIX link), but the LAN is 10.1.1.0/24
access-list 150 permit ip 10.1.1.0 0.0.0.255 10.3.3.0 0.0.0.255
!
dialer-list 1 protocol ip list 150
!

and do the opposite on Router B (this is left as an exercise for you.. ;)

Now it's up to you to tune the tracking object to achieve the wanted results..

Here are some links for reference:

"Reliable Static Routing Backup Using Object Tracking"

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804457cd.html

"PBR Support for Multiple Tracking Options"

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080457bcc.html

Did it help?
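Router B, mirroring the Router A configuration above, as an added example that is not part of johansens' post or of any Cisco document. Everything not stated in the thread is assumed: Router B's LAN is 10.3.3.0/24 (the prefix Router A tracks) with the router at .1, the link to the remote PIX is 10.4.4.0/24 with the PIX at 10.4.4.1, the dial number, the ISDN switch type, and the CHAP username/secret are placeholders.

```cisco
! Router B: mirror of Router A (added example; all addressing below is assumed)
hostname router-b
!
! Assumed CHAP peer; the same username/secret pair must be configured on Router A
username router-a password 0 CHANGEME-SHARED-SECRET
!
! Assumed ISDN switch type; set it to whatever the local provider actually uses
isdn switch-type basic-net3
!
interface Loopback0
 description target of Router A's probes, source of our own
 ip address 172.16.23.7 255.255.255.255
!
interface Ethernet0
 description The remote LAN (the prefix Router A tracks)
 ip address 10.3.3.1 255.255.255.0
!
interface Ethernet1
 description To the remote PIX and Internet (assumed 10.4.4.0/24, PIX at .1)
 ip address 10.4.4.2 255.255.255.0
!
interface BRI0
 description physical ISDN line backing dialer pool 1
 no ip address
 encapsulation ppp
 dialer pool-member 1
!
interface Dialer1
 ip address 192.168.1.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 dialer string 0987654321
 dialer-group 1
 dialer pool 1
 dialer idle-timeout 300
!
! Probe Router A's loopback across the VPN, sourced from our own loopback
ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.23.6 source-ipaddr 172.16.23.7
 timeout 400
 frequency 3
 threshold 2
ip sla monitor schedule 1 life forever start-time now
!
track 123 rtr 1 reachability
 delay up 180
!
! Probes leave only via the PIX; with that path down they hit Null0 instead of dialing
access-list 101 permit icmp any host 172.16.23.6 echo
route-map MY_LOCAL_POLICY permit 10
 match ip address 101
 set ip next-hop 10.4.4.1
 set interface Null0
ip local policy route-map MY_LOCAL_POLICY
!
ip route 0.0.0.0 0.0.0.0 10.4.4.1
ip route 10.1.1.0 255.255.255.0 10.4.4.1 track 123
ip route 10.1.1.0 255.255.255.0 192.168.1.2 254
!
! Interesting traffic: only remote-LAN-to-Router-A-LAN packets may bring the BRI up
access-list 150 permit ip 10.3.3.0 0.0.0.255 10.1.1.0 0.0.0.255
dialer-list 1 protocol ip list 150
```

Three things neither router config covers. The PIX crypto ACLs at both sites have to match 172.16.23.6/32 to 172.16.23.7/32 as well as the two LAN prefixes, otherwise the probes never enter the tunnel and the track stays down permanently. The `reachability` form only reacts to lost replies; to also fail over on latency (the "above y" criterion in the question) use `track 123 rtr 1 state` instead, which goes down when the measured RTT exceeds the `threshold` value. And the ISDN path bypasses the PIX entirely, so data that was IPsec-protected on the primary path crosses the PSTN in clear while on backup; the CHAP authentication above only keeps an unwanted peer off the link, it does nothing for confidentiality, so either accept that for the failover window or run IPsec between the two routers over the dialer as well.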
