First, let me state that I'm not a Cisco hands-on expert. I am trying to architect what appears to be a means for dealing with a common scenario. I am in need of some assistance in helping guide me a bit.
We have several small branch offices that have a router with private point-to-point connectivity as well as an internet router that provides internet access.
Our goal is to attempt to create an IPSEC VPN (Site-to-Site) back to a corporate ASA-5510 at our data center using the INTERNET medium to access our private network. We also want to use the private point-to-point connection to connect as a last resort should the primary (IPSEC VPN) fail.
So we've got a 2800 series router and have set up a static Site-to-Site VPN to our ASA-5510 at the corporate router.
At the client site, this 2800 series router uses the Internet Medium (DSL) as the primary medium.
The 2800 has multiple WAN ports and we've hooked up that router and configured a private Point-to-Point address on it.
So the question comes down to how to set up routing to use the VPN route FIRST as the primary route, and then use the Point to Point as the backup route.
I was thinking somehow that EIGRP is the answer, but I'm not sure.
So I need some guidance. What technologies or protocols can you folks guide me to that help me accomplish this?
This is a single router with multiple WAN ports. I was looking at HSRP, but I don't have another router in play at the client site.
What I'm trying to establish is a routing table / protocol that re-routes traffic should the VPN go down over the OTHER Fast Ethernet WAN interface.
I'm worried about bringing up EIGRP because I don't want to cause routing loops inadvertently as this is not my area of "hands on" expertise.
I don't even know if this is the right protocol (EIGRP) to do the job.
The goal isn't to provide redundant ROUTERS, but redundant ROUTES to the destination (our corporate data center).
Any guidance, terms, insights into appropriate protocols, links, would be greatly appreciated.
To me, this seems so trivial, but I'm not familiar enough from a hands-on basis to make this happen.
I appreciate any and all guidance you are willing to provide.
A previous Cisco contractor set up the tunnel using a crypto map.
I was trying to read up a little on using GRE, and we do have EIGRP set up on much of our private network.
Our ASA-5510 with the IPS module is about six months old. We had a VAR install and configure it, then had one of their techs bring up our first "hub and spoke" IPSEC VPN from an 1811 at a branch office. I'm positive that config is using CRYPTO MAP.
Now I have a different 1811 at a site that I want to put in redundant interfaces on. This site has a (SLOW) frame relay network that connects directly to our corporate data center. But this site also has a high-speed internet connection.
So we want to use an IPSEC VPN over the higher speed data medium for better performance while leaving the slow (but cheap) Point to Point connection as a failover route should the VPN go down.
(In the future, we will probably put in 2800 routers at the client site with a 3G card as a backup route, but this is just a concept at this point and may not fly as Verizon/AT&T have highway robbery plans for cellphone data plans.)
Anyways, I hope the info I've provided gives some greater insight.
So do you think at this point that an IPSEC with GRE is the right way to go?
Honestly, not being a pure Cisco hands-on guy, I would've thought that routing redundancy within a router would have been a bit simpler, but this is a learning experience for me.
It seems like EIGRP/GRE may be the right answer. I would have thought that redundant routing would be a very common configuration. But like I said, I'm not quite a Cisco "hands on" guru.
Thanks for the update. The ASA doesn't support GRE, so you can't take that way, which makes the solution more complicated.
On the hub site where you have the ASA and the frame-relay router, you need a routing protocol so other routers could choose between the route announced from the FR router and the route announced from the ASA.