I'm in the process of connecting up 2 of our offices. Both sites currently have a 10Mb leased line and a basic ADSL connection for backup. I will be using a Cisco 1812 at each site for the leased lines and a Cisco 877 for the ADSL lines. I will be using Cisco's tunnel interfaces in ipsec mode (rather than GRE mode). I appreciate I could use GRE multipoint interfaces to reduce some of the config, but I've decided ipsec interfaces will be better due to greater control over ospf routing as well as reduced ipsec config. I've attached a diagram of the proposed setup. In this design there will be 4 ipsec tunnels each with a /30 subnet. I will be running OSPF between the routers and will assign the relevant costs to the interfaces to get the desired routing.
Based on the attached diagram is this a sensible design?
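A worked version of the tunnel design described in the question, added here as an illustration and not the poster's own configuration: one of the four static IPsec VTIs on the Site A 1812, with a /30 on the tunnel interface, OSPF run only across the tunnel and the LAN, and the interface cost used to steer traffic onto the leased-line path. The interface names, the addresses (taken from the RFC 5737 documentation ranges), the pre-shared-key placeholder, the OSPF process number and the cost values are all assumptions; adjust the ISAKMP policy to whatever the IOS image actually supports.

```cisco
! --- Added example: Site A, leased-line router (Cisco 1812), one of four VTIs ---
! Phase 1: authenticate the peer and protect the key exchange.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder PSK: replace with a long random secret, one per peer.
crypto isakmp key <REPLACE-WITH-STRONG-PSK> address 198.51.100.2
!
! Phase 2: ESP with AES-256 and SHA-1 integrity, tunnel mode for the VTI.
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES
!
! Static VTI: no GRE header, no crypto map, no ACL to maintain.
! The /30 gives OSPF a point-to-point link to form an adjacency over.
interface Tunnel0
 description VTI to Site B router 1 over the leased line
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip ospf network point-to-point
 ! Lower cost than the ADSL tunnel so this path is preferred while it is up.
 ip ospf cost 10
 tunnel source FastEthernet0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
interface FastEthernet1
 description Site A LAN
 ip address 192.168.1.1 255.255.255.0
!
! OSPF: advertise the tunnel /30 and the LAN, but never send hellos out
! the Internet-facing interface.
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface FastEthernet1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.1.0 0.0.0.255 area 0
```

The backup ADSL tunnel on the 877 gets the same shape with a higher `ip ospf cost`, so OSPF only uses it when the leased-line tunnel adjacency drops.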
Thank you for your comment. At Site B there is no layer 3 switch, hence the reason for using HSRP. I was really only interested in keepalives on the Tunnel interfaces at Site B for the purposes of tracking the interfaces using HSRP.
So based on your comment, if I replace the tunnel interface keepalives with a 'crypto isakmp keepalive 10', the tunnel interfaces will report as being down if the tunnel is down? If this is not the case then I suppose I will need to set up object tracking for IP routing.
I forgot to mention in my original post, that the 2 routers will also provide general internet connectivity for the 2 sites.
Hi, I forgot to mention that these routers will also provide general internet connectivity and not just site to site connectivity. I was aware of the 8Mbps limit on tunnel interfaces, which is more than sufficient for our environment.
On the issue of HSRP at site B, it's really only necessary for a Site B router, or its LAN interface, failure. Assuming the two site B routers OSPF peer, and they "know" the other router's routes, OSPF will reroute traffic from the primary gateway router to the secondary path. Certainly HSRP tracking can move the gateway to avoid an extra hop, but also assuming the Site B routers' LAN interfaces have (much) more bandwidth than the WAN, the extra router hop (during primary path failure) shouldn't be too much of a concern.
In a later post you mention these routers also support the Internet. In that case, you might want to consider making one the primary path for internal traffic and the other the primary path for Internet traffic. This allows you the option to manage internal path bandwidth since, excluding one path's failure, you'll have deterministic available bandwidth for internal usage.
For such a setup, you could continue to use HSRP at site B, and one type of traffic will normally get an extra hop, or if the site B routers support it, use GLBP and half of the traffic would get an extra hop. Also, if the device supports it, the best option might be mHSRP so that traffic would be redirected to the best virtual gateway.
BTW, when working with your tunnels, I highly recommend, if the device supports it, the MSS adjust command. You'll also want to ensure PMTUD is working correctly.
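Putting the suggestions from this reply and the earlier keepalive question into configuration for one Site B router, as an added example rather than anything posted in the thread: ISAKMP dead peer detection instead of tunnel interface keepalives, a track object on the VTI's line protocol feeding HSRP, MSS clamping on the tunnel, and the DF bit copied to the outer ESP header so PMTUD works end to end. With a static VTI the tunnel's line protocol follows the IPsec SA, so when DPD tears down the SA to a dead peer the tracked interface goes down and HSRP decrements the priority. Interface names, addresses, the priority and decrement values, and the HSRP key placeholder are assumptions, and the IPsec profile `VTI-PROFILE` is assumed to be defined the same way as on the peer.

```cisco
! --- Added example: Site B router 1, LAN side with HSRP and tunnel tuning ---
! DPD: probe the peer every 10 s, retry every 3 s, send probes even when idle.
crypto isakmp keepalive 10 3 periodic
!
! Copy the inner DF bit to the outer header so an oversized packet triggers
! an ICMP "fragmentation needed" back to the sender instead of silent
! fragmentation of the ESP packet (this is the default, stated explicitly).
crypto ipsec df-bit copy
!
interface Tunnel0
 description VTI to Site A over the leased line
 ip address 10.255.0.2 255.255.255.252
 ! Leave headroom for ESP + outer IP; 1400 inner MTU is a common safe value.
 ip mtu 1400
 ! Clamp the TCP MSS during the handshake so segments fit in the tunnel MTU
 ! (1400 - 20 IP - 20 TCP) and PMTUD is never even needed for TCP flows.
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 10
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROFILE
!
! Track the tunnel's line protocol: a torn-down SA takes it down.
track 1 interface Tunnel0 line-protocol
!
interface FastEthernet1
 description Site B LAN
 ip address 192.168.2.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.2.1
 ! Primary gateway: priority 110 drops to 90 if Tunnel0 fails, below the
 ! peer router's assumed default of 100, so the standby takes over.
 standby 1 priority 110
 ! Wait a minute after recovery so OSPF has converged before taking back.
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-string <REPLACE-WITH-HSRP-KEY>
 standby 1 track 1 decrement 20
```

For PMTUD to work across the tunnel, ICMP type 3 code 4 (fragmentation needed) must not be filtered anywhere on the path; `ip tcp adjust-mss` covers TCP regardless, but UDP and other protocols still depend on PMTUD or on the `ip mtu` value being honoured.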