Redundant connections to sites - floating statics and load-balanced

I need to set up a redundant connection between sites starting with 2 and eventually moving to 4.

The environment is using OSPF.

There are private T-1s between the sites currently. What we're trying to do is:
1. If the private T-1 goes down, we want to have traffic route through the PIX across our internet circuits, via IPSEC to the affected site and vice versa. I realize setting up a floating static route would essentially accomplish this goal, but let's talk about a caveat.
The caveat is, what if the router goes down instead of the private T-1? Do I have to add the same floating static route to our redundant core switches? The core switches are running HSRP, also.


2. Configuring the router and the PIX IPSEC connection across the internet - load-balancing.

I'd like to see some examples of both. Also, keep in mind that the configuration has to be able to host more than just the 2 sites. Basically making the 4 sites fully meshed to each other.

lrmoore commented:
I've done something very similar where both the Internet in front of the PIX and the WAN behind the PIX were failover/backups for each other. This is not a trivial task that we can walk you through in a forum like this, but here's the basic scenario:

 Internet router --> advertises default route to PIX using OSPF area 0
 PIX --> has LAN-to-LAN VPN tunnel configured to remote peer
 PIX --> advertises default route to internal router using OSPF area 1
 Internal/WAN router learns default route from PIX, learns remote subnet from WAN via OSPF area 1
 Internal/WAN router has floating static default pointing to the other WAN router with higher cost than OSPF.
 Redundant core switches sit in the middle between the PIX and the WAN router and learn the right default gateway.
If internet link is down, all traffic flows across the WAN.
If WAN link is down, all traffic flows out the PIX and through the VPN tunnel.
If you have multiple VPN tunnels, you can use Reverse Route Injection via OSPF on the PIX (upgraded to 7.x or 8.x)
Using Policy Based Routing (PBR) you can do more semi-load sharing. You can't do load-balancing between a VPN and the WAN link.
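
The failover behaviour described in the answer above, modelled as an added example (not part of the original answer and not a device configuration). It simulates the internal/WAN router's route selection: lowest administrative distance wins per prefix, then longest-prefix match. The subnet, the next-hop labels, the distance of 250, and the assumption that the PIX withdraws its default when the Internet link fails are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str
    distance: int  # administrative distance; lower is preferred

OSPF_AD = 110      # Cisco default distance for OSPF
FLOATING_AD = 250  # assumed value; any distance above 110 makes the static "float"
REMOTE_LAN = ipaddress.ip_network("10.2.0.0/16")  # constructed remote-site subnet
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def candidates(wan_up, internet_up):
    """Routes offered to the internal/WAN router in a given link state."""
    routes = []
    if wan_up:
        # Remote subnet learned over the T-1 via OSPF.
        routes.append(Route(REMOTE_LAN, "T1", "ospf", OSPF_AD))
        # Floating static default toward the other WAN router; it is only
        # usable while the T-1 interface is up.
        routes.append(Route(DEFAULT, "T1", "static", FLOATING_AD))
    if internet_up:
        # Default advertised by the PIX (assumed withdrawn if the Internet fails).
        routes.append(Route(DEFAULT, "PIX", "ospf", OSPF_AD))
    return routes

def install(routes):
    """Per prefix, keep only the route with the lowest administrative distance."""
    rib = {}
    for r in routes:
        best = rib.get(r.prefix)
        if best is None or r.distance < best.distance:
            rib[r.prefix] = r
    return rib

def path(dst, wan_up, internet_up):
    """Longest-prefix match over the installed routes; None means no route."""
    rib = install(candidates(wan_up, internet_up))
    addr = ipaddress.ip_address(dst)
    matches = [r for p, r in rib.items() if addr in p]
    if not matches:
        return None
    r = max(matches, key=lambda m: m.prefix.prefixlen)
    return f"{r.next_hop} ({r.source}/{r.distance})"

if __name__ == "__main__":
    for wan, inet in [(True, True), (False, True), (True, False), (False, False)]:
        print(f"wan_up={wan} internet_up={inet}:",
              "remote ->", path("10.2.5.5", wan, inet),
              "| internet ->", path("198.51.100.7", wan, inet))
```

With the T-1 down, remote-site traffic falls through to the PIX default and therefore into the VPN tunnel; with the Internet down, the floating static is the only default left and everything crosses the T-1.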
shashiaj (Author) commented:
Let me update #2.
It's not that the Internet and VPN connection are to be redundant; it's the private T-1 and the Internet VPN circuit.
shashiaj (Author) commented:
Additionally, is there an example with configs that I could look at regarding your response?
Question has a verified solution.