Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Route Priorities with Crypto Maps for duplicate destination networks, failover VPN

Posted on 2007-12-04
Medium Priority
Last Modified: 2012-05-05
Here is the scenario. We have a hub and spoke point-to-point T1 infrastructure to our remote offices, obviously converging at our HQ. We have brought in DSL connections to each remote office as well, and plan to offload HTTP traffic through the DSL. We also want to use this DSL connection for a Site-to-Site VPN back to HQ if/when the T1 fails.

We are using Cisco 2600-series routers for the T1 links. We want to purchase Cisco 871 routers for the remote offices to provide firewall/vpn services.

Our Cisco routers hosting the T1 connections talk to each other through EIGRP. We plan on using route redistribution for RIP so the Cisco 871 (default IOS doesn't do EIGRP) can get these routes when the T1 is up and route the appropriate traffic over it. When the T1 fails, the routes will dissappear from the RIP advertisements and the Cisco 871 will stop sending corporate traffic to the 2600 router and hopefully start to use its Crypto map to send that traffic. We want the VPN to be 100% idle until the T1 goes down, in fact, it would be best if the VPN never even dialed until it was needed.

Here is the question, when a crypto map exists for a certain destination network in a Cisco device, is it smart enough to NOT use the crypto map for that network when it is also receiving routes from a dynamic routing protocol for the same network? Can you set administrative distances on crypto traffic?
Question by:Lweighall
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 79

Expert Comment

ID: 20407582
> when a crypto map exists for a certain destination network in a Cisco device, is it smart enough to NOT use the crypto map for that network
Actually, yes. There is no heartbeat or keepalive. The tunnel is never active unless and until there is actual traffic that meets the interesting traffic as you have defined by access-list.
Your plan is solid. You don't need to set administrative distances on crypto traffic because it will simply use the default route as long as there is no other learned route more specific.

Author Comment

ID: 20408037
Thank you for your response.

Just to be clear I'd like to throw a more direct question at you. On the same Cisco device there exists a crypto map/ACL for the network, but it also has a route in its table for the through a router on its subnet, it will always prefer the route in the table learned from the other router over its own Crypto ACL? If not, can I set it to?

Sorry for the redundancy here, I just want to be crystal clear.

LVL 79

Accepted Solution

lrmoore earned 2000 total points
ID: 20408158
Yes, it will always prefer the more explicit route. Routes are always chosen by best match, not first match.

Author Closing Comment

ID: 31412705
Thank you.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question