How to set up a failover VPN line in case the leased line fails

Posted on 2010-09-16
Last Modified: 2012-05-10
Hi all

We're managing a network consisting of 1 HQ and 4 remote sites.  The remote sites are connected via a leased line of 2 Mbps.  The remote sites have got 1 small Cisco router provided by the telco provider which provides the connectivity to the HQ.  The HQ itself has got 2 (or maybe 3) Cisco routers which provide the connectivity to the remote sites.

What we want is an economic failover for the connectivity in case a leased line goes down (which happens too often, although we've got a SLA with the provider).  Anyway, we were thinking of purchasing a separate Internet Line in each site (incl HQ) and a small appliance doing VPN (Astaro, Juniper or that kind of stuff).

The problem would be to tell the network/client that the leased line is down and to route the traffic through the VPN line.

What's the best way to do that?
Question by: NEXPERT-AG
Expert Comment

ID: 33694049
In any case, you shouldn't think about making clients aware that the leased line is down and that the route to the same destination has changed. Otherwise you have to change the clients' default gateway in Site A to the VPN router, but you also have to make the HQ site aware that Site A is not reachable through the leased line any more, but through the VPN router instead. This is of course also a technically working solution, but I believe that the SLA with your provider is much quicker than the manual change of your network architecture to get it running that way.

Acquire a bunch of routers and implement, for example, OSPF. A description can be found here:

OSPF is not really easy to implement, but trial and error may work out. In any case: keep in mind that you probably need access to your third-party managed Cisco devices to set them up for OSPF.


Author Comment

ID: 33695923
Hi Stefan

Thank you for your reply.

I was thinking more of a redundant gateway with two physical devices (each connected to the existing Cisco router and the new SDSL VPN line) which automatically detect if the leased line is down and, if so, then re-route the traffic through the SDSL VPN line.  Once the leased line is up again, re-route the traffic back from the VPN line to the leased line.

The problem with buying a bunch of routers is the money, of course (just too expensive).

What we want is a connection from the remote sites to the headquarters (HQ) even if the expensive leased line should go down.  That's why our approach was to have a separate SDSL line from a different ISP and a cheap VPN appliance on both sites.

We don't want to make any manual changes to the system (e.g. change the default gateway of all PCs, servers etc.) should the leased line go down.

Did anyone implement such a scenario?

Expert Comment

ID: 33696904
You can use DMVPN as a solution to your problem. It can work together with dynamic routing protocols. Basically, it is a hub-and-spoke topology. You have a central router (HUB) at your HQ and small routers (SPOKES) at your remote sites, all connected to the internet. The only requirement is to have a static public IP at your HUB router. I have this topology running using a Cisco 1800 at HQ and Cisco 876 at 40 remote sites. There is a lot of documentation about DMVPN on . I think that you don't need to buy additional hardware for your remote sites, as even the 870 series can run DMVPN, so you can use the existing routers on the remote sites.

Author Comment

ID: 33700010
Thank you bjove for your input.

But what happens if a Cisco router in a SPOKE site goes down?  I mean we would also need to have a redundant, physical Cisco router in every SPOKE site.  I assume that Cisco has got some kind of redundancy feature with a heartbeat connection or so, where they check each other to see if they are up or not?

Do you use DMVPN also just for redundancy?

Accepted Solution

bjove earned 500 total points
ID: 33702238
In every remote site I have 2 Cisco 876, and 2 Cisco 1840 in HQ. One Cisco 876 from the remote site is connected with a serial (leased line) link to one of the 1840s in HQ. The second Cisco 876 from the remote site is connected through an ADSL internet line to the second 1840 in HQ, used as a backup link to HQ. I have EIGRP as routing protocol. EIGRP takes care of redundancy. Also, for hardware failover on the remote site, HSRP is configured on both Cisco 876 routers.
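A sketch of the remote-site half of this design (HSRP between the two routers so clients keep one default gateway, EIGRP over both paths, plus neighbour authentication so a rogue device on the LAN or WAN cannot inject routes or hijack the virtual gateway), as an added example that is not bjove's configuration. All addresses, interface names, process numbers and secrets are constructed placeholders; tunnel source/destination and IPsec protection for Tunnel0 are omitted.

```cisco
! Added example, not the poster's configuration. Constructed values throughout.
! ---------- R1: primary remote router, leased line to HQ ----------
key chain EIGRP-KEYS
 key 1
  key-string <replace-with-shared-secret>
!
interface Serial0
 description Leased line to HQ
 ip address 172.16.1.2 255.255.255.252
 ! Only accept EIGRP updates from neighbours holding the shared key
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface Vlan1
 description Remote-site LAN; clients use 10.1.1.1 as default gateway
 ip address 10.1.1.2 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop 20 below R2's priority (100) when the leased line goes down so R2
 ! becomes the active gateway; preempt hands it back once Serial0 recovers
 standby 1 track Serial0 20
 standby 1 authentication md5 key-string <replace-with-hsrp-secret>
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.1.0 0.0.0.3
 no auto-summary
!
! ---------- R2: backup remote router, ADSL + VPN tunnel to HQ ----------
! (same key chain EIGRP-KEYS as on R1)
interface Tunnel0
 description VPN tunnel to HQ over the ADSL line
 ip address 172.16.2.2 255.255.255.252
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
interface Vlan1
 ip address 10.1.1.3 255.255.255.0
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <replace-with-hsrp-secret>
!
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.2.0 0.0.0.3
 no auto-summary
```

While the leased line is up, HQ learns the site prefix over both Serial0 and Tunnel0 and EIGRP prefers the better metric; when Serial0 fails, the tunnel path remains and the HSRP decrement moves the active gateway to R2, so no client setting changes.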
