Creating Redundant links from Hub router to spoke routers

Posted on 2013-11-21
Last Modified: 2013-12-09
Hi EE,

I'm in the process of setting up redundant links from main office (hub) to two branch offices (stubs).

I'm in the planning stage and would like to have a very good plan before I start doing anything, with the objective that I have redundant links and no failover as long as at least one ISP is still up. The only time I expect downtime is if both ISPs go down or some other issue like both links going down.

I want to set up vpn tunnels to the spoke routers. I'll use ISP1 as primary and ISP2 as backup.

The idea is that if a tunnel fails because the link to ISP1 fails, the backup tunnel should be built and come alive so that downtime is minimal.

On the spoke router there is only one endpoint; however, on the hub there are two endpoints for both ISPs, which means I have two public IP addresses.

I've heard of VTI, DMVPN, HSRP, object tracking and dynamic routing protocols, and I'm a bit overwhelmed with the information and want some direction to get it right.

Suggestions, directions and help much appreciated.

Thanks
topology.PNG
Question by:Daera
12 Comments
LVL 12

Expert Comment

by:Infamus
ID: 39666239
You can use BGP on the routers, but I'm assuming those are managed by the ISPs.

If so, you can use two default gateways, which are managed by you and pretty simple.

ISP1: 10.1.1.1
ISP2: 10.2.2.1

ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 100

When you do sh ip route, the ISP2 route doesn't show up until the ISP1 link goes down.
LVL 12

Accepted Solution

by:
Infamus earned 500 total points
ID: 39666392
Here's the one using ip sla with tracking.

config t
ip sla monitor 1
type echo protocol ipIcmpEcho 10.1.1.1
! 10.1.1.1 can be any pingable IP
timeout 5000
frequency 10
exit

ip sla schedule 1 start-time now life forever

track 1 rtr 1

ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10


exit

Anyone is welcome to add/correct if I'm missing/wrong.
LVL 12

Expert Comment

by:Infamus
ID: 39666538
Some IOS versions have different commands.

config t
ip sla 1
icmp-echo 10.1.1.1

The rest should be the same.

I just used the ISP1 IP to ping as an example, but any pingable internet IP should be fine.

Author Comment

by:Daera
ID: 39667014
Thanks. The routers will be managed by me. Any samples of VPN/DMVPN or VTI configs? Especially if there is only one ingress/egress endpoint on the spoke routers for two VPN tunnels?

Thanks
LVL 12

Expert Comment

by:Infamus
ID: 39667076
Here's a video on creating a site-to-site IPsec VPN.

http://www.youtube.com/watch?v=60N9T4tFMN0

IP SLA object tracking should take care of the failover part.
LVL 12

Expert Comment

by:Infamus
ID: 39667322

Author Comment

by:Daera
ID: 39668400
Thanks Infamus, any configs related to VTI VPN?
LVL 12

Expert Comment

by:Infamus
ID: 39668631

Author Comment

by:Daera
ID: 39672170
Thanks for the link. I've simulated a site-to-site IPsec VPN using static routes.

Now I'd like to try the failover scenario using VTI tunnels with dynamic routing.

I've attached a diagram FYI. My primary link is yellow and the secondary link is green. Green will only come alive when the link on 1.1.1.2 fails.
top2.PNG

Author Comment

by:Daera
ID: 39673409
Played around with the simulation and can VPN to the US router just fine.

When both links are up, I can VPN. When only one of the links is up, I can VPN, so that is good.

What I want to do now is to be able to track the primary link so that when it goes down the backup link kicks in.

When the primary comes back, it kicks in and the backup is demoted.

Any direction on how to achieve this is most appreciated.

Thanks

Configs of the setup are below.

----------AUS Router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 2.2.2.2
crypto isakmp key 6 cisco address 3.3.3.2
crypto isakmp keepalive 10
crypto isakmp profile 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY TUN TO SPOKE1"
 ip address 192.168.9.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "PRIMARY TUN TO SPOKE2"
 ip address 192.168.9.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description "BACKUP TUN TO SPOKE1"
 ip address 192.168.9.9 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

interface FastEthernet0/0
 description "PRIMARY LINK TO WAN"
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "BACKUP LINK TO WAN"
 ip address 4.4.4.2 255.255.255.252
 duplex auto
 speed auto


router rip
 version 2
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.9.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 4.4.4.1



-------------- US router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 1.1.1.2
crypto isakmp key 6 cisco address 4.4.4.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY LINK"
 ip address 192.168.9.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "SECONDARY LINK"
 ip address 192.168.9.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI


router rip
 version 2
 network 10.0.0.0
 network 192.168.9.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
LVL 12

Assisted Solution

by:Infamus
Infamus earned 500 total points
ID: 39673752
On AUS router:

config t
ip sla 1
icmp-echo 4.2.2.1
timeout 5000
frequency 10
exit

ip sla schedule 1 start-time now life forever

track 1 rtr 1

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 4.4.4.1 10

exit

From US and CHN, I only see one link on the router. Is the diagram correct?
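A fuller version of the tracked-route idea from the accepted solution and the AUS answer above, as an added example that is not part of this thread. It pins the probe to ISP1 so the tracked default route cannot flap once traffic has moved to ISP2, turns on periodic DPD so a dead ISP1 path tears the VTI down instead of leaving it up, and uses RIP offset-lists so the backup tunnels only carry traffic while the primary ones are down. Interface names, tunnel numbers and addresses are those from Daera's posted configs and the probe target 4.2.2.1 is from Infamus's answer; the offset value, timers and the use of the newer `track ... ip sla ... reachability` syntax are my assumptions.

```cisco
! ===== AUS hub (two ISPs) =====
! Host route keeps the probe on ISP1 even after the default route has
! flipped to ISP2; without it the probe would succeed via ISP2, bring the
! track back up and the default route would flap between the two ISPs.
ip route 4.2.2.1 255.255.255.255 1.1.1.1
!
ip sla 1
 icmp-echo 4.2.2.1 source-interface FastEthernet0/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Dampen the track so one lost probe does not flip the route.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default via ISP1 only while the track is up; floating static via ISP2.
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 4.4.4.1 10
!
! Periodic DPD: if the peer stops answering, the IPsec SA is torn down and
! the VTI line protocol goes down, so RIP reconverges onto the backup tunnel.
crypto isakmp keepalive 10 3 periodic
!
! Tunnel0/Tunnel2 both reach SPOKE1 with the same hop count, so RIP would
! load-share across them. Add hops on the backup tunnel so it is only used
! when Tunnel0 is down.
router rip
 version 2
 offset-list 0 in 5 Tunnel2
 offset-list 0 out 5 Tunnel2
 no auto-summary
!
! ===== US spoke (one WAN address, two VTIs) =====
! Mirror the preference on the spoke: Tunnel1 is the backup to 4.4.4.2.
crypto isakmp keepalive 10 3 periodic
router rip
 version 2
 offset-list 0 in 5 Tunnel1
 offset-list 0 out 5 Tunnel1
 no auto-summary
```

Verify with `show track 1`, `show ip sla statistics 1` and `show ip route rip`: after shutting ISP1 upstream in the simulation, the track should go down, the default route should move to 4.4.4.1, and the spoke networks should be learned via Tunnel2/Tunnel1 only.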

Author Comment

by:Daera
ID: 39680143
Yes, the diagram is correct, hence the need to use VTI, so that I can have two tunnels (primary and secondary) going from one WAN interface to AUS.

Thanks, I will try it.

On a side note, can a WAN interface configured for IPsec VPN with a crypto map be used as a tunnel source in a VTI interface?