Creating Redundant links from Hub router to spoke routers

Hi EE,

I'm in the process of setting up redundant links from the main office (hub) to two branch offices (stubs).

I'm in the planning stage and would like to have a very good plan before I start doing anything, with the objective that I have redundant links and no fail-over as long as at least one ISP is still up. The only time I expect downtime is if both ISPs go down, or some other issue such as both links going down.

I want to set up VPN tunnels to the spoke routers. I'll use ISP1 as primary and ISP2 as backup.

The idea is that if a tunnel fails because the link to ISP1 fails, the backup tunnel should be built and come alive, and downtime is minimal.

On the spoke router there is only one endpoint; however, on the hub there are two endpoints, one for each ISP, which means I have two public IP addresses.

I've heard of VTI, DMVPN, HSRP, object tracking and dynamic routing protocols, and I am a bit overwhelmed by the information and want some direction to get it right.

Suggestions, directions and help much appreciated.

Thanks
topology.PNG
Asked by Daera
Infamus commented:
You can use BGP on the routers, but I'm assuming those are managed by the ISPs.

If so, you can use two default gateways, which is managed by you and pretty simple.

ISP1: 10.1.1.1
ISP2: 10.2.2.1

! primary default route (administrative distance 1)
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! floating static with AD 100: only installed once the primary is gone
ip route 0.0.0.0 0.0.0.0 10.2.2.1 100

When you do "sh ip route", the ISP2 route doesn't show up until the ISP1 link goes down.
 
Infamus commented:
Here's the one using IP SLA with tracking.

config t
ip sla monitor 1
 ! probe target: any pingable IP will do, the ISP1 gateway is used here
 type echo protocol ipIcmpEcho 10.1.1.1
 timeout 5000
 frequency 10
exit

! older "ip sla monitor" syntax uses the matching schedule command
ip sla monitor schedule 1 start-time now life forever

track 1 rtr 1 reachability

! primary default exists only while track 1 is up; backup floats at AD 10
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10

exit

Anyone is welcome to add/correct if I'm missing/wrong.
 
Infamus commented:
Some IOS versions have different commands.

config t
ip sla 1
 icmp-echo 10.1.1.1

The rest should be the same.

I just used the ISP1 IP to ping as an example, but any pingable Internet IP should be fine.
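Putting the three replies above together (the floating static, the IP SLA tracking in the older syntax, and the newer "ip sla" syntax), here is one complete hub-side configuration as an added example; it is not from the thread. It uses the newer syntax throughout, keeps Infamus's gateway addresses 10.1.1.1 and 10.2.2.1, and assumes the ISP1-facing interface is GigabitEthernet0/0 and that 198.51.100.1 stands in for a real Internet host that answers ICMP (both are assumptions, replace them). It adds two things the short answers leave out: the probe target is pinned behind ISP1 with a host route, because otherwise, once the default route has failed over, the same probe succeeds through ISP2, the track object comes back up and the primary route flaps; and the track object gets up/down delays so one lost echo does not move the default route.

```ios
! --- hub router: ISP1 primary, ISP2 floating backup, driven by IP SLA ---
! Assumed values (not from the thread): Gi0/0 faces ISP1 (gateway 10.1.1.1),
! ISP2 gateway is 10.2.2.1, and 198.51.100.1 stands in for a real Internet
! host that answers ICMP. Replace all of them before use.
!
! 1. Pin the probe target behind ISP1 so the probe tests ISP1 and only ISP1.
!    Without this, after the default route moves to ISP2 the probe succeeds
!    via ISP2, track 1 goes back up and the primary default route flaps.
ip route 198.51.100.1 255.255.255.255 10.1.1.1
!
! 2. The probe: one ICMP echo every 5 s, failed after 1 s, sourced from the
!    ISP1 interface address so the reply has to come back over that link.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 1 start-time now life forever
!
! 3. Track object with dampening: ISP1 is declared down after 10 s of
!    failures and up again only after 30 s of successes.
!    Older IOS: "track 1 rtr 1 reachability".
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! 4. Primary default (AD 1) is installed only while track 1 is up; the ISP2
!    route has AD 10, so it is a floating static hidden until the primary goes.
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10
!
! Verification (exec mode) while you pull the ISP1 link and put it back:
!   show track 1               -> "Reachability is Up/Down" and last change
!   show ip sla statistics 1   -> probe successes and failures
!   show ip route 0.0.0.0      -> which gateway is installed right now
!   debug track                -> logs each state change of track 1
```

Pick a probe target you do not otherwise care about reaching through ISP1 (one of ISP1's own DNS resolvers is a common choice): the host route means all of the hub's traffic to that address always uses ISP1, even when the default route is on ISP2. Pinging the directly connected gateway, as in the reply above, only detects a dead local link; a target a few hops into the Internet also catches an ISP whose last-mile is up but whose upstream is not.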
Daera (author) commented:
Thanks, the routers will be managed by me. Any samples of VPN/DMVPN or VTI configs? Especially if there is only one ingress/egress from the spoke routers for two VPN tunnels?

Thanks
 
Infamus commented:
Here's a video of creating a site-to-site IPsec VPN.

http://www.youtube.com/watch?v=60N9T4tFMN0

SLA object tracking should take care of the failover part.
 
Daera (author) commented:
Thanks Infamus, any configs related to VTI VPN?
 
Daera (author) commented:
Thanks for the link. I've simulated a site-to-site IPsec VPN using static routes.

Now I'd like to try the fail-over scenario using VTI tunnels with dynamic routing.

I've attached a diagram FYI. My primary link is yellow and the secondary link is green. Green will only come alive when the link on 1.1.1.2 fails.
top2.PNG
 
Daera (author) commented:
Played around with the simulation and can VPN to the US router just fine.

When both links are up, I can VPN. When one of the links is up, I can VPN, so that is good.

What I want to do now is to be able to track the primary link so that when it goes down the backup link kicks in.

When the primary comes back it kicks in and the backup is demoted.

Any directions on how to achieve this most appreciated.

Thanks

Configs of the set-up are below.

----------AUS Router-----------

! IKE phase 1 (as posted: 3DES, SHA-1, DH group 2, pre-shared key "cisco")
crypto isakmp policy 10
 authentication pre-share
 group 2
! one pre-shared key per spoke public address
crypto isakmp key 6 cisco address 2.2.2.2
crypto isakmp key 6 cisco address 3.3.3.2
! dead peer detection every 10 s; this is what brings a VTI down when the peer stops answering
crypto isakmp keepalive 10
! empty ISAKMP profile (no match identity), not referenced anywhere
crypto isakmp profile 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
! IPsec profile shared by all three VTIs
crypto ipsec profile VTI
 set transform-set TSET
!
! primary VTI to spoke 1, sourced from the ISP1 address 1.1.1.2
interface Tunnel0
 description "PRIMARY TUN TO SPOKE1"
 ip address 192.168.9.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! primary VTI to spoke 2, also over ISP1
interface Tunnel1
 description "PRIMARY TUN TO SPOKE2"
 ip address 192.168.9.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! backup VTI to spoke 1, sourced from the ISP2 address 4.4.4.2, same spoke destination
interface Tunnel2
 description "BACKUP TUN TO SPOKE1"
 ip address 192.168.9.9 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface FastEthernet0/0
 description "PRIMARY LINK TO WAN"
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "BACKUP LINK TO WAN"
 ip address 4.4.4.2 255.255.255.252
 duplex auto
 speed auto
!
! RIP over the LANs and the 192.168.9.0 tunnel subnets
router rip
 version 2
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.9.0
!
! two default routes with equal administrative distance: both are installed and load-shared
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 4.4.4.1



-------------- US Router-----------

! IKE phase 1, same parameters as the hub
crypto isakmp policy 10
 authentication pre-share
 group 2
! one pre-shared key per hub public address (ISP1 side and ISP2 side)
crypto isakmp key 6 cisco address 1.1.1.2
crypto isakmp key 6 cisco address 4.4.4.2
crypto isakmp keepalive 10
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET
!
! primary VTI, terminates on the hub's ISP1 address
interface Tunnel0
 description "PRIMARY LINK"
 ip address 192.168.9.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
! backup VTI from the same single WAN interface, terminates on the hub's ISP2 address
interface Tunnel1
 description "SECONDARY LINK"
 ip address 192.168.9.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.9.0
 no auto-summary
!
ip forward-protocol nd
! single ISP at the spoke: one default route to its gateway
ip route 0.0.0.0 0.0.0.0 2.2.2.1
 
Infamus commented:
On the AUS router:

config t
ip sla 1
 icmp-echo 4.2.2.1
 timeout 5000
 frequency 10
exit

ip sla schedule 1 start-time now life forever

! older IOS: track 1 rtr 1 reachability
track 1 ip sla 1 reachability

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 4.4.4.1 10

exit

From US and CHN, I only see one link on the router. Is the diagram correct?
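One thing the AUS-side answer above does not cover, given as an added example that is not from the thread: in the posted AUS config both tunnels to spoke 1 have the same outer destination, 2.2.2.2, so their IPsec packets follow whichever default route is installed at the time. While the ISP1 default is active, Tunnel2's packets, sourced from 4.4.4.2, leave through ISP1, which has no reason to carry ISP2's address and will normally drop them; after failover, Tunnel0's packets sourced from 1.1.1.2 would leave through ISP2 in the same way. The configuration below pins each tunnel's outer traffic to its own ISP with a local policy route-map, makes the backup tunnel less preferred in RIP so that traffic moves back to the primary on its own when ISP1 recovers, and shortens the RIP timers so a dead tunnel is noticed in seconds rather than minutes. Addresses and interface names are Daera's; the route-map and ACL numbers, the offset values and the timer values are assumptions. It also assumes, as is the purpose of "ip local policy" on IOS, that the policy applies to the router's own IPsec-encapsulated tunnel packets; where a platform does not honour that, a front-door VRF per ISP ("tunnel vrf") is the alternative. The IP SLA default-route tracking from the reply above stays exactly as given; this complements it. Separately, the posted crypto (3DES, SHA-1, DH group 2, a shared key of "cisco") is lab-grade: on real links use AES, a SHA-2 transform, DH group 14 or higher, and a distinct key per spoke.

```ios
! --- AUS hub: keep each VTI's outer IPsec traffic on its own ISP link ---
! Addresses and interfaces are from Daera's posted config. Route-map name,
! ACL numbers, offset values and RIP timers are assumptions for this example.
!
! Match the hub's own packets by outer source address: 1.1.1.2 is used only
! by Tunnel0/Tunnel1 (ISP1), 4.4.4.2 only by Tunnel2 (ISP2).
access-list 101 permit ip host 1.1.1.2 any
access-list 102 permit ip host 4.4.4.2 any
!
! "set interface Null0" is the fallback when the next hop is unreachable:
! if ISP1 is gone, drop 1.1.1.2-sourced packets rather than leak them via ISP2
! (the tunnel must not come up over the wrong ISP), and likewise for ISP2.
route-map PIN-WAN permit 10
 match ip address 101
 set ip next-hop 1.1.1.1
 set interface Null0
route-map PIN-WAN permit 20
 match ip address 102
 set ip next-hop 4.4.4.1
 set interface Null0
!
! Local policy applies to packets the router itself generates, which is what
! the IPsec-encapsulated VTI packets are.
ip local policy route-map PIN-WAN
!
! Make the backup tunnel less attractive in RIP: add 3 hops to everything
! learned over or advertised over Tunnel2. The primary path wins whenever
! Tunnel0 is up, so traffic returns to ISP1 by itself when it comes back.
! Timers: update 10 s, invalid 30 s, holddown 30 s, flush 60 s; the same
! values must be set on every RIP neighbour (both spokes).
router rip
 version 2
 no auto-summary
 offset-list 0 in 3 Tunnel2
 offset-list 0 out 3 Tunnel2
 timers basic 10 30 30 60
!
! DPD is already on ("crypto isakmp keepalive 10"): when ISP1 dies upstream,
! IKE drops the SA, Tunnel0's line protocol goes down and RIP withdraws the
! routes learned over it within the timers above. A physical Fa0/0 failure
! takes Tunnel0 down immediately because it is the tunnel source.
!
! --- US spoke: mirror of the offset so the backup is also deprioritised in
!     the spoke-to-hub direction ---
router rip
 version 2
 no auto-summary
 offset-list 0 in 3 Tunnel1
 offset-list 0 out 3 Tunnel1
 timers basic 10 30 30 60
!
! Verification after pulling ISP1 on the hub, then restoring it:
!   show ip route rip                        -> spoke routes via 192.168.9.10
!                                               (Tunnel2) only, then back via
!                                               192.168.9.2 (Tunnel0)
!   show crypto ipsec sa | include peer|pkts -> counters move on the ISP2 peer
!   show route-map PIN-WAN                   -> policy match counters increase
```

With the routing protocol deciding which tunnel carries traffic, there is no need for a second tracked route per spoke: the tracked default routes decide which ISP the hub's ordinary Internet traffic uses, the local policy decides which ISP each tunnel's packets use, and RIP metrics decide which tunnel the site-to-site traffic uses.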
 
Daera (author) commented:
Yes, the diagram is correct, hence the need to use VTI, so that I can have two tunnels (primary and secondary) going from one WAN interface to AUS.

Thanks, I will try it.

On a side note:
Can a WAN interface configured for IPsec VPN with a crypto map be used as the tunnel source of a VTI interface?
