Daera (New Zealand)

asked on

Creating Redundant links from Hub router to spoke routers

Hi EE,

I'm in the process of setting up redundant links from main office (hub) to two branch offices (stubs).

I'm in the planning stage and would like to have a very good plan before I start doing anything with the objective that I have redundant links and no fail over as long as at least one ISP is still up. The only time I expect downtime is if both ISPs go down or some other issues like both links go down.

I want to set up vpn tunnels to the spoke routers. I'll use ISP1 as primary and ISP2 as backup.

The idea is that if a tunnel fails because the link to ISP1 fails, the backup tunnel should be built and come alive, and downtime is minimal.

On the spoke router there is only one endpoint; however, on the hub there are two endpoints for both ISPs, which means I have 2 public IP addresses.

I've heard of VTI, DMVPN, HSRP, object tracking and dynamic routing protocols, and I'm a bit overwhelmed with the information and want some directions to get it right.

Suggestions, directions and help much appreciated.

Thanks
Attachment: topology.PNG

Infamus

You can use BGP on the routers, but assuming those are managed by the ISPs.

If so, you can use two default gateways, which are managed by you and pretty simple.

ISP1: 10.1.1.1
ISP2: 10.2.2.1

ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 100

When you do sh ip route, the ISP2 route doesn't show up until the ISP1 link goes down.

ASKER CERTIFIED SOLUTION
Infamus

Some IOS versions have different commands.

config t
ip sla 1
icmp-echo 10.1.1.1

The rest should be the same.


I just used the ISP1 IP to ping as an example, but any pingable internet IP should be fine.
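The two pieces Infamus describes (floating static routes and an IP SLA probe) only fail over together once the probe is turned into a tracked object and attached to the primary route. The following is an added example, not Infamus's or Daera's own configuration; it uses the constructed gateway addresses 10.1.1.1 and 10.2.2.1 from the answer above, and the interface name FastEthernet0/0 is an assumption about which interface faces ISP1.

```cisco
! Added example (not from the original post): IP SLA probe + object tracking
! that withdraws the ISP1 default route when the ISP1 gateway stops answering,
! so the floating route via ISP2 (AD 100) takes over, and restores it when
! ISP1 comes back.
!
! 1. Probe the ISP1 gateway every 5 seconds from the ISP1-facing interface.
!    Pinning the source interface keeps the probe from leaking out via ISP2
!    after a failover, which would make the tracked object flap.
ip sla 1
 icmp-echo 10.1.1.1 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! 2. Turn the probe into a tracked object. The delays keep one lost ping from
!    triggering a failover and make the router see 30 s of clean probes
!    before moving back to ISP1 (dampens a flapping circuit).
track 1 ip sla 1 reachability
 delay down 5 up 30
!
! 3. The primary default route is installed only while track 1 is up; the
!    backup carries AD 100, so it stays out of the routing table until then.
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 100
!
! Verification after the change:
!   show track 1            -> Reachability is Up / Down
!   show ip sla statistics 1
!   show ip route 0.0.0.0   -> which gateway is currently installed
```

Two caveats a practitioner should check before relying on this. Older IOS releases spell the tracked object `track 1 rtr 1 reachability` instead of `ip sla`, which is the "different commands" Infamus mentions. And if the probe target is a far-off internet address rather than the ISP1 gateway, add a host route for that address via 10.1.1.1; otherwise, once the floating route is active, the probe succeeds through ISP2, the track comes back up, the primary route reappears, and the router oscillates between the two providers. Probing only the gateway, on the other hand, will not notice an outage further inside ISP1's network.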
Thanks, the routers will be managed by me. Any samples of VPN/DMVPN/VTI configs? Especially if there is only one ingress/egress end on the spoke routers for two VPN tunnels?


Thanks
Infamus

Here's a video of creating a site-to-site IPsec VPN.

http://www.youtube.com/watch?v=60N9T4tFMN0

SLA Object tracking should take care of the failover part.
Daera (ASKER)

Thanks Infamus, any configs related to VTI VPN?
Daera (ASKER)

Thanks for the link. I've simulated a site-to-site IPsec VPN using static routes.

Now I'd like to try a fail-over scenario using VTI tunnels with dynamic routing.

I've attached a diagram FYI. My primary link is yellow and the secondary link is green. Green will only come alive when the link on 1.1.1.2 fails.

Attachment: top2.PNG
Daera (ASKER)

Played around with the simulation and can VPN to the US router just fine.

When both links are up, I can VPN. When one of the links is up, I can VPN, so that is good.

What I want to do now is to be able to track the primary link so that when it goes down the backup link kicks in.

When the primary comes back it kicks in and the backup is demoted.

Any directions on how to achieve this most appreciated.

Thanks

Configs of the setup are below.

----------AUS Router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 2.2.2.2
crypto isakmp key 6 cisco address 3.3.3.2
crypto isakmp keepalive 10
crypto isakmp profile 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY TUN TO SPOKE1"
 ip address 192.168.9.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "PRIMARY TUN TO SPOKE2"
 ip address 192.168.9.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description "BACKUP TUN TO SPOKE1"
 ip address 192.168.9.9 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

interface FastEthernet0/0
 description "PRIMARY LINK TO WAN"
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "BACKUP LINK TO WAN"
 ip address 4.4.4.2 255.255.255.252
 duplex auto
 speed auto


router rip
 version 2
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.9.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 4.4.4.1



----------US Router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 1.1.1.2
crypto isakmp key 6 cisco address 4.4.4.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY LINK"
 ip address 192.168.9.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "SECONDARY LINK"
 ip address 192.168.9.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI


router rip
 version 2
 network 10.0.0.0
 network 192.168.9.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
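The posted configuration keeps both VTIs up at all times and runs RIP over both, so "track the primary link" comes down to two things: make RIP prefer the primary tunnel while it exists, and make sure the backup tunnel's outer packets actually leave through ISP2. As posted, the hub has two equal default routes, so packets sourced from 4.4.4.2 (Tunnel2) may be forwarded out FastEthernet0/0 to ISP1, which did not assign that address and will normally drop them as spoofed. The following is an added example written against the addresses in Daera's configs above; it is not the asker's or the expert's own config. It assumes IOS with local policy routing, `offset-list` for RIP, and IP SLA tracking (the tracked default route is the same technique Infamus describes earlier, applied here to 1.1.1.1 and 4.4.4.1); the route-map name, access-list number and timer values are constructed.

```cisco
! ===== Hub (AUS router): additions to the posted config =====
!
! a) Track the ISP1 next hop; the ISP2 default route becomes a floating backup
!    (AD 10) instead of an equal-cost twin of the ISP1 route.
ip sla 1
 icmp-echo 1.1.1.1 source-interface FastEthernet0/0
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 5 up 30
no ip route 0.0.0.0 0.0.0.0 4.4.4.1
ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 4.4.4.1 10
!
! b) Pin the backup tunnel's outer (IPsec) packets, sourced from 4.4.4.2, to
!    ISP2 regardless of which default route is installed. Locally generated
!    traffic is only subject to "ip local policy", not interface policy.
access-list 101 permit ip host 4.4.4.2 any
route-map PIN-ISP2 permit 10
 match ip address 101
 set ip next-hop 4.4.4.1
ip local policy route-map PIN-ISP2
!
! c) RIP runs over both tunnels. Adding 2 hops to everything learned over
!    Tunnel2 keeps the spoke's 10.0.0.0 routes pointing at Tunnel0 while it
!    is up; when Tunnel0's line protocol drops, the Tunnel2 copies win.
router rip
 version 2
 no auto-summary
 offset-list 0 in 2 Tunnel2
!
! d) Periodic DPD (every 10 s, 3 retries) so a dead peer tears down the IPsec
!    SA, and with it the VTI line protocol, within tens of seconds instead of
!    waiting for a rekey or the next on-demand DPD.
crypto isakmp keepalive 10 3 periodic

! ===== Spoke (US router): additions to the posted config =====
! One WAN interface, two tunnels to different hub addresses, so routing of the
! outer packets needs no pinning here; only the RIP preference and DPD change.
router rip
 version 2
 no auto-summary
 offset-list 0 in 2 Tunnel1
crypto isakmp keepalive 10 3 periodic

! Checks during a failover test (shut ISP1's side of the 1.1.1.0/30 link):
!   show track 1                       -> goes Down after ~5 s
!   show ip route 0.0.0.0              -> next hop flips to 4.4.4.1
!   show crypto session                -> Tunnel0 peer 2.2.2.2 via 1.1.1.2 clears
!   show ip route rip                  -> 10.0.0.0 routes now via Tunnel2 / Tunnel1
!   show ip policy                     -> local policy PIN-ISP2 is applied
```

Failover time is the sum of DPD detection (about 30 s with the values above) and RIP's convergence once the tunnel interface goes down; when ISP1 returns, the tracked route comes back after the 30 s up-delay, Tunnel0 re-establishes, and the offset makes RIP move traffic back to it. The example deliberately leaves the posted ISAKMP policy and transform set untouched so it drops into that config, but on a production router replace the dictionary-word pre-shared key, 3DES and DH group 2 with a random key, AES and DH group 14 or higher.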
SOLUTION

Daera (ASKER)
Yes, the diagram is correct, hence the need to use VTI, so that I can have two tunnels (primary and secondary) going from one WAN interface to AUS.

Thanks, I will try it.

On a side note: can a WAN interface configured for IPsec VPN with a crypto map be used as a tunnel source in a VTI interface?