Solved

Creating Redundant links from Hub router to spoke routers

Posted on 2013-11-21
12
302 Views
Last Modified: 2013-12-09
Hi EE,

I'm in the process of setting up redundant links from main office (hub) to two branch offices (stubs).

I'm in the planning stage and would like to have a very good plan before I start doing anything with the objective that I have redundant links and no fail over as long as at least one ISP is still up. The only time I expect downtime is if both ISPs go down or some other issues like both links go down.

I want to set up vpn tunnels to the spoke routers. I'll use ISP1 as primary and ISP2 as backup.

The idea is that if a tunnel fails because the link to ISP1 fails, the backup tunnel should be built and come alive so that downtime is minimal.

On the spoke router, there is only one endpoint however on the hub are the two endpoints for both ISPs which means I have 2 public ip addresses.

I've heard of vti, dmvpn, hsrp, object tracking, dynamic routing protocols and am a bit overwhelmed with the information and want some directions to get it right.

Suggestions, directions and help much appreciated.

Thanks
topology.PNG
0
Question by:Daera
12 Comments
 
LVL 12

Expert Comment

by:Infamus
ID: 39666239
You can use BGP on the routers, but I'm assuming those are managed by the ISPs.

If so, you can use two default gateways, which are managed by you and pretty simple.

ISP1: 10.1.1.1
ISP2: 10.2.2.1

ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 100

When you do sh ip route, the ISP2 route doesn't show up until the ISP1 link goes down.
0
 
LVL 12

Accepted Solution

by:
Infamus earned 500 total points
ID: 39666392
Here's the one using ip sla with tracking.

config t
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.1.1.1
 ! 10.1.1.1 can be any pingable IP
 timeout 5000
 frequency 10
exit

! the old "ip sla monitor" syntax schedules with "ip sla monitor schedule"
ip sla monitor schedule 1 start-time now life forever

track 1 rtr 1

ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10

exit

Anyone is welcome to add/correct if I'm missing/wrong.
0
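The same tracked floating default route, as an added example that is not from Infamus's post or the original thread, with two details a production deployment needs: a host route that pins the probe target through ISP1 (otherwise, once the default route has failed over to ISP2, the probe also leaves via ISP2, succeeds, brings the track back up and the default route flaps between the two ISPs), and up/down delays on the track object so a single lost ping does not swing the routing table. Next hops 10.1.1.1 and 10.2.2.1 are the values from the post; 4.2.2.1 is the probe target Infamus uses later in the thread, and FastEthernet0/0 as the ISP1-facing interface is an assumption.

```cisco
! Added example, not from the thread. Assumes ISP1 next hop 10.1.1.1 on
! FastEthernet0/0, ISP2 next hop 10.2.2.1, and 4.2.2.1 as a pingable
! address beyond ISP1's gateway.
!
! 1. Host route so the probe can only succeed through ISP1. Without it the
!    probe follows whichever default route is active and the track flaps.
ip route 4.2.2.1 255.255.255.255 10.1.1.1
!
! 2. ICMP probe sourced from the ISP1-facing address; timeout and
!    frequency are in milliseconds and seconds respectively.
ip sla 1
 icmp-echo 4.2.2.1 source-interface FastEthernet0/0
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 3. Track object with hysteresis: 10 s of failures before declaring the
!    path down, 30 s of success before declaring it up again.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! 4. Primary default route exists only while track 1 is up; the backup has
!    administrative distance 10 and stays out of the RIB until then.
ip route 0.0.0.0 0.0.0.0 10.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 10.2.2.1 10
```

Verify with `show track 1` and `show ip sla statistics 1`; `show ip route 0.0.0.0` should move from 10.1.1.1 to 10.2.2.1 roughly 10 seconds after the probe starts failing. Probing an address beyond the ISP's own gateway matters: the ISP1 gateway can stay pingable while the ISP's upstream is down, and a probe aimed at the gateway would never trigger the failover. On older IOS that only accepts `ip sla monitor`, use `ip sla monitor schedule` and `track 1 rtr 1 reachability` instead.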
 
LVL 12

Expert Comment

by:Infamus
ID: 39666538
Some IOS has different commands.

config t
ip sla 1
icmp-echo 10.1.1.1

the rest should be the same


I just used ISP1 ip to ping just for an example but any pingable internet IP should be fine.
0

 

Author Comment

by:Daera
ID: 39667014
Thanks. Routers will be managed by me. Any samples of vpn/dmvpn/vti configs? Especially if there is only one ingress/egress end on the spoke routers for two vpn tunnels?


Thanks
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39667076
Here's a video of creating site to site IPSec VPN.

http://www.youtube.com/watch?v=60N9T4tFMN0

SLA Object tracking should take care of the failover part.
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39667322
0
 

Author Comment

by:Daera
ID: 39668400
Thanks Infamus, any configs related to vti vpn?
0
 
LVL 12

Expert Comment

by:Infamus
ID: 39668631
0
 

Author Comment

by:Daera
ID: 39672170
Thanks for the link.  I've simulated a site2site ipsec vpn using static routes.

Now I'd like to try fail-over scenario using vti tunnels using a dynamic routing.

I've attached diagram fyi. My primary link is yellow and the secondary link is green. Green will only come alive when the link on 1.1.1.2 fails.
top2.PNG
0
 

Author Comment

by:Daera
ID: 39673409
Played around with the simulation and can vpn to US router just fine.

When both links are up, I can VPN. When only one of the links is up, I can VPN, so that is good.

What I want to do now is to be able to track the primary link so that when it goes down the backup link kicks in.

When the primary comes back it kicks in and backup is demoted.

Any directions on how to achieve this most appreciated.

Thanks

Configs of the setup are below.

----------AUS Router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 2.2.2.2
crypto isakmp key 6 cisco address 3.3.3.2
crypto isakmp keepalive 10
crypto isakmp profile 10
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY TUN TO SPOKE1"
 ip address 192.168.9.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "PRIMARY TUN TO SPOKE2"
 ip address 192.168.9.5 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 3.3.3.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel2
 description "BACKUP TUN TO SPOKE1"
 ip address 192.168.9.9 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

interface FastEthernet0/0
 description "PRIMARY LINK TO WAN"
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description "BACKUP LINK TO WAN"
 ip address 4.4.4.2 255.255.255.252
 duplex auto
 speed auto


router rip
 version 2
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.9.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 4.4.4.1



-------------- US router-----------

crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp key 6 cisco address 1.1.1.2
crypto isakmp key 6 cisco address 4.4.4.2
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TSET esp-3des esp-sha-hmac
!
crypto ipsec profile VTI
 set transform-set TSET

interface Tunnel0
 description "PRIMARY LINK"
 ip address 192.168.9.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 1.1.1.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
!
interface Tunnel1
 description "SECONDARY LINK"
 ip address 192.168.9.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 4.4.4.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI


router rip
 version 2
 network 10.0.0.0
 network 192.168.9.0
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 2.2.2.1
0
 
LVL 12

Assisted Solution

by:Infamus
Infamus earned 500 total points
ID: 39673752
On AUS router:

config t
ip sla 1
icmp-echo 4.2.2.1
timeout 5000
frequency 10
exit

ip sla schedule 1 start-time now life forever

track 1 rtr 1

ip route 0.0.0.0 0.0.0.0 1.1.1.1 track 1
ip route 0.0.0.0 0.0.0.0 4.4.4.1 10

exit

From US and CHN I only see one link on the router; is the diagram correct?
0
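The tunnel side of the failover, as an added example that is not from Infamus's answers or Daera's lab configs. It applies to the AUS hub addresses in Daera's post and assumes the tracked default routes from Infamus's answer are already in place. It covers the three things those configs leave open: proactive dead peer detection so a dead ISP1 path actually brings Tunnel0 down and lets RIP withdraw its routes; local policy routing so the hub's Tunnel2 packets, sourced from 4.4.4.2, leave via ISP2 even while the primary default route points at 1.1.1.1 (the usual way to source a tunnel from the non-default ISP on a single-VRF router; otherwise ISP1 may drop them as spoofed and the backup tunnel never comes up); and RIP offset-lists so the primary tunnel is preferred while both are up. The access-list and route-map names are my own.

```cisco
! Added example, not from the thread. Hub (AUS) addresses: ISP1 1.1.1.2 on
! FastEthernet0/0 (next hop 1.1.1.1), ISP2 4.4.4.2 on FastEthernet0/1
! (next hop 4.4.4.1); Tunnel0 is the primary and Tunnel2 the backup to SPOKE1.
!
! ---------- AUS (hub) ----------
!
! 1. Periodic DPD: probe the IKE peer every 10 s (3 s retry) even when idle,
!    so a dead path tears down the IPsec SAs and the VTI line protocol drops.
crypto isakmp keepalive 10 3 periodic
!
! 2. Packets the hub originates from its ISP2 address must leave via ISP2,
!    independent of which default route is active. Without this, Tunnel2
!    traffic sourced from 4.4.4.2 would exit towards 1.1.1.1 while the
!    primary is up.
ip access-list extended FROM-ISP2-ADDR
 permit ip host 4.4.4.2 any
!
route-map LOCAL-ISP2 permit 10
 match ip address FROM-ISP2-ADDR
 set ip next-hop 4.4.4.1
!
ip local policy route-map LOCAL-ISP2
!
! 3. RIP over both tunnels; add 5 hops to routes learned from or sent over
!    the backup tunnel so the primary wins while it is up. Access list 0 in
!    an offset-list means "all routes". The shorter timers (update 10 s,
!    invalid 30 s, holddown 30 s, flush 60 s) cut convergence from minutes
!    to tens of seconds and should be identical on the spokes.
router rip
 version 2
 no auto-summary
 network 192.168.0.0
 network 192.168.1.0
 network 192.168.2.0
 network 192.168.9.0
 offset-list 0 in 5 Tunnel2
 offset-list 0 out 5 Tunnel2
 timers basic 10 30 30 60
!
! ---------- US (spoke) ----------
!
! Same DPD and the same preference, applied to the spoke's backup Tunnel1.
crypto isakmp keepalive 10 3 periodic
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.9.0
 offset-list 0 in 5 Tunnel1
 offset-list 0 out 5 Tunnel1
 timers basic 10 30 30 60
```

After applying this, `show ip interface brief | include Tunnel` on the hub should show Tunnel0 and Tunnel2 both up/up, and `show ip route rip` on the spoke should list the hub's networks via Tunnel0 with the lower metric. Pulling the ISP1 link then gives a clean sequence to check: DPD fails, Tunnel0 goes down, the Tunnel2 routes become best, and `show route-map LOCAL-ISP2` counters keep climbing because the backup tunnel was already carrying keepalives. Recovery is automatic: when Tunnel0 comes back, its lower-metric routes replace the Tunnel2 ones.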
 

Author Comment

by:Daera
ID: 39680143
Yes, the diagram is correct, hence the need to use vti, so that I can have two tunnels (primary and sec) going from one WAN interface to AUS.

Thanks, I will try it.

On a side note:
Can a WAN interface configured for ipsec vpn with a crypto map be used as the tunnel source of a VTI interface?
0
