Solved

Cisco 3750 Two Sites WAN failover using point to point Links

Posted on 2014-03-28
Last Modified: 2014-04-04
Hello Experts,
as shown in the PDF diagram.
I have two office locations, Site A and Site B; both sites have internet leased lines.
Now I have a point to point line between both sites, a 100 Mbps link.

I would like to use the point to point link as below.

If the WAN at Site A goes down then all internet related traffic at Site A should go out via the point to point line and get to the internet world via SITE B's WAN.

Vice versa, if the WAN at SITE B goes down then all internet traffic from Site B should go out via the point to point line to the internet via SITE A's WAN.

Along with the above, all LAN local traffic between both sites should use the point to point line.

Now if the point to point line fails then all LAN local traffic between both sites can go via the IPSEC VPN tunnels configured at the Watchguard firewalls.

Both Cisco 3750 switches are with IP Base license.

Could you guys please suggest the best possible way of achieving the above, I mean the configurations needed at both Cisco switches.

Many Thanks.

Harry
SITE-A-SITE-B.pdf
Question by:H-Singh
 
Expert Comment by:TCP_179 (LVL 1)
You need to use a couple routers... if you want to save some money buy a couple Cisco 3725 routers with 256MB Ram and 64MB Flash with Advanced Enterprise Services 12.4T

Expert Comment by:TCP_179 (LVL 1)
What kind of point to point are we talking about, what type of WAN service?

Expert Comment by:TCP_179 (LVL 1)
Basically you will have a default route at each site pointing out to the internet, with another default route with a less preferable Administrative Distance (Numerically higher) pointing to the point-to-point link, and track the default routes with an IPSLA...

You would want to use an IPSec over GRE tunnel for WAN redundancy over the internet link... it's all accomplished easily (for me) but again you need those routers... I highly recommend the 3725 router with the specs I mentioned above.  It's all you need for a small business.

Expert Comment by:TCP_179 (LVL 1)
Then of course you will have your NAT configuration with a NAT exemption for traffic traveling over the tunnel or destined to any one of your LAN subnets.

Author Comment by:H-Singh (LVL 3)
The WAN at both ends are BT Fibre Leased Lines, 50 Mbps, connected to my Watchguard XTM firewalls.

Point to point is again plug and play with RJ45 at both ends.

Are you 100% sure that I need more hardware to achieve what I want? I was advised by the Cisco sales guys that the only hardware I need is the 3750 switches at both ends to do all the routing and failover of traffic.

Author Comment by:H-Singh (LVL 3)
IPSEC tunnels are already working via the Watchguard firewalls.

Expert Comment by:TCP_179 (LVL 1)
Okay good, why don't you post your Watchguard and 3750 configurations and I'll happily write the configurations for you.

Expert Comment by:TCP_179 (LVL 1)
Your hardware is fine, I didn't know the watchguard devices were firewalls and had IPsec tunnels configured... however do you know if the firewalls have GRE tunnels configured as well, or if the type of IPsec the watchguard firewalls are using support multicast?

Author Comment by:H-Singh (LVL 3)
This is the config on the Cisco 3750 at SITE B, which is my HQ main site.
The Cisco 3750 at SITE A is not installed yet as it's brand new on my desk, but I will be doing a similar config to the HQ Cisco, with fewer VLANs for local subnets for desktops/servers etc.

------------------------------------
no aaa new-model
clock timezone GMT 0 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
switch 1 provision ws-c3750x-24
system mtu routing 1500
ip routing
!
spanning-tree mode pvst
spanning-tree extend system-id
!
!
vlan internal allocation policy ascending
!

interface FastEthernet0
 no ip address
 no ip route-cache
 shutdown
!
interface GigabitEthernet1/0/1
 switchport access vlan 12
 switchport mode access
!
interface GigabitEthernet1/0/2
 switchport access vlan 13
 switchport mode access
!
interface GigabitEthernet1/0/3
 switchport access vlan 13
 switchport mode access
!
interface GigabitEthernet1/0/4
 switchport access vlan 14
 switchport mode access
!
interface GigabitEthernet1/0/5
 switchport access vlan 15
 switchport mode access
!
interface GigabitEthernet1/0/6
!
interface GigabitEthernet1/0/7
!
interface GigabitEthernet1/0/8
!
interface GigabitEthernet1/0/9
!
interface GigabitEthernet1/0/10
!
interface GigabitEthernet1/0/11
!
interface GigabitEthernet1/0/12
!
interface GigabitEthernet1/0/13
!
interface GigabitEthernet1/0/14
!
interface GigabitEthernet1/0/15
!
interface GigabitEthernet1/0/16
!
interface GigabitEthernet1/0/17
!
interface GigabitEthernet1/0/18
!
interface GigabitEthernet1/0/19
!
interface GigabitEthernet1/0/20
!
interface GigabitEthernet1/0/21
!
interface GigabitEthernet1/0/22
!
interface GigabitEthernet1/0/23
!
interface GigabitEthernet1/0/24
 switchport access vlan 999
 switchport mode access
!
interface GigabitEthernet1/1/1
!
interface GigabitEthernet1/1/2
!
interface GigabitEthernet1/1/3
!
interface GigabitEthernet1/1/4
!
interface TenGigabitEthernet1/1/1
!
interface TenGigabitEthernet1/1/2
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan12
 ip address 172.16.12.1 255.255.255.0
 ip helper-address 172.16.12.12
!
interface Vlan13
 ip address 172.16.13.1 255.255.255.0
 ip helper-address 172.16.12.12
!
interface Vlan14
 ip address 172.16.14.1 255.255.255.0
 ip helper-address 172.16.12.12
!
interface Vlan15
 ip address 172.16.15.1 255.255.255.0
 ip helper-address 172.16.12.12
!
interface Vlan999
 ip address 172.16.10.1 255.255.255.0
!
ip http server
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 172.16.10.10
!
!
!
!
line con 0
 login local
line vty 0 4
 login local
 transport input all
 transport output all
line vty 5 15
 login
!
end

Author Comment by:H-Singh (LVL 3)
Yes, Watchguards support multicast over VPN tunnels. I need to check about GRE.
So far all traffic between the two sites has been using the VPN tunnels on the Watchguards, as we just got the new point to point line this week.

To match the above config: the Watchguard at SITE B's IP toward the LAN is 172.16.10.10,
which is the target of the default route on the Cisco switch for outgoing traffic.

So at SITE A it will be a similar config.

Thanks

Expert Comment by:TCP_179 (LVL 1)
okay pretty simple config... so it looks like your firewalls are doing all the NAT and VPN stuff...  

And you mentioned that the firewalls also have the leased lines set up on them as well, so I will need to see the Watchguard firewall config, and everything needs to be configured on them, not on the 3750 switches.

The 3750s have all the configuration they need.

Author Comment by:H-Singh (LVL 3)
Sorry if I am confusing you, but the Watchguard will only need to deal with the WAN connection setup and then the site to site VPN using the WAN internet, NOT the point to point line.
The Watchguards are overloaded with many more traffic filtering rules, so we use the Cisco 3750s to do all internal routing for local subnets.

And I want to plug the point to point line at both ends into the Cisco switches, so they can use both sites as local subnets, and only if the point to point line fails then they can send traffic to the Watchguard for the other side's subnets and the Watchguard can forward that via the internet VPN tunnels.

Expert Comment by:TCP_179 (LVL 1)
Okay, so let me confirm your current setup with you :)

Firewalls are performing NAT, VPN tunneling over internet, and internet connection...

Leased line will connect directly to the 3750 switches and will handle all the routing, correct?

Author Comment by:H-Singh (LVL 3)
Firewalls are performing NAT, VPN tunneling over the internet, and the internet connection using the WAN leased lines, which are 50 Mbps on both sites in the image.

The point to point line will need to go to the Cisco switches; it's a 100 Mbps line between the sites in the image.

Expert Comment by:TCP_179 (LVL 1)
The firewall leased lines are internet leased lines though right, it's only WAN due to the fact you are using an IPSec tunnel over the internet.

The true WAN links are that of the point-to-point line that you recently purchased, and will be connecting them to the 3750s, right?

Author Comment by:H-Singh (LVL 3)
Yes, the firewall leased lines are internet lines. We have loads of traffic out from both sites to the internet, like SIP calls and an online CMS system.

Yes, the point to point line will connect to the 3750s so we can link both sites together for local traffic and internet failover.

Expert Comment by:TCP_179 (LVL 1)
Cool - be back with your config...

Author Comment by:H-Singh (LVL 3)
Thanks, take your time. I am calling it a night now and will check tomorrow. Thx again.

Regards
Harry

Accepted Solution by:TCP_179 (LVL 1), earned 500 total points
You will need to fill in the next-hop IP addresses and subnets, shown below as placeholder names (next_hop_ip_P2P, next_hop_ip_of_firewall, LAN_SubnetN and Mask).

ip sla 1
 icmp-echo 4.2.2.2
 frequency 10
 threshold 5000
 exit
ip sla schedule 1 start-time now life forever
track 1 ip sla 1 reachability
 delay down 30 up 30
 exit

ip sla 2
 icmp-echo next_hop_ip_P2P
 frequency 10
 threshold 5000
 exit
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 30 up 30
 exit

ip route 0.0.0.0 0.0.0.0 next_hop_ip_P2P 10
ip route 0.0.0.0 0.0.0.0 next_hop_ip_of_firewall track 1

ip route LAN_Subnet1 Mask next_hop_ip_P2P track 2
ip route LAN_Subnet2 Mask next_hop_ip_P2P track 2
ip route LAN_Subnet3 Mask next_hop_ip_P2P track 2
ip route LAN_Subnet4 Mask next_hop_ip_P2P track 2
ip route LAN_Subnet1 Mask next_hop_ip_of_firewall 10
ip route LAN_Subnet2 Mask next_hop_ip_of_firewall 10
ip route LAN_Subnet3 Mask next_hop_ip_of_firewall 10
ip route LAN_Subnet4 Mask next_hop_ip_of_firewall 10
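The accepted solution above leaves the next hops and subnets as placeholders. As an added example (not the expert's or the poster's own config), here is the same design written out for the new Site A 3750, with the placeholders filled in. The Site B LAN subnets (172.16.12.0/24 to 172.16.15.0/24) are taken from the HQ config posted earlier in the thread; everything else is an assumption for illustration: the point to point line lands on routed port Gi1/0/23 as 192.168.100.0/30 (Site A .1, Site B .2; both ends of a directly connected link must share one subnet), and the Site A Watchguard sits at 172.16.20.10 on a Vlan999 transit subnet 172.16.20.0/24. The example also adds one thing the thread's config does not have: a /32 host route that pins the probe target to the local firewall, so the probe cannot escape over the point to point line once the tracked default route has been withdrawn and fool the track back into the up state.

```cisco
! Added example, not the original config from the thread: Site A 3750 (IP Base).
! Site B subnets 172.16.12-15.0/24 come from the thread; the P2P addresses
! (192.168.100.0/30) and the Site A firewall (172.16.20.10) are ASSUMED.
ip routing
!
! The point to point line goes straight into a routed port, no VLAN needed
interface GigabitEthernet1/0/23
 description P2P line to Site B 3750
 no switchport
 ip address 192.168.100.1 255.255.255.252
!
interface Vlan999
 description Transit to Site A Watchguard (assumed addressing)
 ip address 172.16.20.1 255.255.255.0
!
! Pin the internet probe target to the local firewall. Without this host
! route, as soon as the tracked default is removed the probe itself would
! follow the AD 10 default over the P2P line, succeed via Site B's WAN,
! bring track 1 back up, and the default route would flap every 30-60 s.
ip route 4.2.2.2 255.255.255.255 172.16.20.10
!
! Probe 1: internet reachability through the local firewall (every 10 s)
ip sla 1
 icmp-echo 4.2.2.2 source-interface Vlan999
 frequency 10
 threshold 5000
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 30
!
! Probe 2: the far end of the point to point line
ip sla 2
 icmp-echo 192.168.100.2 source-interface GigabitEthernet1/0/23
 frequency 10
 threshold 5000
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
 delay down 30 up 30
!
! Internet: local firewall (AD 1) while track 1 is up, otherwise Site B
! over the P2P line (floating static, AD 10)
ip route 0.0.0.0 0.0.0.0 172.16.20.10 track 1
ip route 0.0.0.0 0.0.0.0 192.168.100.2 10
!
! Site B LAN subnets: P2P line (AD 1) while track 2 is up, otherwise the
! Watchguard, which carries them inside its IPsec tunnel (AD 10)
ip route 172.16.12.0 255.255.255.0 192.168.100.2 track 2
ip route 172.16.13.0 255.255.255.0 192.168.100.2 track 2
ip route 172.16.14.0 255.255.255.0 192.168.100.2 track 2
ip route 172.16.15.0 255.255.255.0 192.168.100.2 track 2
ip route 172.16.12.0 255.255.255.0 172.16.20.10 10
ip route 172.16.13.0 255.255.255.0 172.16.20.10 10
ip route 172.16.14.0 255.255.255.0 172.16.20.10 10
ip route 172.16.15.0 255.255.255.0 172.16.20.10 10
```

Site B gets the mirror image (its own subnets replaced by Site A's, next hops 192.168.100.1 and 172.16.10.10). Verify with `show track`, `show ip sla statistics` and `show ip route` after pulling the firewall's WAN cable in the lab: track 1 should go down about 30 s after the first lost probe and the default route should move to 192.168.100.2. Two things the switches cannot fix on their own: the remote Watchguard must be willing to NAT and route the other site's subnets (including a route back toward its 3750 for those subnets), and if both sites lose their internet at once the two AD 10 defaults point at each other, so internet-bound packets will loop across the P2P line until their TTL expires.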
 
LVL 1

Expert Comment

by:TCP_179
Comment Utility
The only config I didn't include is the config for setting up your P2P interfaces... simply configure them with the ip address and mask for the P2P line.

Author Comment by:H-Singh (LVL 3)
Thanks, seems like a plan. Yeah, I will do a separate VLAN for P2P and put the interface in access mode for these VLANs on both switches like any other VLANs.

192.168.101.10 for SITE A end
192.168.102.10 for SITE B end

I will be trying this Monday. Thanks

Expert Comment by:TCP_179 (LVL 1)
You don't have to put them in a separate VLAN, just configure the physical interfaces as routed interfaces:

int interface
no switchport
ip address ip_address mask

Author Comment by:H-Singh (LVL 3)
I have set up a test lab with ADSL at one end and a leased line at the other end; even though I don't have a 3750 at the other end, I am testing from one end and failover works all fine.

Many thanks.

I will be doing the configs in the production environment later this week and confirm the results.

Regards

Harry

Author Comment by:H-Singh (LVL 3)
Hi,
everything works fine using your config. Many thanks.

On another note, how reliable is 4.2.2.2, or is it best to use 8.8.8.8?

Or can we delay the switchover by trying two different IPs, as one can go down for any reason? So instead of switching over, can we try another ping as well?

track 1 ip sla 1 reachability
 delay down 30 up 30
ip sla 1
 icmp-echo 4.2.2.2
 frequency 10

Are we waiting 30 seconds before switchover, and pinging every 10 ms, or did I get it wrong? I just want to be more confident before placing this in the live network as we are using SIP telephony, and switching over randomly without a real failover can cause us much trouble by dropping calls etc.

Thanks
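The question above about timing and about using two targets was not answered in the thread, so here is an added example (not from the expert or the poster) covering both. On the timing: `frequency 10` is in seconds, so the probe runs every 10 s, and `delay down 30` means the track (and with it the default route) changes 30 s after a probe first reports the target unreachable; a probe that succeeds inside that window cancels the pending change, so a single lost ping never moves traffic and a real outage moves it after roughly 30 to 40 s. On using two targets: neither 4.2.2.2 nor 8.8.8.8 is under your control, so the safer design is to make the track depend on both and fail over only when both are unreachable. This uses an IOS tracked list (`track ... list boolean or`), which is assumed here to be available in the 3750's IOS release; it reuses the assumed Site A firewall next hop 172.16.20.10 and pins both targets to the firewall for the same flapping reason as before. `ip sla 3` is used so that `ip sla 2` stays free for the point to point probe.

```cisco
! Added example, not from the thread: default route tracked by two
! independent internet targets instead of one. ASSUMES the IOS release on
! the 3750 supports tracked lists and a Site A firewall at 172.16.20.10.
!
! Pin both probe targets to the local firewall so the probes cannot leak
! over the P2P line after the primary default route has been withdrawn
ip route 4.2.2.2 255.255.255.255 172.16.20.10
ip route 8.8.8.8 255.255.255.255 172.16.20.10
!
! Two probes, every 10 s, 5 s timeout each
ip sla 1
 icmp-echo 4.2.2.2
 frequency 10
 threshold 5000
ip sla schedule 1 life forever start-time now
ip sla 3
 icmp-echo 8.8.8.8
 frequency 10
 threshold 5000
ip sla schedule 3 life forever start-time now
!
! One track per probe, no delay here; the damping is done once, on the list
track 1 ip sla 1 reachability
track 3 ip sla 3 reachability
!
! Boolean OR: the list is UP while at least one target still answers and
! goes DOWN only when both have failed. The 30 s delay in each direction
! means a single dropped probe, or one target being blocked, never moves
! the SIP traffic; a real WAN outage moves it about 30-40 s after it starts.
track 10 list boolean or
 object 1
 object 3
 delay down 30 up 30
!
! Default route now follows the list rather than a single probe
no ip route 0.0.0.0 0.0.0.0 172.16.20.10 track 1
ip route 0.0.0.0 0.0.0.0 172.16.20.10 track 10
```

`show track 10` shows the list state and each member's state, and `show ip sla statistics` shows the per-probe return codes, which is the first place to look when a failover happens that you did not expect. If you want the failover to be slower still for the sake of SIP calls, raise `delay down`, not `frequency`: a longer probe interval only makes detection coarser, while a longer down delay gives more probes a chance to succeed before the route moves.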
 
LVL 3

Author Closing Comment

by:H-Singh
Comment Utility
Many Thanks,
this worked very well for me. My next step is to get email alerts upon line failures.