Solved

Path selection between VPN and eigrp routing

Posted on 2014-11-02
Last Modified: 2014-11-08
Hi Expert,
I have run into a situation. To simplify it, I have reproduced it in the following diagram:

aaa
There is a VPN tunnel between Pix1 and Pix3. R4 has two paths to reach R5: one is the VPN and the other is through R6. The result is that the traffic goes through R6 (R5, R6 and R4 are configured with EIGRP) and the VPN is just a backup.

The question is how to configure the balance so that the traffic goes through the VPN and R6 is used as backup. As we know, AD, metric, cost, etc. decide the path selection. In this situation, which factors affect the path selection? Thank you.
0
Question by:EESky
 
LVL 31

Expert Comment

by:Predrag
ID: 40418958
You can create unequal-cost load balancing by changing the variance with the command:
r1(config)#router eigrp x
r1(config-router)#variance y

But in order for EIGRP to use the VPN link for load balancing, that route must be in the topology table.

To enter the topology table (and not the routing table) as a feasible successor, a route must satisfy a few rules:
1. The feasible successor route must have a cost bigger than the successor route's cost.
2. The advertised distance of the feasible successor route must be less than the feasible distance of the successor route.

Cost calculation formula
By manipulating bandwidth and delay you can set the route's advertised distance and feasible distance to the desired values so that it enters the EIGRP topology table.

How a route enters the topology table (simplified)
R1#show ip eigrp topology

P 10.0.0.0/8, 1 successors, FD is 2707456
        via 33.168.30.2 (2707456/2195456), Eth1/0
        via 192.168.1.2 (3507456/2495456), Eth1/1

cost of green route (2707456) < cost of yellow route (3507456)
cost of blue route (2495456) < cost of green route (2707456)

If the cost of the green route = the cost of the yellow route, both routes go into the routing table and equal-cost load balancing starts automatically.

To determine the variance value, the formula is:
FD of feasible successor / FD of successor = y (ceiling rounding)
In this example:
2907456/2707456 = 1.295, so a variance of 2 (rounded up) would do the trick for unequal load balancing.

But, as far as I know, firewalls don't appreciate things like this (but that was not your question). :)

PS
Whichever route the data needs to travel, whether for load balancing or as a primary/backup route, the basic principle is the same.
0
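The feasibility check and variance formula from the answer above, applied to the topology entry it quotes. This is an added example, not part of the original post; the function names are hypothetical, and the variance is computed from the metrics shown in the `show ip eigrp topology` output using the answer's ceiling formula.

```python
import math
import re

# Constructed sample: the topology entry quoted in the answer above.
TOPOLOGY = """\
P 10.0.0.0/8, 1 successors, FD is 2707456
        via 33.168.30.2 (2707456/2195456), Eth1/0
        via 192.168.1.2 (3507456/2495456), Eth1/1
"""

PREFIX_RE = re.compile(r"^P\s*(\S+),\s+\d+ successors, FD is (\d+)")
VIA_RE = re.compile(r"^\s+via\s*(\S+)\s+\((\d+)/(\d+)\),\s+(\S+)")


def parse_topology(text):
    """Return {prefix: {"fd": int, "paths": [path dicts]}}."""
    table, current = {}, None
    for line in text.splitlines():
        m = PREFIX_RE.match(line)
        if m:
            current = table.setdefault(m.group(1), {"fd": int(m.group(2)), "paths": []})
            continue
        m = VIA_RE.match(line)
        if m and current is not None:
            current["paths"].append({
                "next_hop": m.group(1),
                "metric": int(m.group(2)),    # total distance through this neighbor
                "reported": int(m.group(3)),  # distance the neighbor advertises
                "interface": m.group(4),
            })
    return table


def variance_plan(entry):
    """Classify each path and give the variance needed to install it."""
    fd = entry["fd"]
    plan = []
    for p in entry["paths"]:
        if p["metric"] <= fd:
            role, variance = "successor", 1
        elif p["reported"] < fd:  # feasibility condition: reported distance < FD
            role, variance = "feasible successor", math.ceil(p["metric"] / fd)
        else:
            role, variance = "not feasible", None  # no variance value installs it
        plan.append((p["next_hop"], role, variance))
    return plan
```

A path that fails the feasibility condition is reported with no variance, because raising the variance only affects routes that are already feasible successors.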
 

Author Comment

by:EESky
ID: 40420817
Thank you for your reply, but I do not think so. The problem is that this VPN does not allow EIGRP to go through.
0
 
LVL 31

Expert Comment

by:Predrag
ID: 40420947
I don't know your exact configuration, and I answered the question as it was written (at least as I understood it). VPN tunnels are capable of supporting EIGRP by encapsulating IP packets within encapsulated GRE packets. I thought that's how your VPN tunnel was created. This pointed me in that direction:
"The question is how to configure the balance"
:)

For EIGRP to work over the VPN, create a GRE tunnel on both sides, encapsulate the data in GRE packets, and then send the GRE packets, encapsulated in IP packets, into the VPN. A GRE tunnel is capable of encapsulating L3 protocols.

You can set static routes (AD 1, which beats the AD of EIGRP) to forward traffic in the needed direction. Also, if you configure EIGRP over the tunnel and set summary routes (AD 5) for the tunnel routes, that will beat the AD of the non-summarized routes over R4-R5-R6. If you go with static routes, create static routes with a tracking object, so the router can forward traffic through the backup route if the primary route becomes unavailable.

I hope this is what you need, since I still have no clear idea what your needs are.
0

 

Author Comment

by:EESky
ID: 40423252
Sorry, I think I did not express it clearly and in detail.
R5 has a default route toward Pix1 and R4 has a default route toward Pix3. Pix1 and Pix3 have an L2L tunnel. In the topology, the traffic goes through R5-R6-R4 and the VPN is used as backup. It looks like the AD of EIGRP does not take effect in path selection.
0
 
LVL 31

Accepted Solution

by:
Predrag earned 2000 total points
ID: 40423325
AD takes part in route selection, but there's a rule that applies before AD: the more specific route (prefix length). If there is a more specific route, it is always used. The default route is used only when there's no more specific route to the destination (the gateway of last resort is always the least specific route).
When there are two paths of the same specificity, then AD comes into play.

Let's say you need to forward traffic to 192.168.0.0/24 through the PIX; a static route will do the trick:
ip route 192.168.0.0 255.255.255.0 x.x.x.x (IP address of the tunnel on the other side of the tunnel)
But if you set another route:
ip route 192.168.0.2 255.255.255.255 y.y.y.y (R6 IP address of e1/0)
all traffic to 192.168.0.0/24 will be forwarded through the PIX except traffic to 192.168.0.2, because it is a more specific route.

Route Selection in Cisco Routers
0
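The selection order described in the accepted solution, as a small model: AD only decides between candidates for the same prefix, and forwarding then uses the longest matching prefix. This is an added example, not part of the original post; the next-hop labels, metrics, and the use of 192.168.0.0/24 as the EIGRP-learned prefix are assumptions for illustration.

```python
import ipaddress

# Default Cisco IOS administrative distances for the sources used here.
AD = {"static": 1, "eigrp": 90}


def build_rib(candidates):
    """Per prefix, install the candidate with the lowest (AD, metric)."""
    rib = {}
    for prefix, source, metric, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        key = (AD[source], metric)
        if net not in rib or key < rib[net][0]:
            rib[net] = (key, source, next_hop)
    return rib


def lookup(rib, destination):
    """Forward on the longest matching prefix; AD is not consulted here."""
    addr = ipaddress.ip_address(destination)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    best = max(matches, key=lambda net: net.prefixlen)
    _, source, next_hop = rib[best]
    return str(best), source, next_hop


# Constructed routes modelled on the thread; labels and metrics are placeholders.
AS_REPORTED = [
    ("0.0.0.0/0", "static", 0, "Pix"),           # default route toward the firewall
    ("192.168.0.0/24", "eigrp", 2707456, "R6"),  # learned from the EIGRP neighbor
]
# Adding a static route for the same /24: now AD breaks the tie (1 beats 90).
WITH_STATIC = AS_REPORTED + [("192.168.0.0/24", "static", 0, "Pix")]
# Adding a /32 toward R6: the host route wins on prefix length alone.
WITH_HOST_ROUTE = WITH_STATIC + [("192.168.0.2/32", "static", 0, "R6")]


def next_hop(candidates, destination):
    """Next hop chosen for destination given a list of candidate routes."""
    return lookup(build_rib(candidates), destination)[2]
```

With `AS_REPORTED`, traffic to 192.168.0.10 leaves via R6 even though the static default has the lower AD, which matches the behaviour the question describes.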
 

Author Comment

by:EESky
ID: 40430436
Thank you! You are right
0


Question has a verified solution.
