Path selection between VPN and eigrp routing

Hi Expert
I ran into a situation. To simplify it, I have reproduced it in the following diagram.

There is a VPN tunnel between Pix1 and Pix3. R4 has two paths to reach R5: one is the VPN and the other is through R6. The result is that the traffic goes through R6 (R5, R6 and R4 are configured with EIGRP) and the VPN is just a backup.

The question is how to configure the balance so that the traffic goes through the VPN and R6 is used as backup. As we know, AD, metric, cost, etc. decide the path selection. In this situation, what factors affect the path selection? Thank you.
EESky Asked:

JustInCase Commented:
You can create unequal-cost load balancing by changing the variance with the command:
r1(config)#router eigrp x
r1(config-router)#variance y

But in order for EIGRP to use the VPN link for load balancing, that route must be in the topology table.

To enter the topology table (and not the routing table) as a feasible successor, a route must satisfy a few rules:
1. The feasible successor route must have a cost bigger than the successor route's cost.
2. The advertised distance of the feasible successor route must be less than the feasible distance cost of the successor route.

Cost calculation formula

By manipulating bandwidth and delay you can set the route cost (advertised and feasible distance) to the desired value to enter the EIGRP topology table.

Simplified view of how a route enters the topology table
R1#show ip eigrp topology

P 10.0.0.0/8, 1 successors, FD is 2707456
        via 33.168.30.2 (2707456/2195456), Eth1/0
        via 192.168.1.2 (3507456/2495456), Eth1/1

cost of green route (2707456) < cost of yellow route (3507456)
cost of blue route (2495456) < cost of green route (2707456)

If cost of green route = cost of yellow route, both routes go into the routing table and equal-cost load balancing starts automatically.

To determine the variance value, the formula is
FD of feasible successor / FD of successor = y (ceiling rounding)
In this example:
2907456/2707456 = 1.295, so variance 2 (rounded up) would do the trick for unequal load balancing.

But, as far as I know, firewalls don't appreciate things like this (but that was not your question). :)

PS
Whichever route the data needs to take, whether for load balancing or as a primary/backup route, the basic principle is the same.
0
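The feasibility check and variance calculation described in the answer above, as an added example that is not part of the original thread: it parses the topology-table entry quoted in the post and reports which paths qualify as feasible successors and what variance each needs. The function names are assumptions made for illustration.

```python
import re

# Topology-table entry from the post above (spacing normalised).
SAMPLE = """\
P 10.0.0.0/8, 1 successors, FD is 2707456
        via 33.168.30.2 (2707456/2195456), Eth1/0
        via 192.168.1.2 (3507456/2495456), Eth1/1
"""

VIA = re.compile(r"via\s*(\S+)\s*\((\d+)/(\d+)\),\s*(\S+)")


def parse_entry(text):
    """Return (fd, paths) for one prefix of 'show ip eigrp topology' output."""
    fd = int(re.search(r"FD is (\d+)", text).group(1))
    paths = [
        {"next_hop": m[1], "distance": int(m[2]), "reported": int(m[3]), "iface": m[4]}
        for m in VIA.finditer(text)
    ]
    return fd, paths


def classify(fd, paths):
    """Split paths into successors and feasible successors."""
    successors = [p for p in paths if p["distance"] == fd]
    # Feasibility condition: the neighbour's reported (advertised) distance
    # must be lower than our feasible distance, otherwise the path is not
    # guaranteed loop-free and variance can never select it.
    feasible = [p for p in paths if p["distance"] > fd and p["reported"] < fd]
    return successors, feasible


def min_variance(fd, path):
    """Ceiling of path distance / FD, the rounding rule given in the post."""
    return -(-path["distance"] // fd)


def plan(text):
    """Map each feasible successor's next hop to the variance it needs."""
    fd, paths = parse_entry(text)
    _, feasible = classify(fd, paths)
    return {p["next_hop"]: min_variance(fd, p) for p in feasible}


if __name__ == "__main__":
    print(plan(SAMPLE))
```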
EESky Author Commented:
Thank you for your reply, but I do not think so. The problem is that this VPN does not allow EIGRP to go through.
0
JustInCase Commented:
I don't know your exact configuration, and I wrote the answer based on the question as it was written (at least how I understood it). VPN tunnels are capable of supporting EIGRP by encapsulating IP packets within encapsulated GRE packets. I thought that's how your VPN tunnel was created. This pointed me in that direction:
"The question is how to configure the balance"
:)

For EIGRP to work over the VPN, create a GRE tunnel on both sides, encapsulate the data in GRE packets, and then send the GRE packets, encapsulated in IP packets, into the VPN. A GRE tunnel is capable of encapsulating L3 protocols.

You can set static routes (AD 1, which beats the AD of EIGRP) to forward traffic in the needed direction. Also, if you configure EIGRP over the tunnel and set summary routes (AD 5) for the tunnel routes, that will beat the AD of the non-summarized routes over R4-R5-R6. If you go with static routes, create them with a tracking object, so the router can forward traffic through the backup route if the primary route becomes unavailable.

I hope this is what you need, since I still have no clear idea what your needs are.
0
EESky Author Commented:
Sorry, I think I did not express it clearly and in detail.
R5 has a default route toward Pix1 and R4 has a default route toward Pix3. Pix1 and Pix3 have an L2L tunnel. In the topology, the traffic goes through R5-R6-R4 and the VPN is used as backup. It looks like the AD of EIGRP does not take effect in path selection.
0
JustInCase Commented:
AD takes part in route selection, but there's a rule that applies before AD: the more specific route (prefix length). If there is a more specific route, it is always used. The default route is used only when there's no more specific route to the destination (the gateway of last resort is always the least specific route).
When there are two paths of the same specificity, then AD comes into play.

Let's say you need to forward traffic to 192.168.0.0/24 through the PIX; a static route will do the trick:
ip route 192.168.0.0 255.255.255.0 x.x.x.x (IP address of the tunnel on the other side of the tunnel)
But if you set another route:
ip route 192.168.0.2 255.255.255.255 y.y.y.y (R6 IP address of e1/0)
all traffic to 192.168.0.0/24 will be forwarded through the PIX except traffic to 192.168.0.2, because that is the more specific route.

Route Selection in Cisco Routers
0
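The selection order described in the answer above (prefix length first, AD only between routes to the same prefix), as an added example that is not part of the original thread. It models R4's routing table before and after the suggested static routes; the assumption that 192.168.0.0/24 is the network behind R5, the next-hop labels and the EIGRP metric are constructed for illustration.

```python
import ipaddress

STATIC, EIGRP = 1, 90  # administrative distances


def build_rib(candidates):
    """Per prefix, install only the candidate with the lowest (AD, metric)."""
    rib = {}
    for prefix, ad, metric, via in candidates:
        net = ipaddress.ip_network(prefix)
        best = rib.get(net)
        if best is None or (ad, metric) < best[:2]:
            rib[net] = (ad, metric, via)
    return rib


def lookup(rib, dst):
    """Forwarding decision: the longest matching prefix wins, whatever its AD."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)][2]


# Constructed candidates for R4: (prefix, AD, metric, next hop).
# The situation in the question: a static default route toward the PIX and
# a more specific route learned through EIGRP from R6.
BEFORE = [
    ("0.0.0.0/0", STATIC, 0, "Pix3 (VPN)"),
    ("192.168.0.0/24", EIGRP, 2707456, "R6"),
]
# A static /24 toward the tunnel ties on prefix length, so AD 1 beats AD 90.
AFTER = BEFORE + [("192.168.0.0/24", STATIC, 0, "Pix3 (VPN)")]
# A /32 host route via R6 is more specific than the /24 and wins for that host.
HOST_EXCEPTION = AFTER + [("192.168.0.2/32", STATIC, 0, "R6")]

if __name__ == "__main__":
    for name, routes in (("before", BEFORE), ("after", AFTER), ("host", HOST_EXCEPTION)):
        rib = build_rib(routes)
        print(name, lookup(rib, "192.168.0.2"), lookup(rib, "192.168.0.10"))
```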
EESky Author Commented:
Thank you! You are right.
0