simple routing over backup connection

See the attached picture for details. I have a main office and DR office, both have a connection to my datacenter via a VPN device. I have a static route on my main router that points datacenter traffic to my firewall.

In order to test my backup connection I pull the plug on the main VPN device and add a static route on the backup router. This works well.

Is there any way to set this up so there is some type of automatic failover? Would floating static routes work? If I pull the plug on the main VPN device would my main router see that connection as down and use another static route? My understanding is that the floating route will be used if the interface itself is down. Any help would be appreciated, thanks.
[attached image: RouterVPN.png]

Asked by cb_it

ffleisma (Senior Network Engineer) commented:
!(at MAIN)
! Primary route: the datacenter subnet 192.168.10.0/24 (the server
! 192.168.10.100 lives in it) via the firewall/VPN. Static routes get AD 1.
! The destination must be the subnet address; a host address with a /24
! mask is rejected by IOS as an inconsistent address and mask.
ip route 192.168.10.0 255.255.255.0 10.100.156.3
! Floating static route: AD 10, only installed while the AD 1 route is absent.
ip route 192.168.10.0 255.255.255.0 DR-WAN-IP 10

!(at DR)
ip route 192.168.10.0 255.255.255.0 10.100.155.3
ip route 192.168.10.0 255.255.255.0 MAIN-WAN-IP 10

Notice the floating static route: it is added with AD 10, so the router will not use it unless the primary route is gone.
Users in MAIN will use the MAIN VPN, while DR users will use the DR VPN.
The primary route is removed from the routing table when its next hop is gone, which happens when the interface between the router and the FW is down.
Unfortunately, the primary route is still available even if the Internet is gone beyond the firewall, because the router-to-FW connection is still up. A better solution is a floating static route with IP SLA, shown below.
!(at MAIN)
! Primary route is only installed while track 1 is up.
ip route 192.168.10.0 255.255.255.0 10.100.156.3 track 1
ip route 192.168.10.0 255.255.255.0 DR-WAN-IP 10
!
! ICMP probe to the far end. timeout is in milliseconds, frequency in seconds.
! The echo is forwarded by this router's own routing table like any other
! packet, so the target must be one that is reached only over the path being tested.
ip sla 1
 icmp-echo DATACENTER-INTERNET-IP
 timeout 100
 frequency 1
!
ip sla schedule 1 start-time now life forever
!
! Track object referenced by the primary route; without it "track 1" has
! nothing to evaluate (IOS 12.4(20)T and later; older releases use
! "track 1 rtr 1 reachability").
track 1 ip sla 1 reachability
! Optional dampening under the track object so one lost echo does not flip
! the route:  delay down 5 up 10  (seconds)

!(at DR)
ip route 192.168.10.0 255.255.255.0 10.100.155.3 track 1
ip route 192.168.10.0 255.255.255.0 MAIN-WAN-IP 10
!
ip sla 1
 icmp-echo DATACENTER-INTERNET-IP
 timeout 100
 frequency 1
!
ip sla schedule 1 start-time now life forever
!
! Same track object as at MAIN.
track 1 ip sla 1 reachability

The icmp-echo line: IP SLA tests the far-end IP, to ensure the primary route is only used when it is certain the far end is reachable.
The icmp-echo target can also be the far-end server IP, 192.168.10.100.

Hope this helps; let me know if you have further questions, I'd be glad to help out.
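The mechanism in the answer above (longest prefix wins, then lowest administrative distance, and a tracked route is withdrawn while its IP SLA track is down) as a small Python model. This is an added example, not code from the thread or from Cisco. It assumes a default route via the firewall at MAIN, which the thread does not show, and uses documentation-range placeholder addresses for DR-WAN-IP and DATACENTER-INTERNET-IP. The probe is modelled the way the router actually forwards it, through the same routing table as user traffic, which is what makes the probe target matter: probing an address that only the floating route can reach (the server-IP alternative mentioned above) makes the track flap as soon as the backup route is installed, while probing the far-end Internet address, reached only through the firewall, stays stable.

```python
"""
Model of a floating static route guarded by an IP SLA track, as on the
MAIN router in the thread.  Added example; not Cisco code.  Three rules
are modelled: longest prefix wins, then lowest administrative distance
(AD), and a tracked route is withdrawn while its track is down.  The SLA
echo is routed by the same table as user traffic.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Next hops.  The firewall address is from the thread; the two public
# addresses are documentation-range placeholders (assumed) standing in
# for DR-WAN-IP and DATACENTER-INTERNET-IP.
FW_NEXT_HOP = "10.100.156.3"
DR_WAN_IP = "198.51.100.20"
DATACENTER_INTERNET_IP = "203.0.113.10"
SERVER_IP = "192.168.10.100"
TRACK_ID = 1


@dataclass(frozen=True)
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: str
    ad: int = 1                  # static routes default to AD 1
    track: Optional[int] = None  # track object guarding the route, if any


def main_router_routes():
    """MAIN's static routes.  The default route via the firewall is an
    assumption (the thread does not show it); the other two are the
    primary (AD 1, tracked) and floating (AD 10) routes from the answer."""
    return [
        StaticRoute(ipaddress.ip_network("0.0.0.0/0"), FW_NEXT_HOP),
        StaticRoute(ipaddress.ip_network("192.168.10.0/24"), FW_NEXT_HOP,
                    ad=1, track=TRACK_ID),
        StaticRoute(ipaddress.ip_network("192.168.10.0/24"), DR_WAN_IP, ad=10),
    ]


class Rib:
    """Minimal routing table: routes plus the up/down state of each track."""

    def __init__(self, routes):
        self.routes = list(routes)
        self.track_up = {TRACK_ID: True}

    def lookup(self, dst):
        """Next hop for dst, or None if no usable route matches."""
        dst = ipaddress.ip_address(dst)
        usable = [r for r in self.routes
                  if dst in r.prefix
                  and (r.track is None or self.track_up[r.track])]
        if not usable:
            return None
        # Longest prefix first, then the lowest AD among equal prefixes.
        best = max(usable, key=lambda r: (r.prefix.prefixlen, -r.ad))
        return best.next_hop


def sla_probe(rib, target, datacenter_reachable_via):
    """One icmp-echo cycle.  The echo follows the RIB like any packet;
    the track takes the result (reachability tracking)."""
    nh = rib.lookup(target)
    ok = nh is not None and datacenter_reachable_via.get(nh, False)
    rib.track_up[TRACK_ID] = ok
    return ok


def simulate(probe_target, primary_up_timeline, backup_up=True):
    """Step through a timeline of primary-path states and record which
    next hop user traffic to SERVER_IP takes after each SLA cycle."""
    rib = Rib(main_router_routes())
    chosen = []
    for primary_up in primary_up_timeline:
        reach = {FW_NEXT_HOP: primary_up, DR_WAN_IP: backup_up}
        sla_probe(rib, probe_target, reach)
        chosen.append(rib.lookup(SERVER_IP))
    return chosen


# Constructed timeline: primary path fails for three cycles, then recovers.
OUTAGE = [True, False, False, False, True, True]

if __name__ == "__main__":
    print("probe far-end Internet IP:", simulate(DATACENTER_INTERNET_IP, OUTAGE))
    print("probe server IP          :", simulate(SERVER_IP, OUTAGE))
```

With the far-end Internet address as the target the run is FW, DR, DR, DR, FW, FW: traffic moves to the backup for the whole outage and returns when the primary recovers. With the server IP as the target it is FW, DR, FW, DR, FW, FW: once the floating route is installed the echo itself goes over the backup path, succeeds, re-installs the dead primary, fails, and so on every cycle. On a real router the usual remedy when you must probe an address covered by the floating route is a /32 static route for the probe target pointing at the primary next hop, but that /32 also captures user traffic to that host, so a dedicated probe address that is only reachable through the primary path is the cleaner choice.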
Otto_N commented:
Very comprehensive answer from ffleisma, not much to add. Just one thing: the IP you use to test Internet connectivity (the icmp-echo target) must be able to respond to ICMP echoes (pings) from the Cisco router. You might need to add some firewall rules (locally, and at the data center) for that.

cb_it (author) commented:
Thank you both for the replies. ffleisma, thank you for the detailed explanation with examples. I was fairly certain that I could do that but was not 100% sure how to set it up exactly. There is one problem. I would like for everyone to use the primary VPN all the time, and only use the backup during a test. I think my datacenter may also have some restrictions in that I can only use the backup when the primary is down. Is there any way to accomplish this? Thanks so much for all of the help.

ffleisma (Senior Network Engineer) commented:
The DR static route will just change to point to MAIN instead of the FW.
!(at DR)
! Primary is now the path through MAIN, guarded by track 1; DR's own
! firewall becomes the floating (AD 10) backup.
ip route 192.168.10.0 255.255.255.0 MAIN-WAN-IP track 1
ip route 192.168.10.0 255.255.255.0 10.100.155.3 10
!
ip sla 1
 icmp-echo DATACENTER-INTERNET-IP
 timeout 100
 frequency 1
!
ip sla schedule 1 start-time now life forever
!
! Track object the primary route references. The echo is forwarded by DR's
! own routing table, so DATACENTER-INTERNET-IP must be reached over the MAIN
! path for the track to reflect that path.
track 1 ip sla 1 reachability

In this case, DR will now use MAIN as well, as long as the MAIN IP SLA destination is reachable.

cb_it (author) commented:
Yeah, that seems simple enough, thank you again. I will test this out very soon and report back.