Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3960
Views
0
Helpful
9
Replies

Site-to-Site VPN Active/failover backup router setup

Go to solution
Kulwindersk1990
Level 1
Level 1

‎09-18-2018 10:01 PM - edited ‎09-18-2018 10:04 PM

Hello,

Can someone help me here....

As per the diagram my primary Site to site is active with ISP1 and we want to keep Active failover with second ISP2, whenever primary goes down so we can use active failover with second ISP2 and my primary router has LAN network.

My question is should i need to keep same configuration or i have to add more LAN networks  to head office site as well as to keep active backup tunnel ?

please help meTunnel .jpg.jpeg

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Kulwindersk1990

‎09-23-2018 02:05 PM

I understand the logic of having LAN of 10.200.0.0/27 at the branch. I do not understand the logic of the new 10.300.0.0/27. Where did this come from? What is it supposed to do?

 

In my experience when you want to achieve redundancy with two routers at the branch then both branch routers need to connect to the same LAN (or perhaps to two LANs if there is some reason to want a new LAN at the branch). How can the second router back up the primary router if it is not connected to the same LAN?

 

HTH

 

Rick

HTH

Rick

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎09-19-2018 12:26 PM

I am not sure that I understand your description of the environment and your requirements. I worked with a customer whose network diagram was fairly similar to yours and perhaps what we implemented for them might work for you. We had two site to site VPNs running from HQ to each remote site with two routers at HQ terminating the VPNs. We ran a routing protocol (in our case it was EIGRP) over the VPNs and set the metric to make one VPN primary and the other VPN backup. Both VPN were up and the routing protocol enforced the primary and backup flow of traffic. No need for additional LAN or anything.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Kulwindersk1990
Level 1
Level 1
In response to Richard Burts

‎09-22-2018 01:25 PM

Thank you very much for your reply....

In my case HQ don't want to run any routing protocol and HQ side both VPNs tunnel are active means primary and backup but my branch side i have to do routing in between primary and backup router ?

 and my primary router has main LAN and inside (internet) after that smart Switch just so my side i just want to keep active backup link as well as primary with my main LAN subnet.

 do i need to routing in between primary and backup routers?

i will appreciate your response... 

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Kulwindersk1990

‎09-23-2018 05:45 AM

I still am somewhat confused about what you are describing. But your diagram is quite clear about two routers at HQ and two routers at the branch. I do not know how you will achieve active/standby at both ends without some routing exchange between the routers. Perhaps someone else in the community might have a suggestion on how to achieve this?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
natuan
Level 1
Level 1
In response to Kulwindersk1990

‎09-23-2018 06:20 AM

Hi there,

I agree with Rick, you need a routing protocol such as OSPF or static route using higher AD number.
Btw, don't test it in work time. :) :)

Hope this help
0 Helpful

Go to solution
Kulwindersk1990
Level 1
Level 1
In response to natuan

‎09-23-2018 01:21 PM - edited ‎09-23-2018 01:22 PM

Dears, Thank you for your reply.

in my diagram Dubai-Branch side my cisco router 887 with ADSL internet line (ISP-1) has Internet+private network and it is default and primary , in this router i have configure one LAN (Inside) 10.200.0.0/27 to clients and clients are having access through this LAN to HQ LAN .

now they send one more LAN network 10.300.0.0/27 for Active/Backup router (Cisco887) and i get new internet line (ISP-2) for backup and if i have to keep active secondary IPsec-VPN so i have to add new LAN network. 

the problem is i couldn't able to understand how do i configure new LAN network to backup router to my clients side, do i need to do any routing between both routers? because i  don't want to disturb my primary inside network.

i will appreciate your comments on this again.

 

Thank you

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Kulwindersk1990

‎09-23-2018 02:05 PM

I understand the logic of having LAN of 10.200.0.0/27 at the branch. I do not understand the logic of the new 10.300.0.0/27. Where did this come from? What is it supposed to do?

 

In my experience when you want to achieve redundancy with two routers at the branch then both branch routers need to connect to the same LAN (or perhaps to two LANs if there is some reason to want a new LAN at the branch). How can the second router back up the primary router if it is not connected to the same LAN?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Kulwindersk1990
Level 1
Level 1
In response to Richard Burts

‎09-23-2018 02:11 PM - edited ‎09-23-2018 02:12 PM

Thank you Dear for reply...

Yes i understand now. yes the meaning of backup router means, Backup router should have same config with same LAN.

one more help please..

If both tunnels want to keep active primary and backup so which routing protocol you will preferred static or dynamic routing ?

Waiting for your suggestion.

Thank you  

0 Helpful

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Kulwindersk1990

‎09-24-2018 10:57 AM

You want to achieve redundancy so that if the primary fails that the backup will take over. While you might be able to achieve this using static routing it would be quite challenging. I believe that this approach would need to use IP SLA to track the primary route and might need to use EEM to react to a change and to make appropriate config changes. It would be much more simple to use dynamic routing to switch from the primary to the backup.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
Kulwindersk1990
Level 1
Level 1
In response to Richard Burts

‎09-24-2018 01:30 PM

Dear,

once it will be done, i will share config file here, if i stuck somewhere

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents