
Ask the VIP: Network Path Redundancy Design

Community Manager

Marwan Al-shawi

Cisco Support Community Ask the VIP conversation.

Learn about Network Path Redundancy Design from Cisco Designated VIP Marwan Al-shawi.

Marwan Al-shawi is a senior network engineer and technical consultant with Dimension Data Australia, a Cisco Global alliance partner that is part of the largest telecommunications company in Japan and Asia. He has also worked as a network architect with IBM Australia, global technology services, and other Cisco partners and IT integrators. He holds a master of science degree in internetworking from the University of Technology, Sydney, and holds Cisco certifications including CCNP, CCSP, CCDP, Cisco Unified Computing Technology Support Specialist, and CCDE (written).    

Remember to use the rating system to let Marwan know if you have received an adequate response. 


Marwan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community discussion forum shortly after the event. This event lasts through May 4, 2012. Visit this forum often to view responses to your questions and the questions of other community members.


Hello Marwan,

I have an HQ site connected to 50 remote sites over an MPLS ISP with any-to-any routing connectivity; each site has its own Internet connection.

What is the best way to use the Internet link as a backup path in case the MPLS/ISP link fails?

Hi Sebastian,

As long as you have a local Internet connection at each site, the simplest way to connect all of the sites together over the Internet, with minimal configuration overhead, securely and with no complexity, is by using DMVPN, where only a single tunnel interface is required at the HQ and at each remote site (no need for complex full-mesh tunnels per site!).

DMVPN gives you a hub-and-spoke topology, where the HQ site acts as the DMVPN hub and the remote sites as spokes. In addition, you can run routing over the DMVPN tunnels, and by using routing you can control the path selection so that the MPLS/ISP path is preferred over DMVPN, using an IGP such as EIGRP.

Once the MPLS link fails, this link can take over, and it can also give you direct spoke-to-spoke communication if required.

Please check out the links below for more ideas and details of how it can be designed.


Make sure the edge devices can support DMVPN (Cisco routers do, but firewalls don't).



Hi Marwan,

I would like to know the technical difference between VSS and vPC when used in a Data Center distribution layer.

Thank you for your prompt response,


Hi Irina,

Although VSS and vPC both provide a similar logical topology with no dependency on STP, since both virtualize (cluster) two physical switches to appear as one switch, with all links, from a control plane point of view, forwarding over both switches,

from a control plane point of view vPC differs from VSS: with vPC each physical switch uses its own control plane, while with VSS the control planes work in active/standby mode.

Also, with VSS you can manage both switches of the VSS pair via one management interface using the active VSS peer, while with vPC each vPC peer is managed independently.

From a design point of view, both can be used in the Data Center distribution layer, and the technology selection depends on the network requirements and hardware needs. For example, if there is a need for a high-performance system with high 10G link density, then vPC is the better choice: a redundant and scalable design using Nexus switches can provide a high-performance system with a high density of 10G ports, designed with vPC so that all links are in forwarding state with no STP blocking.

Thank you for your answer, Marwan. Here is another question:

How can I utilize two Internet links on the same router to send HTTP/HTTPS over one link and the rest of the traffic over the other link, and in case either link fails, fail over to the remaining one? Is there any advantage to using a Cisco ASR 1000 in this case?

Thank you very much for your prompt response.


Level 1

Hi Marwan,

Imagine a world where cloud services become the key enabler for businesses and the criticality of access to these services becomes paramount (we are almost getting to that point).

Is IP SLA link tracking the best method to use for critical failover of Internet access between multiple sites (primary and secondary data centres)? Will it work?

I'm aware of other more complex solutions but am thinking of keeping it simple...



Hi Marwan:

Do you know whether the CISCO-PORT-CHANNEL-MIB is completely supported on Nexus 5K/7K? I am trying to retrieve the portChannel table info through the MIB and am not getting any data.



Yes, Michael, IP SLA can be very useful in this case.

Generally speaking, Cisco IP SLA can add some intelligence to routing and path selection: you can track an interface state or the existence of a specific route in the routing table, and if a condition is met you can change or remove a preconfigured route, for example a static route with an IP SLA track.

However, if you have those two Internet links connected to two separate edge Internet routers, then you need to take into consideration how to align this IP SLA with the route selection/preference from the LAN side, as it depends on how the LAN communicates with the edge routers in this case, such as using an IGP, iBGP or HSRP. In this situation Cisco Performance Routing (PfR) can be useful too.


Hope this helps

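Added example, not part of Marwan's reply: the single-router case he describes, where an IP SLA probe tracks the primary Internet link and withdraws a static default route so a floating static via the second link takes over. The addressing is assumed for illustration (RFC 5737 documentation ranges): ISP-A on GigabitEthernet0/0 with next hop 192.0.2.1, ISP-B on GigabitEthernet0/1 with next hop 198.51.100.1, an inside LAN 10.0.0.0/24 on GigabitEthernet0/2, and a probe target 192.0.2.10 that is assumed to be a resolver inside ISP-A's network rather than the CE-PE link itself. The NAT section assumes the router itself translates the LAN, which the question does not state.

```cisco
! Probe something beyond the first hop so an ISP-side failure that leaves
! the access link up is still detected.
ip sla 1
 icmp-echo 192.0.2.10 source-interface GigabitEthernet0/0
 frequency 10
 timeout 1000
 threshold 500
ip sla schedule 1 life forever start-time now
!
! Dampen: declare the link down only after ~3 consecutive failed probes,
! and require 30 s of good probes before switching back.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! The primary default is removed from the RIB when track 1 goes down;
! the floating static (AD 200) via ISP-B then takes over.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200
!
! Pin the probe target to ISP-A. Without this host route the probe would
! succeed through ISP-B after failover, track 1 would come back up, and
! the router would flap between the two links.
ip route 192.0.2.10 255.255.255.255 192.0.2.1
!
! NAT must be selected by egress interface, not only by the inside ACL,
! otherwise traffic leaving via ISP-B still carries ISP-A's source address
! and is dropped upstream.
ip access-list standard INSIDE-NETS
 permit 10.0.0.0 0.0.0.255
route-map NAT-ISP-A permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/0
route-map NAT-ISP-B permit 10
 match ip address INSIDE-NETS
 match interface GigabitEthernet0/1
ip nat inside source route-map NAT-ISP-A interface GigabitEthernet0/0 overload
ip nat inside source route-map NAT-ISP-B interface GigabitEthernet0/1 overload
!
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat outside
interface GigabitEthernet0/2
 ip nat inside
```

`show track 1` and `show ip route 0.0.0.0` show which default is installed; `show ip sla statistics 1` shows the probe history. Blocking ICMP from the probe target at the ISP-A edge simulates an upstream failure without touching the link. Existing NAT translations are not cleared on failover, so long-lived sessions survive only if they are re-established; with two separate edge routers the same tracking has to be combined with HSRP or the LAN routing, as Marwan notes above.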

Hi Chandra

You need to post your question on the relevant forum/sub-forum, as it is not related to the topic we are discussing here.

I recommend you post it under the Data Center or Network Management sub-forum.



Level 1

Hi Marwan,

Both MPLS-TE FRR and IP FRR have the capability to minimize packet loss. The question is: can I use both of them?

Thank you,


Hi Tu,

MPLS-TE FRR is widely deployed, while IP FRR is new compared to MPLS-TE FRR. IP FRR offers some benefits that you might be aware of, such as:

- Sub-50 msec convergence without using RSVP-TE.

- Simple operation with minimal configuration.

- Superior LFA scaling without tunnel requirements.

- Incremental deployment with no interoperability requirements. There is no change to the standards-based IGP protocols; IP FRR capability is internal to a box.

- Applicable to pure IP (IP FRR) and MPLS (LDP FRR) networks.

But there is little documentation about IP FRR, as it is less deployed than MPLS-TE FRR, and I have never been in a situation where I needed both! You might have a situation where you need both, but in general, from a design point of view, it is not good practice to have a lot of redundancy and redundancy mechanisms, especially as both technologies above achieve the same goal. I would say just choose the one most suitable to your network/core and supported on your platforms, and always keep it simple and straightforward without adding an additional layer of complexity that makes it hard to troubleshoot, unless you have to due to network or topology limitations.

hope this helps

Sarah Staker
Level 1

Hi Marwan,

This is our situation: we have an Internet router connected to an ISP, and from the LAN there is a firewall cluster that uses a default route to this router for Internet access. We are planning to add a second router, using a different ISP, as a standby/backup router to the current one. What is the best way to do it, and do we need iBGP between those two routers if we use eBGP with each ISP?

Thank you for your answer.


Hi Sara,

Since you are using a static default route from the FWs to the Internet router, once you add the new router you can use HSRP without iBGP or an IGP (keep it simple), and in this case you can use the current internal router IP as the HSRP VIP to avoid making any change on the firewall.

For the active/standby outbound direction, HSRP can control this by increasing the HSRP priority on the active router.

However, HSRP by itself will not fail over unless the internal link or router goes down. By using some advanced IOS features such as object tracking, you can track the default route received from the ISP over eBGP on the active router using enhanced object tracking, and once this default route disappears from the routing table (due to BGP or ISP link failure) HSRP can decrement the priority on the active HSRP peer and force failover to the secondary HSRP peer. In this case HSRP becomes more network-aware and reliable for active/standby Internet access.


If you have a public IP range to be advertised over both ISPs/links, you can use some BGP policies such as BGP AS-path to make the active router the preferred path for inbound traffic for that IP range, to avoid asymmetric routing situations.


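Added example, not part of Marwan's reply: the two-router design he describes, with eBGP to each ISP, no iBGP between the routers, HSRP on the inside segment, enhanced object tracking of the BGP-learned default route on the active router, and AS-path prepending on the standby router's announcement so inbound traffic follows the active router. All identifiers are assumed for illustration: our AS 64500 and public block 203.0.113.0/24, ISP-A peer 198.51.100.1 in AS 64501, ISP-B peer 192.0.2.1 in AS 64502, the inside segment 10.0.0.0/24 where 10.0.0.1 was the old router's address and becomes the shared HSRP VIP (so the firewall cluster's default route does not change), and a firewall cluster outside address 10.0.0.10 that NATs to the public block.

```cisco
! ---- R1: existing Internet router, becomes the active HSRP peer ----
! Static route to the firewall puts our public block in the RIB so that
! "network" can announce it.
ip route 203.0.113.0 255.255.255.0 10.0.0.10
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64501
 neighbor 198.51.100.1 description ISP-A
 neighbor 198.51.100.1 prefix-list ONLY-DEFAULT in
 neighbor 198.51.100.1 prefix-list OUR-PREFIX out
!
! Accept only a default route and announce only our own block, so a
! mistake cannot turn the edge into transit or leak internal prefixes.
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
! Enhanced object tracking: the object goes down when the BGP-learned
! default leaves the RIB. Do not configure a static default on R1, or
! the track will never fail.
track 10 ip route 0.0.0.0/0 reachability
 delay down 5 up 30
!
interface GigabitEthernet0/1
 description Inside, towards firewall cluster
 ip address 10.0.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 authentication md5 key-string REPLACE-WITH-HSRP-KEY
 ! 110 - 20 = 90 < 100, so R2 preempts when the default route is lost.
 standby 1 track 10 decrement 20
!
! ---- R2: new standby router, eBGP to ISP-B ----
ip route 203.0.113.0 255.255.255.0 10.0.0.10
!
router bgp 64500
 bgp log-neighbor-changes
 network 203.0.113.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 64502
 neighbor 192.0.2.1 description ISP-B
 neighbor 192.0.2.1 prefix-list ONLY-DEFAULT in
 neighbor 192.0.2.1 route-map ISP-B-OUT out
!
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
ip prefix-list OUR-PREFIX seq 5 permit 203.0.113.0/24
!
! Prepend our AS on the ISP-B announcement so the Internet prefers the
! R1/ISP-A path for inbound traffic while R1 is healthy.
route-map ISP-B-OUT permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 64500 64500 64500
!
interface GigabitEthernet0/1
 description Inside, towards firewall cluster
 ip address 10.0.0.3 255.255.255.0
 standby version 2
 standby 1 ip 10.0.0.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string REPLACE-WITH-HSRP-KEY
```

Check with `show standby brief`, `show track 10` and `show ip bgp summary` on both routers, then shut the ISP-A neighbor (`neighbor 198.51.100.1 shutdown`) on R1: the tracked default disappears, R1's priority drops to 90 and R2 takes the VIP. Because the firewall cluster only ever sees the single VIP, a flow that leaves via R2 and returns via R1 still traverses the same firewall and does not break state; the prepend simply reduces how often that happens. The track only detects loss of the default route, so an ISP that keeps the session up while dropping traffic upstream is not caught; combine it with an IP SLA probe if that matters. HSRP authentication keeps a host on the inside segment from hijacking the VIP.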

Hello Marwan,

My question involves a design very similar to your response to Sara. In our implementation there are 2 routers at a spoke site running HSRP. The routers connect to different MPLS providers and have DMVPN tunnels to 2 hubs (one hub is a backup site). Over the DMVPN tunnels we run EIGRP as the routing protocol between hub and spoke.

Currently we use EIGRP distribute-lists to try to avoid asymmetric routing. The distribute list increases the metric on the HSRP standby router so that two-way traffic takes the active HSRP device.

HSRP is configured to track a route that is being announced by the primary hub. If the route is missing, then HSRP will fail over to the secondary router, which also has an EIGRP peering to the primary hub. We also track, based on IP SLA, latency and packet loss across the provider MPLS network to the primary hub.

The problem that we encounter with the above design is that if the active HSRP router changes while EIGRP neighbor adjacencies to the hub are still up on the former active router, then we may encounter asymmetric routing.

So, my question is: "Is there a way to manipulate route metrics based on the state of HSRP?"