EIGRP, Tunnel - interfaces and HSRP

jsteffensen
Level 1

Hi Everyone.

We have two Sites, with redundant connections to each other using GRE tunnels over the internet.

(different providers and last-mile medium).

We are using EIGRP for dynamic routing updates.

This is configured on Cisco 2600 routers, which also work as default GW for all servers and clients on the LAN side on both Sites.

To do IPsec 3DES encryption of the GRE tunnels over the internet we are using 2 PIXes on both sides (one per ISP).

This is working splendidly. When one tunnel is down, packets are routed only through the other tunnel.

Now the new Question is: What happens if one of the two 2600 routers goes down?

Answer: Connectivity is interrupted. And this is not wanted.

Our Question is now: Is it possible to install a second router (2600 or whatever) on each side, create 2 new tunnels on these devices and use HSRP to solve the redundancy on each side?

This would make:

2 x Cisco 2600 on LAN A, each with 2 GRE Tunnels to LAN B

Configured with HSRP on ethernet, and EIGRP to handle network instability.

2 x Cisco 2600 on LAN B, each with 2 GRE Tunnels to LAN A

again, configured with HSRP on ethernet, and EIGRP to handle network instability.

EIGRP is configured on all 4 devices, and would handle Routing over the different GRE Tunnels.

Is this the proper design?

If this does not work. What is the proper way of solving it?

(still splitting functionality on routers and Firewalls as today)

(I would have sent a diagram to ease the design proposal but.......)

We would be grateful for any comments and help.

Regards

Jarle

Accepted Solution

If it were my network, I would dump GRE and run BGP as the routing protocol directly across the IPSec tunnels (see the white paper on Redundant IPSec VPNs on my web site). I would then use the same IPSec tunnel to support both routers, reducing complexity in the PIXes.

Don't forget to split the LANs as well, because you'll find that hubs/switches also fail and you don't want a $50 box to be a single point of failure. This may require additional interfaces on the routers, so watch your budget and spend it carefully.

Disclaimer: My suggestions are based on guessing what you are actually trying to achieve and may have no relationship to what you should be doing or what I would recommend if I really knew what your environment was.

Good luck and have fun!

Vincent C Jones

www.networkingunlimited.com


3 Replies

Richard Burts
Hall of Fame

If there are two routers on LAN A and each router has two GRE tunnels (a tunnel to each router on LAN B) and two routers on LAN B (each with a GRE tunnel to each router on LAN A) then you should have pretty effective redundancy. There are a couple of suggestions that I would offer:

- use HSRP priority to select one of the routers on each LAN as the active or lead router.

- use an offset list in EIGRP to make the route from the primary to the primary have the best metric, the route from the backup to the backup have the worst metric, and the routes from primary to backup have an intermediate metric.

With HSRP you frequently want to "track" so the backup can take over if the primary loses its outbound connection. This is a challenge with tunnels, since the tunnel on one end can show up/up even when it can not communicate with the other end. That is why having a dynamic protocol like EIGRP is very helpful in designs like this. If the EIGRP hellos stop then EIGRP will converge and send traffic to the other neighbor.

HTH

Rick

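To make the four-router design from the question and Rick's two suggestions concrete, here is an added IOS configuration sketch for the LAN A pair. It is my illustration, not configuration posted by anyone in the thread. Hostnames, addresses (RFC 5737/1918 ranges), interface names, HSRP group 1, EIGRP AS 100, the tunnel bandwidth and the offset values are all assumptions; Tunnel0 on each LAN A router points at the primary LAN B router (B1), Tunnel1 at the backup (B2). The GRE keepalive lines are likewise an assumption: they need an IOS release that supports them and are there because, as Rick notes, a tunnel's line protocol otherwise stays up/up when the far end is unreachable.

```text
! ===== A1: primary router on LAN A (assumed names and addresses) =====
hostname A1
!
interface FastEthernet0/0
 description LAN A; hosts use the HSRP virtual address as default gateway
 ip address 10.1.0.2 255.255.255.0
 standby 1 ip 10.1.0.1
 standby 1 priority 110
 standby 1 preempt
 ! no "standby 1 track Tunnel0": line protocol is not a reliable signal
 ! for a GRE tunnel; EIGRP hold-time (and GRE keepalive) do the detection
!
interface FastEthernet0/1
 description inside leg toward the PIX pair (IPsec is done on the PIXes)
 ip address 192.168.1.2 255.255.255.0
!
interface Tunnel0
 description GRE to B1 (primary-to-primary): no offset, best metric
 ip address 10.255.0.1 255.255.255.252
 bandwidth 2000
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.2.2
!
interface Tunnel1
 description GRE to B2 (primary-to-backup): intermediate metric via offset-list
 ip address 10.255.0.5 255.255.255.252
 bandwidth 2000
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.2.3
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
 ! access-list 0 = every prefix; add 1,000,000 to routes learned over Tunnel1
 offset-list 0 in 1000000 Tunnel1
!
! ===== A2: backup router on LAN A =====
hostname A2
!
interface FastEthernet0/0
 description LAN A; lower HSRP priority, takes over when A1 dies
 ip address 10.1.0.3 255.255.255.0
 standby 1 ip 10.1.0.1
 standby 1 priority 100
 standby 1 preempt
!
interface FastEthernet0/1
 ip address 192.168.1.3 255.255.255.0
!
interface Tunnel0
 description GRE to B1 (backup-to-primary): intermediate metric
 ip address 10.255.0.9 255.255.255.252
 bandwidth 2000
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.2.2
!
interface Tunnel1
 description GRE to B2 (backup-to-backup): worst metric
 ip address 10.255.0.13 255.255.255.252
 bandwidth 2000
 ip hello-interval eigrp 100 5
 ip hold-time eigrp 100 15
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 192.168.2.3
!
router eigrp 100
 network 10.0.0.0 0.255.255.255
 no auto-summary
 offset-list 0 in 1000000 Tunnel0
 offset-list 0 in 2000000 Tunnel1
```

B1 and B2 get the mirror image (B1 with priority 110, offsets placed so that B1's tunnel to A1 carries no offset and B2's tunnel to A2 carries the largest). Because hosts on each LAN send to the HSRP virtual address, the HSRP active router chooses the outbound tunnel, and its lowest-metric route is the primary-to-primary tunnel, so forward and return traffic take the same path while both primaries are up. Note that A1 and A2 are also EIGRP neighbours over FastEthernet0/0, so while A1 is alive A2 will normally prefer LAN B routes learned from A1 over its own offset tunnels; that is intended. Set `bandwidth` identically on all four tunnels, otherwise the EIGRP composite metric, not the offsets, decides the path. Check the result with `show standby brief`, `show ip eigrp neighbors` and `show ip route`, then pull the cable on A1's PIX-side interface and confirm the neighbour drops after the 15-second hold-time and the route moves to A2.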

Hi Rick

Thanks for your input. It was very helpful.

The solution is "nailed" now.

Greetings

Jarle
