Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
783
Views
15
Helpful
6
Replies

Load Balance and High Availability.

riju
Level 1
Level 1

‎07-19-2005 12:45 AM - edited ‎03-09-2019 11:53 AM

I am going to setup VPN in two 2821 with IOS 12.3(14)T1.

I want to setup both the router in Active/Active and do both Load Balance and High Availability with two 2821 routers with one ISP and configure the same VPN setup in both routers.

Is IPSec Load Balance and High Availability possible?

If so how to do it?

Is any othere special hardware/module is need?

Labels:
0 Helpful
6 Replies 6

johansens
Level 4
Level 4

‎07-19-2005 06:41 AM

Hi there,

Unless you treat them as two separate gateways and run two IPSec tunnels to your destinations, you won't get them to work in a "active/active" state. This includes Load Balancing.

There exists a Stateful IPSec HA-solution, but this is only for 3700, 3800, 7200 and 7300 platforms:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper0900aecd80278edf.shtml

Your HW-solution would permit a stateless HSRP-based HA failover solution. This doesn't permit load-balancing or sharing:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml

riju
Level 1
Level 1
In response to johansens

‎07-20-2005 02:59 AM

Hi John

Thankyou very much for the reply. The link was very helpful.

Is there any other way, by which I can do load-balancing with 2821?

0 Helpful

riju
Level 1
Level 1
In response to riju

‎07-20-2005 05:21 AM

The two ISR 2821 is having AIM-VPN/EPII-PLUS module. With this module is it possible to do load-balancing?

0 Helpful

johansens
Level 4
Level 4
In response to riju

‎07-20-2005 09:02 AM

As I answered before, you must treat the routers as two separate routers, so the type of module has no relevance in this case.

Did it help?

johansens
Level 4
Level 4
In response to riju

‎07-20-2005 09:00 AM

My name is Stig... :)

If you are running IOS 12.4 or newer, you can run GLBP on the inside in conjunction with RRI and redistribution into a dynamic routing-protocol. This would allow for load-balancing.

GLBP: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008042fb97.html

RRI: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455af1.html

EIGRP: http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a008045296f.html

If you are running an older IOS version, the only way you will be able to do any load-balancing is by putting a third router inside the VPN-routers. With this you can enable a dynamic routing-protocol between the three routers. Using RRI on the VPN-tunnels and redistribution into the dynamic routing-protocol will then enable you to do load-balancing.

You will have to setup the two 2821 routers as standalone routers without any HSRP/GLBP/VRRP or failover on the outside. The failover will then lie in the fact that your remote sites will have two tunnels, and if one dies, the other is already active.. :)

Remember to run ISAKMP keepalive or DPD to detect any downtime on the tunnels.

http://www.cisco.com/en/US/products/ps6350/products_command_reference_chapter09186a00804a3830.html#wp1178713

Did it help?

riju
Level 1
Level 1
In response to johansens

‎07-21-2005 08:26 PM

Hi Stig,

Thankyou very much.

As I dont have the IOS 12.4 or above, I`ll try to setup the 2nd menthod and test it.

Problem is some of the B.O routers are cisco and some are not cisco.

I have attached the design.

Preview file
8 KB
0 Helpful
Customers Also Viewed These Support Documents