Site to Site HA w/ ISDN Backup

pmoscicki
Level 1

We are using Cisco 831 routers at our remote locations to provide site-to-site VPN connectivity back to our data center (full tunnel). At our data center we have a pair of Cisco 2691 routers running in a high-availability configuration using HSRP. All our remote locations terminate their VPN tunnel on the HSRP address of the 2691s in our data center. We are using static crypto maps on both the remote and data center routers. In addition, we are employing reverse route injection (RRI) to facilitate the dynamic route additions (which in turn get redistributed via OSPF to our enterprise core). This design has been implemented and is working as expected.

We are now interested in adding dial backup (via ISDN) functionality to this design. We are planning on using 17XX and 26XX routers at remote locations that require dial backup. Each location would have an ISDN circuit, and our data center would have a 3640 with a PRI interface to terminate a PRI circuit. Basically, in the event of primary (IPsec VPN tunnel) “link” failure we want the remote router to dial around the IPsec cloud and connect directly to the 3640 in our data center. Encryption over this link is NOT a requirement, as this is basically a private network connection (ISDN) at that point.

In order to accomplish the DDR I would like to implement this as a typical DDR scenario where we run a routing protocol out to the remote (preferably OSPF) and use floating static routes to point to the BRI interface, at the remote, with a higher cost. I am fully aware that at this point I will need to run GRE over IPsec in this scenario (due to the broadcast-based OSPF, etc.). Once the primary link fails, the default route (over the primary link) is withdrawn and the static takes precedence. This would be a “typical” traditional WAN DDR design.

I have not implemented this design yet because I’m not sure of a couple of things. Notably, I’m not sure if this is a good design or if it will actually work, since I can’t find any documentation that depicts running GRE/IPsec and HSRP all at the same time. Can we run GRE and use HSRP as the tunnel endpoint? Does it make sense to even do this? I would like to NOT have to rearchitect my existing sites that are using Cisco 831s, since I have no reason to run GRE out to these sites. I am concerned about the overhead (etc.) of GRE on these routers. I am also a bit concerned about using GRE in the first place. I have read several FAQs and articles that mention some issues with fragmentation (specifically the DF bit) and its potential impact on applications (web browsing, etc.). Is there any valid cause for concern in using GRE from a compatibility standpoint?

Any help, comments or direction would certainly be more than appreciated.

Thank you,

Paul R. Moscicki

Lead Network Engineer

2 Replies

p.krane
Level 3

You are correct, the main issue with GRE tunnels is fragmentation. Here is a URL with several workarounds that correct this problem:

http://www.cisco.com/warp/public/105/56.html

Should not be a problem to run HSRP/GRE on the same router.
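As an added illustration of the remote-side design described in the original post (GRE over IPsec with OSPF across the tunnel, a floating static default route toward the BRI, and the fragmentation workarounds the reply above points to), here is a constructed IOS configuration for a remote 17XX/26XX router. It is not configuration from the thread or from Cisco; all addresses, names, the PSK, the dial number and the interface names are hypothetical. It deliberately terminates the tunnel on a single data center address rather than the HSRP virtual address, since the thread does not establish that the latter works.

```cisco
! Remote 17XX/26XX router -- constructed example, not from the thread.
! All addresses, names, keys and the dial number are hypothetical.
hostname REMOTE-A
!
! --- IPsec protecting the GRE tunnel (static crypto map, as in the existing design) ---
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key REMOTE-A-PSK address 203.0.113.1
!
crypto ipsec transform-set GRE-SET esp-3des esp-sha-hmac
 mode transport
!
! Only GRE between the tunnel endpoints needs protection
access-list 110 permit gre host 198.51.100.2 host 203.0.113.1
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set GRE-SET
 match address 110
!
interface FastEthernet0
 description Internet (primary path)
 ip address 198.51.100.2 255.255.255.0
 crypto map VPN
!
! --- GRE tunnel to the data center, with the fragmentation workarounds ---
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400                 ! leave room for GRE + ESP inside a 1500-byte packet
 ip tcp adjust-mss 1360      ! clamp TCP MSS so DF-set flows never need fragmenting
 keepalive 10 3              ! bring line protocol down when the far end stops answering
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
!
interface FastEthernet1
 description Remote LAN
 ip address 10.10.1.1 255.255.255.0
!
! --- ISDN dial backup to the data center 3640 (cleartext, per the post) ---
isdn switch-type basic-ni
username DC3640 password 0 DIALPASS
!
interface BRI0
 ip address 10.254.0.2 255.255.255.252
 encapsulation ppp
 dialer idle-timeout 300
 dialer map ip 10.254.0.1 name DC3640 broadcast 5551234567
 dialer-group 1
 ppp authentication chap
!
! Any IP toward the BRI is "interesting"; OSPF is not enabled on BRI0,
! so routing hellos cannot keep the B-channel up on their own.
dialer-list 1 protocol ip permit
!
! OSPF runs over the tunnel and the LAN only
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 10.10.1.0 0.0.0.255 area 0
!
! Floating static default: the OSPF default (AD 110) learned over Tunnel0 wins
! while the tunnel is up; when the tunnel and its adjacency drop, this AD 200
! route is installed and the first LAN packet toward it triggers the dial.
ip route 0.0.0.0 0.0.0.0 10.254.0.1 200
```

This assumes the data center hub originates a default route into OSPF over the tunnel (for example with `default-information originate`) and that the 3640 has a matching CHAP username and a return route for 10.10.1.0/24 via its dialer interface; neither is shown here. The `ip mtu` / `ip tcp adjust-mss` pair on the tunnel is the usual answer to the DF-bit concern raised in the post; `crypto ipsec df-bit clear` is the other workaround discussed in the linked Cisco document.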

I have attempted to run both HSRP and GRE on the same router with miserable results. Unfortunately, the dynamics of my situation prevent me from doing this. I have an HSRP group defined on my external Ethernet interface (fast0/1) and have a crypto map redundancy group defined on this interface. If you try to also associate this crypto map with the tunnel interface, the IOS will not allow you to do so. Just more undocumented features, I suppose.