851 VPN + 2911 Metro E + 3rd Party

I have a somewhat unique situation at a new customer site that I am looking at deploying.  First, the basic topology:

  • Core Data Center has an ASA 5510 connecting to the internet, and acting as a site-to-site VPN endpoint.
  • Core Data Center has a 2911 ISR connecting to a Metro Ethernet private line to customer site.  G0/0 (LAN) is
  • Customer site has an 851 router, connecting to the internet, and acting as the remote site-to-site VPN endpoint.  VLAN 1 on this router is
    • This router also connects to a 3rd party juniper router that I do not manage.  The LAN on this router is  Their interface that connects to our 851 is
  • Customer site has a 2911 ISR connecting to a Metro Ethernet private line to core data center. G0/0 (LAN) is, G0/1 is the "WAN" interface, and G0/2 is open.
  • The 2911 routers run eigrp.

With that said, I need to accomplish two things:

  • The 2911/ Metro Ethernet will be our main WAN connection between the site and data center.  The 851 with VPN will need to function as a backup in the event that the Metro E circuit fails. 
  • Users behind the 2911 at the site need to be able to access the 3rd party data center network at  This network is on the far end of a VPN tunnel that the juniper router ( terminates. 

This is all complicated by the fact that the third party network is not managed by me, and their network team is not very well versed in firewalls (they generally contract yet another third party to perform changes).

So to start, I have simply connected G0/2 on our 2911 to an open port on our 851.  G0/2 was given an IP of  I can successfully ping between the two devices, but I lose remote connectivity to the 851 from the data center.  I presume this is because eigrp is advertising the network across the Metro E, and the response from the 851 is to statically route across the VPN tunnel.  The 851 does not support eigrp.

Should I place a static route on the 851 of, followed by adding a higher metric route for the VPN tunnel?  This should force the router to use the 2911 as its gateway to our data center network.  I would do the reverse on the 2911, adding a higher metric static route to our core data center to use the 851 router. 

For the second requirement, I would presume I need to route traffic for and through, and instruct the 3rd party team to allow traffic from through their VPN tunnel/ firewall.

This is a messy one, and the lack of eigrp support and the two VPN tunnels involved on the 851 complicate things for me.


Re: 851 VPN + 2911 Metro E + 3rd Party

I've created a quick Visio diagramming my topology.  Hopefully it helps in understanding.  The solid green line is the new connection between the 2911 and 851 at the site.  The dashed green line shows the two networks that must be able to communicate between the site and the 3rd party's data center.

Hall of Fame Guru

851 VPN + 2911 Metro E + 3rd Party


Can you post as a jpg as not all of us have Visio.

It's not entirely clear from your description what the source IP networks are that need access to both the DC and the remote site VPN.

On a more general note if you are using statics then an indirect failure link will not remove the static so the backup VPN may not be used. Solutions -

1) use RIP between the 2911 and the 851 (I believe the 851 supports RIP) and redistribute from EIGRP into RIP. You have a default route pointing to the VPN link but advertise the more specific routes into RIP and so if both links are up it will choose the Metro E link. RIP however can be slow to converge.

2) use IP SLA (if supported on your 851) to track the reachability of the DC via the preferred route. If you want to check if IP SLA is supported -

851(config)# ip sla ?
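An illustrative 851 configuration for option 2, added here as an example (it is not configuration from the thread or from either poster). Every address is a placeholder because the post elides the real subnets, and it assumes the 851 runs an IOS image that supports `ip sla` and `track`; the data center side still needs its own preference for Metro E over the VPN, as the original poster noted.

```cisco
! ---- Placeholder addressing (the thread does not give the real subnets) ----
! 10.0.0.0/24    core data center LAN, reached via Metro E or via the VPN
! 10.0.0.1       a host in the DC used as the reachability probe target
! 10.2.0.0/24    851 VLAN 1 subnet at the site; 851 is 10.2.0.2
! 10.2.0.1       site 2911 G0/2, connected to an 851 switch port in VLAN 1
! 203.0.113.1    ISP next hop on the 851 WAN; traffic matching the crypto map
!                on that interface rides the existing site-to-site VPN (not shown)
!
! Probe the DC host every 10 s, sourced from the LAN side so the replies
! are not NATed and the probe state reflects the inside reachability.
ip sla 10
 icmp-echo 10.0.0.1 source-interface Vlan1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Track object follows the probe; dampen flaps so a single lost echo
! does not swing the routing table back and forth.
track 10 ip sla 10 reachability
 delay down 30 up 60
!
! Pin the probe target itself to the Metro E path with an untracked /32.
! Without this, once the tracked route is withdrawn the probe would be
! routed over the VPN, succeed, bring the track back up, and the primary
! route would flap between the two paths.
ip route 10.0.0.1 255.255.255.255 10.2.0.1
!
! Primary: DC subnet via the site 2911, installed only while track 10 is up.
ip route 10.0.0.0 255.255.255.0 10.2.0.1 track 10
!
! Floating backup: same prefix, administrative distance 250 (static default
! is 1), so it is used only after the tracked route disappears.  The next hop
! is the ISP gateway, which sends the packets through the crypto map.
ip route 10.0.0.0 255.255.255.0 203.0.113.1 250
```

Verify the failover with `show track 10` and `show ip route 10.0.0.0` while the Metro E side is up, then again with the 2911 G0/2 link shut; the second `show ip route` should list the 203.0.113.1 next hop.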



Re: 851 VPN + 2911 Metro E + 3rd Party

Here's the JPG of the visio diagram.  Thanks in advance for any help.

Hall of Fame Guru

851 VPN + 2911 Metro E + 3rd Party


Apologies, I missed your last post.

Can you just clarify in specific terms -

1) a full list of which IP subnets need access to which IP subnets

2) for each of 1) which path you want them to take including any failover path

It may just be me but I am just struggling to see exactly what needs access to what.

