
851 VPN + 2911 Metro E + 3rd Party

mike.welker
Level 1

I have a somewhat unique situation at a new customer site that I am looking at deploying.  First, the basic topology:

  • Core Data Center has an ASA 5510 connecting to the internet, and acting as a site-to-site VPN endpoint.
  • Core Data Center has a 2911 ISR connecting to a Metro Ethernet private line to customer site.  G0/0 (LAN) is 10.20.0.0/16
  • Customer site has an 851 router, connecting to the internet, and acting as the remote site-to-site VPN endpoint.  VLAN 1 on this router is 10.192.4.0/24
    • This router also connects to a 3rd party Juniper router that I do not manage.  The LAN on this router is 192.168.48.0/24.  Their interface that connects to our 851 is 10.192.4.254.
  • Customer site has an 2911 ISR connecting to a Metro Ethernet private line to core data center. G0/0 (LAN) is 10.25.0.0/16, G0/1 is the "WAN" interface, and G0/2 is open.
  • The 2911 routers run eigrp.

With that said, I need to accomplish two things:

  • The 2911/ Metro Ethernet will be our main WAN connection between the site and data center.  The 851 with VPN will need to function as a backup in the event that the Metro E circuit fails. 
  • Users behind the 2911 at the site need to be able to access the 3rd party data center network at 192.168.10.0/24.  This network is on the far end of a VPN tunnel that the juniper router (192.168.48.1) terminates. 

This is all complicated by the fact that the third party network is not managed by me, and their network team is not very well versed in firewalls (they generally contract yet another third party to perform changes).

So to start, I have simply connected G0/2 on our 2911 to an open port on our 851.  G0/2 was given an IP of 10.192.4.2.  I can successfully ping between the two devices, but I lose remote connectivity to the 851 from the data center.  I presume this is because eigrp is advertising the 10.192.4.0 network across the Metro E, and the response from the 851 is to statically route across the VPN tunnel.  The 851 does not support eigrp.

Should I place a static route on the 851 of 10.20.0.0 255.255.0.0 10.192.4.2, followed by adding a higher metric route for the VPN tunnel?  This should force the router to use the 2911 as its gateway to our data center network.  I would do the reverse on the 2911, adding a higher metric static route to our core data center to use the 851 router. 

For the second requirement, I would presume I need to route traffic for 192.168.48.0/24 and 192.168.10.0/24 through 10.192.4.1, and instruct the 3rd party team to allow traffic from 10.25.0.0 through their VPN tunnel/ firewall.

This is a messy one, and the lack of EIGRP support on the 851, with two VPN tunnels involved, complicates things for me.

4 Replies

mike.welker
Level 1

I've created a quick Visio diagramming my topology.  Hopefully it helps in understanding.  The solid green line is the new connection between the 2911 and 851 at the site.  The dashed green line shows the two networks that must be able to communicate between the site and the 3rd party's data center.

Michael

Can you post it as a JPG, as not all of us have Visio.

It's not entirely clear from your description what the source IP networks are that need access to both the DC and the remote site VPN.

On a more general note, if you are using statics then an indirect link failure will not remove the static, so the backup VPN may not be used. Solutions -

1) use RIP between the 2911 and the 851 (I believe the 851 supports RIP) and redistribute from EIGRP into RIP. You have a default route pointing to the VPN link but advertise the more specific routes into RIP, and so if both links are up it will choose the Metro E link. RIP however can be slow to converge.

2) use IP SLA (if supported on your 851) to track the reachability of the DC via the preferred route. If you want to check if IP SLA is supported -

851(config)# ip sla ?

Jon
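The tracked-static approach from Jon's option 2, written out as an added worked configuration; this is not part of either poster's text. It uses the addresses given in the thread (2911 G0/2 at 10.192.4.2, DC LAN 10.20.0.0/16, Juniper at 10.192.4.254, third-party networks 192.168.48.0/24 and 192.168.10.0/24) and assumes three things the thread does not state: the 851's VLAN 1 address is 10.192.4.1, a DC host at 10.20.0.1 answers ICMP, and the 851's ISP next hop is 203.0.113.1.

```cisco
! ==== 851 at the customer site (assumed VLAN 1 address 10.192.4.1) ====
! Probe a data-center host through the 2911. 10.20.0.1 is an assumed address
! for the DC 2911's G0/0; any DC host that answers ICMP will do.
ip sla 10
 icmp-echo 10.20.0.1 source-interface Vlan1
 frequency 10
ip sla schedule 10 life forever start-time now
!
! Hold the state change for a few probes so a single lost echo does not flap the route.
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Pin the probe target itself to the 2911 so the probe always tests the Metro E
! path. Without this /32, once the tracked route below is withdrawn the probe
! would be answered across the VPN, the track would come back up, and the
! routes would flap.
ip route 10.20.0.1 255.255.255.255 10.192.4.2
!
! Preferred path to the DC LAN via the 2911; withdrawn when track 10 is down.
ip route 10.20.0.0 255.255.0.0 10.192.4.2 track 10
!
! Floating static for the backup. The 851 terminates the VPN with a crypto map
! on its Internet-facing interface, so the backup route points at the ISP next
! hop (assumed 203.0.113.1) and the crypto ACL decides what gets encrypted.
! AD 250 keeps it out of the routing table while the tracked route exists.
ip route 10.20.0.0 255.255.0.0 203.0.113.1 250
!
! Third-party networks behind the Juniper (10.192.4.254, from the post).
ip route 192.168.48.0 255.255.255.0 10.192.4.254
ip route 192.168.10.0 255.255.255.0 10.192.4.254

! ==== 2911 at the customer site ====
! DC prefixes normally arrive via EIGRP over the Metro E (AD 90). A floating
! static toward the 851 with AD 200 only enters the table when EIGRP loses them.
ip route 10.20.0.0 255.255.0.0 10.192.4.1 200
!
! Site users (10.25.0.0/16) reaching the third party. G0/2 (10.192.4.2) sits on
! the 851's VLAN 1 with the Juniper, so the Juniper is a directly connected next hop.
ip route 192.168.48.0 255.255.255.0 10.192.4.254
ip route 192.168.10.0 255.255.255.0 10.192.4.254
```

Check the result with `show track 10`, `show ip sla statistics 10` and `show ip route 10.20.0.0`; pulling the Metro E circuit should drop the track and replace the 10.192.4.2 next hop with the AD 250 route within the `delay down` window. On older 12.4 images that fail Jon's `ip sla ?` check, the same feature uses the `rtr` keyword (`rtr 10`, `track 10 rtr 10 reachability`). Failover only works end to end if the data-center side mirrors it: the crypto ACLs on the 851 and the ASA must cover 10.25.0.0/16 as well as 10.192.4.0/24, and the DC must have an equivalent backup route for 10.25.0.0/16 toward the VPN once the EIGRP route disappears.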

Here's the JPG of the visio diagram.  Thanks in advance for any help.

Michael

Apologies, I missed your last post.

Can you just clarify in specific terms -

1) a full list of which IP subnets need access to which IP subnets

2) for each of 1) which path you want them to take including any failover path

It may just be me but I am just struggling to see exactly what needs access to what.

Jon
