Active Active site to site VPN tunnel with asymmetric routing

Aaida
Level 1

Please provide a solution for the requirement below; please refer to the attached diagram for this scenario.

Aaida_1-1686667791699.png


We need to implement a site-to-site VPN with a 3rd party. Both of us have two peer IPs. Our primary peer connects to their primary peer, and our secondary peer connects to their secondary peer. Also, both tunnels should be active at the same time. There are two 3rd-party servers in use: one is in DC 1 and the other is in DC 2. Hence, when our users want to connect to the A.A.A.A servers, traffic should flow through tunnel A; likewise, when users connect to B.B.B.B, it should take tunnel B. Also, traffic should fail over properly when one tunnel goes down. What is the best possible way to achieve this?

Tunnel version: IKEv2

Questions:

  1. Which is the most appropriate tunnel mode, policy-based or route-based VPN? Or can the above requirement be fulfilled with either of them?
  2. What should the routing strategy be? We are thinking of making the 3rd-party servers part of BGP and using the BGP prepend attribute to do asymmetric routing. Is that a good solution?
  3. Are we able to do auto failover with this setup?
  4. Is it possible to try this setup in a lab and get a sample configuration, as we don't have a lab environment?
12 Replies

M02@rt37
VIP

Hello @Aaida,

Thanks for sharing the HLD.

Route-Based VPN: Route-based VPN is generally more suitable for complex scenarios like yours, where you need granular control over the routing of specific traffic. It allows you to create multiple tunnels between the peers and control the routing based on various parameters.

BGP with AS-Prepend: Using BGP is a good approach for dynamic routing and achieving failover. You can configure the 3rd-party servers to participate in BGP and use AS-Prepend to influence the routing decisions. By prepending your AS number multiple times to the announcements, you can make one tunnel the preferred path for traffic to A.A.A.A servers and the other tunnel the preferred path for traffic to B.B.B.B servers. With the combination of route-based VPN and BGP, you can achieve automatic failover. BGP will continuously monitor the reachability of the 3rd-party servers, and in case one tunnel or server goes down, BGP will adjust the routing accordingly. This way, traffic will automatically flow through the available active tunnel.


Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Aaida
Level 1

Thank you, it is helpful. So, to be clear:

The mode should be route-based VPN. Also, auto failover can be achieved just by creating a BGP prepended configuration. Please let me know any other key config required to achieve my goals.

Aaida_1-1686667791699.png

Aaida
Level 1

Hi @MHM Cisco World, is there any issue with routing separately, without passing through the primary for server B.B.B.B?

I don't get your last reply totally, but the red line I added to your topology is needed to redirect traffic from one router to the other. So is there any interconnect between the routers?

Yes, those are interconnected, but we don't want to send traffic for server B to router A1 first and then to router B1. We want to send server A traffic to router A1 and server B traffic to router B1 directly.

Aaida_1-1686667791699.png
No need to send; the redirect only happens on the client side.

I will share a lab with you with the config as it should be.

That will help, thank you so much.

Hi,

The main question: where is the gateway for the subnet? How do you plan to route towards DC1 or DC2 until the traffic reaches the routers? Are routers A1/B1 the same device?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Hi @Kanan Huseynli, both A1 and B1 are separate devices. If we advertise server A in router A's BGP and server B in router B's BGP, it will propagate to the other routers. In this way, the corresponding traffic will reach the corresponding router. Using BGP prepend we can prioritize routes, and this will help with auto failover.

AS-path prepend, and also any other routing manipulation, has meaning when you advertise the same route.

You advertise different routes/prefixes, don't you? If you advertise different routes, you should have a different mechanism to reach the DC servers. And in general, how do users try to reach the remote server? By hostname (DNS), by IP in the URL, or what?

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
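The two points above from M02@rt37 (AS-path prepend steers each prefix to its preferred tunnel and gives failover) and from Kanan Huseynli (prepend only matters when the same prefix is received over both tunnels) can be checked with a small model of the BGP AS-path tie-break. The script below is an added example, not a configuration from the thread or from any poster; the ASN 65002, the tunnel names and the two advertisement sets are constructed, and the prefixes A.A.A.A and B.B.B.B are the placeholders used in the thread. It reduces BGP best-path selection to the AS-path-length step, which is the only step the prepend influences.

```python
"""Toy model of BGP best-path selection over two active VPN tunnels.

Only the AS-path-length comparison is modelled; weight, local-preference,
MED and the later tie-breaks are ignored so the effect of prepending is
isolated. Every value here is constructed for the example.
"""
from dataclasses import dataclass

REMOTE_AS = 65002  # constructed ASN for the 3rd party that owns both servers
TUNNEL_A = "tunnel_A"  # primary peer <-> primary peer
TUNNEL_B = "tunnel_B"  # secondary peer <-> secondary peer


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # leftmost ASN is the neighbour that sent the update
    next_hop: str   # tunnel the update was received over


def prepended(times: int) -> tuple:
    """AS path as seen locally when the remote side prepends its own ASN `times` extra times."""
    return (REMOTE_AS,) * (1 + times)


# Case 1: both remote peers advertise BOTH prefixes, each prepending the
# prefix it is not primary for. This is what makes prepend meaningful.
DUAL_ADVERTISEMENTS = (
    Route("A.A.A.A/32", prepended(0), TUNNEL_A),
    Route("B.B.B.B/32", prepended(3), TUNNEL_A),
    Route("A.A.A.A/32", prepended(3), TUNNEL_B),
    Route("B.B.B.B/32", prepended(0), TUNNEL_B),
)

# Case 2: each remote peer advertises ONLY its own server. Prepending is
# irrelevant here because no prefix is ever compared across tunnels.
SINGLE_ADVERTISEMENTS = (
    Route("A.A.A.A/32", prepended(0), TUNNEL_A),
    Route("B.B.B.B/32", prepended(0), TUNNEL_B),
)


def best_path(candidates):
    """Shortest AS path wins; the tunnel name stands in for the router-ID tie-break."""
    return min(candidates, key=lambda r: (len(r.as_path), r.next_hop))


def build_rib(advertisements, up_tunnels):
    """Keep only updates from tunnels that are up, then pick one best route per prefix."""
    by_prefix = {}
    for route in advertisements:
        if route.next_hop in up_tunnels:
            by_prefix.setdefault(route.prefix, []).append(route)
    return {prefix: best_path(routes) for prefix, routes in by_prefix.items()}


def chosen_tunnels(up_tunnels, advertisements=DUAL_ADVERTISEMENTS):
    """Map each reachable prefix to the tunnel BGP would forward it over."""
    return {prefix: route.next_hop for prefix, route in build_rib(advertisements, up_tunnels).items()}


if __name__ == "__main__":
    both_up = {TUNNEL_A, TUNNEL_B}
    print("both up, dual advertisements:  ", chosen_tunnels(both_up))
    print("tunnel A down, dual adverts:   ", chosen_tunnels({TUNNEL_B}))
    print("tunnel A down, single adverts: ", chosen_tunnels({TUNNEL_B}, SINGLE_ADVERTISEMENTS))
```

With both tunnels up, the dual-advertisement case sends A.A.A.A over tunnel A and B.B.B.B over tunnel B, which is the asymmetric split the original post asks for; when tunnel A is withdrawn, A.A.A.A falls back to the longer path over tunnel B. In the single-advertisement case the same tunnel loss simply removes A.A.A.A from the table, which is Kanan Huseynli's point: the 3rd party has to advertise each server prefix over both tunnels for the prepend (on Cisco IOS, a route-map with `set as-path prepend` applied outbound; exact syntax is not on this page) to buy any failover.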
