02-04-2010 09:48 AM - edited 03-04-2019 07:24 AM
Hello,
I have a 2800 branch router with two GRE/IPSEC tunnels back to dual headend routers for redundancy; EIGRP is the routing protocol.
I need to set up failover in the event one of the routers fails. I have two default routes back to the tunnels, but the secondary tunnel has a higher administrative distance.
When the primary tunnel went down, internet traffic was disrupted due to the default route pointing to this tunnel; the floating static didn't work as planned. And when the primary tunnel came back, we also experienced some asymmetrical routing, which of course impacted VOIP. The remote site is connected via satellite link.
Config on Branch:
! PRIMARY
interface Tunnel25
 description BOG-MARGE
 bandwidth 6000
 ip address 172.16.254.29 255.255.255.252
 no ip unreachables
 ip mtu 1476
 ip route-cache flow
 ip tcp adjust-mss 1388
 tunnel source FastEthernet0/1
 tunnel destination 172.16.253.2
!
! SECONDARY
interface Tunnel225
 description BOG-AGNES
 bandwidth 6000
 ip address 172.16.255.15 255.255.255.254
 no ip unreachables
 ip mtu 1476
 ip route-cache flow
 ip tcp adjust-mss 1388
 delay 600000
 tunnel source FastEthernet0/1
 tunnel destination 172.16.252.2
!
ip route 0.0.0.0 0.0.0.0 Tunnel25
ip route 0.0.0.0 0.0.0.0 Tunnel 225 200
!
Feedback is greatly appreciated!
02-04-2010 10:02 AM
Two things I can see here,
1) use tunnel keepalive to bring down the tunnel when the tunnel destination is not reachable.
http://www.cisco.com/en/US/docs/ios/12_2sb/feature/guide/sb_gretk.html
2) use the next hop IP address instead of the tunnel interface.
Regards,
jerry
02-04-2010 10:35 AM
Jerry,
I'm a newbie so please clarify:
The WAN interface is connected to a Satellite modem, we send all traffic into the GRE tunnel where it exits at main router and then is directed out to internet. So I am not sure if this will work for me.
02-04-2010 11:07 AM
Hi Jenny,
Since both of your Tunnel interfaces are L3 with their own IP address, I am suggesting that you point the static route to the next hop's IP address. It is just a suggestion.
The 1st comment is about how to prevent the Tunnel interface from blackholing traffic. If you are using keepalive, and the Tunnel doesn't receive a keepalive message from the remote end, it will bring the Tunnel to down/down, instead of blackholing the traffic like you are describing.
Regards,
jerry
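The two suggestions above applied to the branch configuration from the first post, as an added example that is not part of the original thread. The next-hop addresses 172.16.254.30 and 172.16.255.14 are assumed to be the far ends of the /30 and /31 tunnel subnets, and the keepalive timers (10 seconds, 3 retries) are example values.

```cisco
! Added example, constructed from the branch config in the first post.
! Assumptions: far-end tunnel addresses 172.16.254.30 (Tunnel25, /30) and
! 172.16.255.14 (Tunnel225, /31); keepalive timers are example values.
!
interface Tunnel25
 ! Send a GRE keepalive every 10 s; after 3 missed replies the
 ! line protocol goes down and routes through the tunnel are withdrawn
 keepalive 10 3
!
interface Tunnel225
 keepalive 10 3
!
! Replace the interface-based default routes with next-hop routes
no ip route 0.0.0.0 0.0.0.0 Tunnel25
no ip route 0.0.0.0 0.0.0.0 Tunnel225 200
ip route 0.0.0.0 0.0.0.0 172.16.254.30
! Floating static: administrative distance 200, so it is installed
! only when the primary default route has been withdrawn
ip route 0.0.0.0 0.0.0.0 172.16.255.14 200
!
! Verify from exec mode:
!   show interfaces Tunnel25     (line protocol state and keepalive setting)
!   show ip route 0.0.0.0        (which default route is installed)
```

The branch config in the first post shows no crypto commands; GRE keepalives are not supported together with `tunnel protection ipsec`, so check how the IPsec is applied before relying on them.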
02-04-2010 11:08 AM
Thanks again Jerry!