You will need to configure

sreeraj.murali · ‎12-02-2016

Hi,

I am having GRE VPN Tunnel to US. At India,we have 2 Internet Circuit and hence running 2 tunnel to same US end point. I am able to achieve the HA for GRE VPN tunnel connectivity using EIGRP DELAY metric. But since, I am having a default route for the local Internet on the LAN Switch. There is difficulty in achieve the redundancy for local Internet connectivity. Please suggest, how to achieve this redundancy for local Internet Connectivity, when one of the Internet Circuit fails.

Attaching the rough network topology. Please suggest.

Junaid Shah · ‎12-02-2016

Run HSRP between routers and use default-gateway on LAN switch rather than default route.

So the primary router will have default route pointing to internet and then secondary default route pointing to second HSRP router local IP with high metric and then on secondary HSRP router you will also have default router pointing to ISP on that router but with metric higher than both primary HSRP router default routes

Junaid Shah · ‎12-02-2016

By metric above I meant Administrative distance and then you have to track it with IP SLA as well

Please rate helpful posts

sreeraj.murali · ‎12-04-2016

Thank you Junaid and tsheltonuk.

I have already achieved the failover for GRE Tunnel using EIGRP delay metric. Hope the HSRP works here as well, for achieving the failover for local Internet.

I am sharing the configuration for LAN Switch, VPN Router 1 and VPN Router 2. Could you please help with the hsrp configuration to achieve the Internet failover, without disturbing existing GRE Tunnel failover config.

sreeraj.murali · ‎12-04-2016

Also, I noticed that, the secondary Router have only 2 physical interface, which is already used. Can we use the loopback interface to track the neighbor for HSRP ?

tsheltonuk · ‎12-05-2016

Hi

I would use something like the config attached. This will basically cause the secondary router to kick in if the primary router cannot ping the other end of the tunnel at NY.

HTH

Tom

Junaid Shah · ‎12-05-2016

That's right you will also have to use IP SLA on routers for tracking so that if primary route goes down then the traffic should be shifted to secondary link

Junaid Shah · ‎12-05-2016

You will need to configure LAN Interface as trunk and then configure sub interfaces on VPN router and track HSRP on that so GI 0/0 LAN interface will be trunk on switch side and on router side it will be no routing port

VPN Router1:

interface GigabitEthernet0/0
 no ip address
 negotiation auto

interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 172.20.4.5 255.255.254.0
 ip helper-address (DHCP Server)
 ip nat inside
 standby 5 ip 172.20.4.1
 standby 5 priority 110
 standby 5 preempt delay minimum 60
 
 ip route 0.0.0.0 0.0.0.0 172.20.4.2 10 

Pretty much same config for VPN Router 2 except for ip address change on sub interface and HSRP priority will be low 90

LAN Switch

interface (whatever number)

description Trunk to VPN Router Gi0/0
 switchport mode trunk

ip default-gateway 172.20.4.1

I noticed that you are running EIGRP on LAN switch, is that an L3 LAN ? Above config is for L2 LAN, if connection between routers and LAN is via L3 and if you want to keep it that way then you will have to change metrics on routers so that VPN router1 is more preferable and VPN router2 is less


Please rate helpful posts. Thanks

tsheltonuk · ‎12-02-2016

Hi Sreeraj,

I agree to a point with Junaid's comments about using HSRP. However one thing to add is that when you are tracking an IP route tied to an SLA, you will need to add the route you are tracking as a static route on the primary router otherwise the IP SLA will never fail and therefore HSRP will not failover.

HTH

Regards

Tom

Backup Internet Connectivity