Backup Routing via ASA Site-to-Site VPN with RRI

jpeterson6
Level 2

Hello,

I'm in need of assistance in planning a new backup routing scenario between two WAN sites (Site A and Site B). I've attached an image with the basic topology of both sites.

The plan is that the primary link will be through the Leased Line. This is a Layer 3 connection. Should the link go down, all traffic from Site B will need to get to Site A via VPN between ASA1 and ASA2 (on the diagram). EIGRP is used through the network.

I figure I can set up RRI on ASA1, so that a route will be injected into EIGRP and be advertised to the router in Site A, with the goal being that traffic can be directed to the ASA instead of the Leased Line (from the router POV). I think I have an idea on how to do that from this document:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00809d07de.shtml

I'm having trouble wrapping my head around what to do in Site B, though. Any ideas or suggestions?

Also, I'm completely new to RRI: if the main link over the Leased Line comes back online after RRI does its thing, will the injected route go away, or will I have to manually intervene to get traffic routed properly again?

Thanks ahead of time for any insight into this.

Regards,

Jeff

3 Replies

Hi Jeff,

Just my thoughts on this. RRI is mainly used in Easy VPN server deployments for mobile users. In your case the setup will be a LAN-to-LAN (site-to-site) VPN tunnel, so simply using encryption domains should be good enough between the ASAs.

For example, let's assume you have 10.1.1.0/24 at Site B and 192.168.1.0/24 at Site A. Create a LAN-to-LAN tunnel between the ASAs using those networks in the encryption domain.

On the backup router, put a static route to 192.168.1.0/24 with the ASA as the next hop, and redistribute that into EIGRP with a bigger metric:

      router eigrp 10
       ! metric = bandwidth(kbps) delay(tens of us) reliability load MTU;
       ! the values below are example values, pick ones worse than the leased line
       redistribute static metric 1000 10000 255 1 1500

Let me explain why.

Let's say you need to get from Site B to the subnet 192.168.1.0/24, which is at Site A.

Now, once your primary link (HSRP active) goes down, or the subnet is not reachable via the primary link, the backup router at Site B (which now becomes HSRP active) will have the static route to it via the VPN. Once your primary link comes back up, EIGRP on the primary router will learn the subnet from the leased line, and so will the backup router, but because we have made the metric bigger on the backup router, the primary router will prefer the leased line.

May I suggest another way of setting up what you want to achieve, which is easier and more commonly preferred:

1. Create a GRE tunnel between the router in Site A and the backup router in Site B. You will also run IPsec over it to encrypt the traffic.

2. Run EIGRP on the tunnel interfaces and include your LAN in it as well. This will work as a point-to-point tunnel and you will have your Layer 3 routing over it.

The choice is yours. Let me know if you need more info on this; I can help you set it up.

HTH

Regards

Kishore

Please rate if helpful
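The first suggestion above (a static route on the Site B backup router toward the ASA, redistributed into EIGRP with a worse metric, and the two LANs as the ASA encryption domain) written out as a configuration. This is an added example, not config from the thread or from Cisco documentation. The LAN prefixes and EIGRP AS 10 come from the thread; the interface names, the ASA2 inside address 10.1.1.254, the ASA1 peer address 203.0.113.1, the IKE/IPsec parameters and the pre-shared key placeholder are assumptions. It also goes one step further than the post: the static is made floating (AD 200) and filtered with a route-map, so only this prefix is redistributed, and only while the leased line is actually down.

```cisco
! ---- Site B backup router (IOS) ----
! Assumed: GigabitEthernet0/1 is the Site B LAN, ASA2 inside = 10.1.1.254
!
! Floating static toward the Site A LAN via ASA2. AD 200 is higher than
! EIGRP internal (90) and external (170), so while the leased line is up
! the EIGRP-learned route wins, this static stays out of the RIB, and
! therefore nothing is redistributed. When the leased line fails the
! EIGRP route disappears, the static is installed and redistributed.
ip route 192.168.1.0 255.255.255.0 10.1.1.254 200 name VIA-ASA2-VPN
!
! Redistribute only this prefix, not every static on the box
! (a default route, for example).
ip prefix-list SITEA-VIA-VPN seq 5 permit 192.168.1.0/24
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list SITEA-VIA-VPN
!
router eigrp 10
 network 10.1.1.0 0.0.0.255
 ! Seed metric: bandwidth 1000 kbps, delay 10000 (x10 us), reliability 255,
 ! load 1, MTU 1500. Deliberately worse than the leased line path.
 redistribute static metric 1000 10000 255 1 1500 route-map STATIC-TO-EIGRP
!
! ---- ASA2 at Site B (ASA 9.x syntax) ----
! Encryption domain: the crypto ACL decides what enters the tunnel; the
! twice NAT rule keeps that traffic out of any dynamic NAT on "outside".
object network SITE-B-LAN
 subnet 10.1.1.0 255.255.255.0
object network SITE-A-LAN
 subnet 192.168.1.0 255.255.255.0
access-list L2L-SITEA extended permit ip object SITE-B-LAN object SITE-A-LAN
nat (inside,outside) source static SITE-B-LAN SITE-B-LAN destination static SITE-A-LAN SITE-A-LAN no-proxy-arp route-lookup
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITEA
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY-PLACEHOLDER>
```

ASA1 at Site A carries the mirror image (crypto ACL from 192.168.1.0/24 to 10.1.1.0/24, peer set to ASA2). To check the failover behaviour, pull the leased line on a maintenance window and run `show ip route 192.168.1.0` on the backup router: the route should flip from `D` (EIGRP) to `S` (static via 10.1.1.254), and `show crypto ipsec sa` on ASA2 should show the encaps counters climbing. With the AD 200 floating static the primary router's preference for the leased line no longer depends on the seed metric at all (internal AD 90 beats external AD 170), so the metric is belt-and-braces.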

Hmm, those don't sound like bad suggestions.

I forgot a key detail though that would be important and probably prevent your GRE tunnel suggestion from working: we unfortunately only have an ipbase license on the Site A router, so it is stuck in EIGRP STUB mode. It's a 3750X and it costs way too much money to upgrade to ipservices at this time, so I'm trying to find a solution that will work without moving devices around (we have an ipservices router at another site, not in the diagram).

Having said that, I'm pretty sure your first suggestion will still work. What if the primary HSRP router in site B is up but the link itself goes down (ISP issue)? Will the floating static route still become the active route through the 'backup' router, and essentially through the VPN?

I'm also assuming you are suggesting I do something similar to Site A (floating static?)


> What if the primary HSRP router in site B is up but the link itself goes down (ISP issue)? Will the floating static route still become the active route through the 'backup' router, and essentially through the VPN?
>
> I'm also assuming you are suggesting I do something similar to Site A (floating static?)

You use something called HSRP object tracking, where you track your WAN interface. When that goes down, HSRP will detect the failure and fail over to the backup router, which will become the Active router. Once the interface comes back up, HSRP will preempt and the primary router will become the Active router again.

Please see the link below on HSRP tracking and preemption:

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8c.shtml

HTH

Regards

Kishore
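The HSRP object tracking and preemption described in the reply above, as an added example that is not config from the thread or from the linked Cisco note. Interface names, addresses (HSRP group 1, virtual IP 10.1.1.1, primary 10.1.1.2, backup 10.1.1.3), priorities and the Site A probe target 192.168.1.1 are assumptions. The last part goes slightly beyond the reply: because line-protocol tracking only fires when the local interface itself goes down, it adds an IP SLA reachability track for the case Jeff asked about, where the ISP fails somewhere beyond the local circuit.

```cisco
! ---- Site B primary router (IOS) ----
! Assumed: GigabitEthernet0/0 = leased-line WAN, GigabitEthernet0/1 = Site B LAN
!
! Track 1 follows the WAN interface line protocol.
track 1 interface GigabitEthernet0/0 line-protocol
!
interface GigabitEthernet0/1
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 ! Preempt so this router takes Active back once the WAN returns; the
 ! minimum delay gives EIGRP time to reconverge over the leased line
 ! before hosts are steered back to this router.
 standby 1 preempt delay minimum 60
 ! On track failure drop to 90, below the backup router's 100.
 standby 1 track 1 decrement 20
!
! Track 2 follows reachability of the Site A router across the leased
! line, so a failure that leaves the local circuit up is still detected.
ip sla 10
 icmp-echo 192.168.1.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 10 life forever start-time now
track 2 ip sla 10 reachability
 ! Avoid flapping: wait before declaring the path up/down.
 delay down 15 up 30
!
interface GigabitEthernet0/1
 standby 1 track 2 decrement 20
!
! ---- Site B backup router (IOS) ----
! Default priority 100; preempt so it becomes Active as soon as the
! primary's priority falls below 100, and gives it back on recovery.
interface GigabitEthernet0/1
 ip address 10.1.1.3 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 100
 standby 1 preempt
```

Verify with `show standby brief` on both routers (the Active column should move to the backup when either track goes down) and `show track` on the primary (track 1 or 2 reports Down, and the HSRP priority shown in `show standby` drops by 20). The failover is only useful if the backup router then actually has a path to Site A, which is what the floating static toward the ASA in the earlier reply provides.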
