02-19-2020 01:44 AM
Hi,
We have one Cisco 4331 VPN router at a site, and we are looking for a backup link to be installed from a different ISP, so we will have primary and backup internet links from two different providers. Can we configure both of these links on the existing 4331 router? Or are additional features needed, such as a network card?
Usually in this case I would just order two routers in a dual setup with failover. But I am just wondering whether it is in fact possible to do this on one router?
Thanks in advance
02-19-2020 03:44 AM - edited 02-19-2020 03:49 AM
Hi,
It looks like you are using the ISP link to build the remote-site VPN, and you would like to find out whether you could use both ISP links for resilience.
Indeed, if you have two WAN links but they are centralized in one router, you still have a single point of failure at your router (even though you are paying for two WAN links); you should evaluate whether you / your company accept that risk or not.
First, check whether your 4331 router has enough Ethernet ports to pick up both links; alternatively, you could implement "router on a stick" if you do not have enough interfaces.
I assume both ISP links use different public IP address space, and you could consider building two VPN tunnels, one over each ISP, to your remote site. That way, traffic passing through the 1st tunnel will use the 1st ISP, and vice versa. After that, you can configure IP SLA or run a dynamic routing protocol to control which tunnel the data traffic flows through (e.g. when the 1st tunnel is down, data should flow through the 2nd tunnel).
That's the idea, and below is a configuration reference for the router choosing a different ISP to build each VPN:
Assume:
IP address of Your router's ISP A: A.A.A.A (ISP router/gateway: A.A.A.254)
IP address of your router's ISP B: B.B.B.B (ISP router/gateway: B.B.B.254)
remote site VPN gateway: C.C.C.C
! Identify the VPN control and data traffic (IKE on UDP/500, ESP, and ICMP for testing)
! that this router originates from each ISP address towards the remote gateway
ip access-list extended VPN_over_ISP_A
 permit icmp A.A.A.A 0.0.0.0 C.C.C.C 0.0.0.0
 permit esp A.A.A.A 0.0.0.0 C.C.C.C 0.0.0.0
 permit udp A.A.A.A 0.0.0.0 C.C.C.C 0.0.0.0 eq 500
 permit udp A.A.A.A 0.0.0.0 eq 500 C.C.C.C 0.0.0.0
ip access-list extended VPN_over_ISP_B
 permit icmp B.B.B.B 0.0.0.0 C.C.C.C 0.0.0.0
 permit esp B.B.B.B 0.0.0.0 C.C.C.C 0.0.0.0
 permit udp B.B.B.B 0.0.0.0 C.C.C.C 0.0.0.0 eq 500
 permit udp B.B.B.B 0.0.0.0 eq 500 C.C.C.C 0.0.0.0
!
! Local policy routing: router-originated VPN traffic sourced from ISP A's address
! leaves via ISP A's gateway, and likewise for ISP B; everything else follows the routing table
route-map LOCAL_POLICY permit 10
 match ip address VPN_over_ISP_A
 set ip next-hop A.A.A.254
route-map LOCAL_POLICY permit 20
 match ip address VPN_over_ISP_B
 set ip next-hop B.B.B.254
route-map LOCAL_POLICY permit 30
ip local policy route-map LOCAL_POLICY
!
! IKEv1 phase 1 (authentication pre-share is required, otherwise the policy defaults to RSA signatures
! and the pre-shared key below is never used)
crypto isakmp policy 10
 encr aes 128
 authentication pre-share
 group 14
 hash sha
crypto isakmp key PSK_PASSCODE address C.C.C.C
!
! Phase 2 transform set and the IPsec profile that the tunnel interfaces reference
crypto ipsec transform-set VPN_PHASE2 esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile VPN_PROFILE
 set transform-set VPN_PHASE2
!
! One VTI per ISP: the tunnel source decides which ISP address (and therefore which ISP) carries the tunnel.
! On an ISR 4331 the onboard ports are named GigabitEthernet0/0/x; Gi0/1 and Gi0/2 are used here as placeholders.
interface Tunnel1
 tunnel source Gi0/1
 ! e.g. ISP A
 tunnel destination C.C.C.C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
 ! <other VPN config is omitted>
interface Tunnel2
 tunnel source Gi0/2
 ! e.g. ISP B
 tunnel destination C.C.C.C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
 ! <other VPN config is omitted>
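The IP SLA based failover that the reply above mentions but does not show, written out as an added example (this is not part of the original reply). It assumes the two Tunnel interfaces from the reply, tunnel addressing 10.255.1.0/30 and 10.255.2.0/30 (the remote end holds .2 of each /30), and a remote LAN of 192.168.100.0/24; those addresses are assumptions, not values from the thread.

```cisco
! Underlay: one default route per ISP. ISP A is preferred; ISP B is a floating static (AD 10)
! that only takes over when ISP A's gateway route disappears. Combined with the LOCAL_POLICY
! route-map in the reply, each tunnel still leaves via its own ISP while both are up.
ip route 0.0.0.0 0.0.0.0 A.A.A.254
ip route 0.0.0.0 0.0.0.0 B.B.B.254 10
!
! Tunnel addressing (assumed /30s; the remote router uses 10.255.1.2 and 10.255.2.2)
interface Tunnel1
 ip address 10.255.1.1 255.255.255.252
interface Tunnel2
 ip address 10.255.2.1 255.255.255.252
!
! Probe the far end of Tunnel1. The target is a connected address of Tunnel1, so the probe can only
! ever leave through Tunnel1 and cannot be answered via Tunnel2 after a failover (which would make
! the track flap). A VTI already goes down when its IPsec SAs are lost; the probe additionally catches
! a tunnel that is up/up but not forwarding.
ip sla 1
 icmp-echo 10.255.1.2 source-interface Tunnel1
 frequency 10
 timeout 2000
ip sla schedule 1 life forever start-time now
!
! Dampen the transitions so one lost probe does not move production traffic
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Remote LAN: primary via Tunnel1 while track 1 is up, floating route via Tunnel2 otherwise
ip route 192.168.100.0 255.255.255.0 Tunnel1 track 1
ip route 192.168.100.0 255.255.255.0 Tunnel2 10
!
! Checks after applying:
!   show track 1                      -> "Reachability is Up", route installed
!   show ip sla statistics 1          -> recent RTTs, no "Number of failures" growing
!   show ip route 192.168.100.0       -> next hop Tunnel1; switches to Tunnel2 once track 1 goes down
!   show crypto session               -> two sessions, one per local public address
```

Two points to keep in mind with this layout. The remote gateway C.C.C.C must be configured with two tunnels of its own, one whose peer is A.A.A.A and one whose peer is B.B.B.B, since a VTI is identified by its source and destination pair; a single tunnel on the far side will only ever come up over one ISP. And the LOCAL_POLICY route-map only steers traffic that this router originates, so if the remote side initiates IKE it must do so towards the address of the ISP it wants that tunnel to use.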