Cisco 4000 series possibility of using 2 internet links

amoth00011
Level 1

Hi,

 

We have one Cisco 4331 VPN router at a site. We are looking for a backup link to be installed from a different ISP, so we will have primary and backup internet links from 2 different providers. Can we configure both of these links on the existing 4331 router? Or are additional features needed, such as a network card?

 

Usually in this case I would just order 2 routers as a dual setup with failover. But I am just wondering if it is in fact possible to perform on one router?

 

Thanks in advance


ngkin2010
Level 7

Hi,

Looks like you're using the ISP link to build the remote-site VPN, and would like to study whether you could utilize both ISP links for resilience purposes.

Indeed, if you have 2 WAN links but centralized in 1 router, you still have a single point of failure at your router (even though you are paying for two WAN links); you should evaluate whether you / your company accept the risk or not.

First, check if your 4331 router has enough Ethernet ports to pick up; or actually you could implement "router on a stick" if you don't have enough interfaces.

I assume both ISP links use different public IP address space, and you could consider building 2 VPN tunnels, one over each ISP, to your remote site, so that the traffic passing through the 1st tunnel will utilize the 1st ISP, and vice versa. After that, you may configure IP SLA or run a dynamic routing protocol to control which tunnel the data traffic flows through (e.g. when the 1st tunnel is down, data should flow through the 2nd tunnel).

That's the idea, and below is the configuration reference for the router choosing different ISPs to build the VPN:

Assume:
IP address of your router's ISP A: A.A.A.A (ISP router/gateway: A.A.A.254)
IP address of your router's ISP B: B.B.B.B (ISP router/gateway: B.B.B.254)
Remote site VPN gateway: C.C.C.C

! Match the IKE/ESP (and test ping) traffic the router itself sources
! from each ISP address towards the remote VPN gateway.
! (Add udp 4500 here if NAT-T is in use.)
ip access-list extended VPN_over_ISP_A
 permit icmp host A.A.A.A host C.C.C.C
 permit esp host A.A.A.A host C.C.C.C
 permit udp host A.A.A.A host C.C.C.C eq 500
 permit udp host A.A.A.A eq 500 host C.C.C.C

ip access-list extended VPN_over_ISP_B
 permit icmp host B.B.B.B host C.C.C.C
 permit esp host B.B.B.B host C.C.C.C
 permit udp host B.B.B.B host C.C.C.C eq 500
 permit udp host B.B.B.B eq 500 host C.C.C.C

! Policy-route the router's own traffic: packets sourced from A.A.A.A leave
! via ISP A's gateway, packets sourced from B.B.B.B via ISP B's gateway.
! Sequence 30 has no match/set, so everything else follows the routing table.
route-map LOCAL_POLICY permit 10
 match ip address VPN_over_ISP_A
 set ip next-hop A.A.A.254
route-map LOCAL_POLICY permit 20
 match ip address VPN_over_ISP_B
 set ip next-hop B.B.B.254
route-map LOCAL_POLICY permit 30

ip local policy route-map LOCAL_POLICY

! IKEv1 phase 1. "authentication pre-share" is needed because a PSK is used
! (the IOS default is rsa-sig); "hash sha" is SHA-1 in IOS syntax.
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 14

crypto isakmp key PSK_PASSCODE address C.C.C.C

! Phase 2: ESP with AES-128 and SHA-1 HMAC, referenced from an IPsec profile.
crypto ipsec transform-set VPN_PHASE2 esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile VPN_PROFILE
 set transform-set VPN_PHASE2

! One VTI per ISP. The tunnel source decides which ISP address the tunnel's
! IKE/ESP packets carry, and therefore which route-map clause they hit.
interface Tunnel1
 ! tunnel source is the ISP A interface, e.g. Gi0/1
 tunnel source Gi0/1
 tunnel destination C.C.C.C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
 ! other VPN config is omitted

interface Tunnel2
 ! tunnel source is the ISP B interface, e.g. Gi0/2
 tunnel source Gi0/2
 tunnel destination C.C.C.C
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_PROFILE
 ! other VPN config is omitted

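The IP SLA-driven failover that the reply mentions but does not show, as an added example that is not part of the original post. The tunnel addressing (10.255.0.0/30 on Tunnel1, 10.255.0.4/30 on Tunnel2), the remote LAN prefix 192.168.100.0/24, the timers, and a mirrored configuration on the remote site are all assumptions.

```cisco
! Added example (not from the original post). Assumed addressing:
!   Tunnel1  10.255.0.1/30  (remote end 10.255.0.2)  over ISP A
!   Tunnel2  10.255.0.5/30  (remote end 10.255.0.6)  over ISP B
!   remote-site LAN 192.168.100.0/24
! The remote site is assumed to mirror this setup.

! Dead peer detection, so a tunnel whose IKE peer stops answering goes
! line-protocol down instead of silently black-holing traffic.
crypto isakmp keepalive 10 3 periodic

! Probe the far end of tunnel 1 every 5 s, sourced from the local tunnel
! address so the echo is carried inside the IPsec tunnel itself.
ip sla 1
 icmp-echo 10.255.0.2 source-ip 10.255.0.1
 frequency 5
 timeout 2000
ip sla schedule 1 life forever start-time now

! Track object 1 follows the probe's reachability; the delays damp a
! single lost echo so the routes do not flap.
track 1 ip sla 1 reachability
 delay down 15 up 30

! Primary path: remote LAN via tunnel 1, withdrawn while track 1 is down.
ip route 192.168.100.0 255.255.255.0 10.255.0.2 track 1
! Floating static via tunnel 2 (AD 200), used only while the primary is gone.
ip route 192.168.100.0 255.255.255.0 10.255.0.6 200

! The probe target 10.255.0.2 sits on Tunnel1's connected /30, so the echo
! never follows the floating route; once tunnel 1 answers again the track
! comes back up and the primary route is reinstalled automatically.
```

Verify with show track 1, show ip sla statistics 1 and show ip route 192.168.100.0: while ISP A is out the next hop should read 10.255.0.6, and it should return to 10.255.0.2 once the probe is reachable again.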