
Crypto overriding static route

Fergal Meehan
Level 1

Hi,

I have a 1900 router in a remote location with one LAN and two external connections A & B.

Connection A is a wireless point to point back to HQ (layer 2)

Connection B is a DSL running an IPSEC VPN back to HQ (layer 3)

Connection A is the live link running layer 2 so the HQ subnet is spanned out to the remote location.

I want to make the remote site layer 3 and use Connection B as a backup.

But how can I run both connections for redundancy without the crypto taking precedence over the wireless point to point, which will have a default static route with metric 1, whereas the VPN will be a default route with metric 2?

Is there a command or config to allow the routes to get checked first before the crypto? I hope I have explained this well enough.

Thanks

F

4 Replies

Kelvin Willacey
Level 4

I can't really picture this. Do the clients at the remote location have the same IP addressing as the clients at the head office? Does the remote location access the Internet through the head office?

In any case, using static routes will require you to manually make a change whenever a link fails. It may be best to run a routing protocol over the wireless link, or static routes with tracking, and have a backup default route that points to the head office over the DSL link.

Lei Tian
Cisco Employee

Hi Fergal,

An IPSec VPN as a backup link is a normal setup; this should work fine. Can you post your remote router's config, maybe just something simple?

HTH,
Lei Tian

Sent from Cisco Technical Support iPhone App

Hi Lei Tian,

I haven't implemented this solution yet, but speaking with others, apparently crypto does take precedence over a static route.

Is there documentation anywhere to prove this? I proposed the solution to the customer thinking the very same as you stated, but now I'm doubtful.

Fergal

Hi Fergal, just keep in mind that routing has to take place before you can encrypt; in other words, the router has to determine the exit interface for the destination before encryption can be applied, which means that if you have a static route that sends traffic over your primary link, then that is where the traffic will go. If the primary link is down/disconnected, will you be able to send traffic over the backup link, whether manually or automatically? My thoughts on how to accomplish that are in my previous post.

I believe there is an order of operation document for routers somewhere, I will see if I can find it.
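The two points made in this thread (tracked static routes with a floating backup over the DSL link, and the fact that the router picks the exit interface before the crypto map on that interface ever sees the packet) can be shown in one remote-router configuration. The config below is an added example written for this thread; it is not Fergal's router config and not a Cisco document. Interface names, the 10.0.0.0/30 wireless subnet, the 192.168.10.0/24 remote LAN, the 10.1.0.0/16 HQ LAN, the 203.0.113.1 peer address and the pre-shared-key placeholder are all constructed assumptions. Note that what the question calls "metric 1 / metric 2" is the administrative distance on an IOS static route; 250 is used here for the floating route, but any value higher than the primary's 1 works.

```cisco
! Constructed addressing (assumptions for this example, not from the thread):
!   Remote LAN   192.168.10.0/24  on GigabitEthernet0/2
!   Wireless P2P 10.0.0.0/30      remote 10.0.0.2, HQ 10.0.0.1, on GigabitEthernet0/0
!   DSL / IPsec  Dialer0          HQ VPN peer 203.0.113.1, HQ LAN 10.1.0.0/16
!
interface GigabitEthernet0/0
 description Connection A - wireless point-to-point to HQ (primary, no crypto)
 ip address 10.0.0.2 255.255.255.252
!
interface GigabitEthernet0/2
 description Remote LAN
 ip address 192.168.10.1 255.255.255.0
!
interface Dialer0
 description Connection B - DSL, IPsec to HQ (backup)
 ip address negotiated
 crypto map HQ-VPN
!
! --- IPsec policy (only packets already routed OUT Dialer0 are matched) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PRE-SHARED-KEY-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set HQ-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: remote LAN to HQ LAN only. The probe below (sourced from
! 10.0.0.2) deliberately does NOT match, so it can never succeed via the VPN.
ip access-list extended HQ-CRYPTO-ACL
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
!
crypto map HQ-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set HQ-TS
 match address HQ-CRYPTO-ACL
!
! --- Reachability probe across the wireless link ---
ip sla 1
 icmp-echo 10.0.0.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Damp flapping: declare the link down after 10 s, back up only after 30 s.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route: tied to BOTH the interface and the next hop, so it is
! withdrawn if the wireless interface goes down OR the probe fails.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 10.0.0.1 track 1
!
! Floating default route (AD 250): installed only when the primary is gone.
! Once traffic is routed out Dialer0, the crypto map encrypts what matches
! HQ-CRYPTO-ACL; while the primary route is present, the crypto map is never
! consulted because the packets never leave via Dialer0.
ip route 0.0.0.0 0.0.0.0 Dialer0 250
```

To verify the behaviour Kelvin describes, check `show track 1` and `show ip route 0.0.0.0` while the wireless link is up (the default should point at GigabitEthernet0/0 and `show crypto session` should show no active SA for HQ traffic), then `shutdown` GigabitEthernet0/0 or block the probe and repeat: within the `delay down` window the floating route takes over and the IPsec SA to 203.0.113.1 is built on demand. The HQ side needs the mirror image (prefer the wireless path to 192.168.10.0/24, fall back to the VPN), otherwise return traffic stays asymmetric after a failover.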
