1018 Views · 0 Helpful · 4 Replies

Default Routes / Load Balance / VPN Users

CsiCiscoAdmin (Level 1)

Hello everyone, my first question here ...

I have a 2801 router (IOS 15.1) with one WIC card and one Ethernet card, and both are connected to their own ISPs. The WIC card is connected to a 1.5 MB T1 and the Ethernet card is connected to 4 bonded 1.5 MB T1's for a 6 MB circuit. My goal in this setup is to have my internal LAN employees use the 6 MB interface for Internet browsing by using metrics on my (2) default gateways. I will have the 1.5 MB interface with a higher metric.

My trouble comes in when my VPN users connect to the LAN via the 1.5 MB interface. How can, or will, my 2801 know that traffic coming in the 1.5 MB interface needs to go back out that same 1.5 MB interface? I do not believe the VPN clients will work if the traffic goes back out the 6 MB interface because of the metric setup. Any suggestions or recommendations? In the end I will move my VPN users to the bigger pipe, but even when I do I will want to make sure that all of the traffic of the VPN session always goes over the same interface it was initiated on. Can this work, or is there a better way?


4 Replies

cflory (Level 1)

Since you're specifying two default routes on the same router, you may get some asymmetric routing as it relates to VPN traffic. Is there a pool of addresses you're assigning to your VPN clients? If so, you could just add a static route to those clients via the 1.5 circuit, and you won't have to worry about it routing over the 6Mb circuit.

However, if you're ultimately wanting to use both circuits to provide dual paths for your VPN clients, there will be a problem, as each circuit will have a different IP address and IPSec will take issue with that.

You could assign a pool of addresses per circuit in your VPN configuration and just add the appropriate routes for the correct path. So, if you get VPN clients on the 1.5 circuit, you get a pool of addresses to work from, and a subsequent static route on the router for that pool. Same with the 6Mb circuit.

...If I'm understanding you correctly.

HTH!

-Chris

CsiCiscoAdmin

Chris,

Thanks for the reply. I understand your advice and believe it will work; however, that can only work after the tunnel building is completed? Does that sound correct? How will I make sure the packets for building the tunnel will follow the same interface?

Here's something else that I thought may work for me. Let me know if you see a hole in it (besides inconvenience). If I bring my VPN users in over the 6 MB pipe, the traffic is guaranteed to go back out the same interface because of the metric. If the 6 MB circuit fails, the traffic will go out the 1.5 MB pipe by default because the other route is down. Then VPN users will have to use the "backup VPN" connection at the client side (1.5 MB), and they will have traffic going back to them because there is only one outbound route at that time. When the 6 MB comes back they will have to reconnect to the primary link again.

cflory (Accepted Solution)

If your static routes are configured appropriately, per pool, then the clients should follow the appropriate path for which they came in on.

In your scenario, if the 6Mb circuit fails, the static route for the 6Mb pool is no longer valid (assuming the interface drops; if it's a problem upstream and the interface remains up, then that's another issue). So, VPN clients will utilize the 1.5Mb circuit, as you alluded to.

Unfortunately, if the 6Mb circuit fails, users would have to reestablish their VPN session with the router (since the 1.5Mb circuit has a different IP).

You could create a DNS round-robin host; however, sometimes it would prefer the 1.5Mb over the 6Mb, so that won't help you much. I don't know of a way to set a weight to a DNS A record, unless your DNS hosting provider has some tools.

CsiCiscoAdmin

Chris,

Apologies for the delay in responding, I've been busy. I ended up sending all traffic over the 6Mb circuit for now. However, I will take your suggestion and create two separate crypto maps and two IP pools to separate the VPN traffic per circuit. I'll use the 6Mb as primary and 1.5Mb as secondary during a failed 6Mb line. I currently have a stable setup on the 6Mb side and will slowly separate traffic per protocol outbound over the 1.5 Mb, like audio and such. I greatly appreciate the conversation.
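The design the thread converges on (two default routes with a higher distance on the T1, one client pool per circuit with a static route per pool, and two crypto maps, one per outside interface) as an added IOS configuration sketch; this is not from the original thread or any poster, and interface names, addresses, pool ranges and group names are assumptions for illustration (what the thread calls a "metric" on a static route is administrative distance in IOS).

```cisco
! Assumed layout: Fa0/0 = 6 Mb bonded circuit, Se0/0/0 = 1.5 Mb T1.
! Addresses below use documentation prefixes and are placeholders.
! Default routes: primary out the 6 Mb circuit, floating static (AD 10)
! out the T1 so it is installed only when the Fa0/0 route goes away.
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 Serial0/0/0 10
! One client pool per circuit, and a static route per pool pointing
! out the interface that pool's tunnels terminate on (the crypto map
! on that interface then encrypts the return traffic).
ip local pool POOL_6MB 10.10.6.1 10.10.6.254
ip local pool POOL_T1  10.10.1.1 10.10.1.254
ip route 10.10.6.0 255.255.255.0 FastEthernet0/0 203.0.113.1
ip route 10.10.1.0 255.255.255.0 Serial0/0/0
aaa new-model
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUPS local
username vpnuser secret REPLACE_WITH_STRONG_SECRET
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
! Two client groups, one per circuit: the client's primary profile uses
! the 6 Mb group and public IP, its backup profile the T1 group and IP.
crypto isakmp client configuration group VPN_6MB
 key REPLACE_WITH_GROUP_KEY
 pool POOL_6MB
crypto isakmp client configuration group VPN_T1
 key REPLACE_WITH_GROUP_KEY
 pool POOL_T1
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto dynamic-map DYN_6MB 10
 set transform-set TS
crypto dynamic-map DYN_T1 10
 set transform-set TS
! Two crypto maps, one per outside interface, each with its own dynamic map.
crypto map CM_6MB client authentication list VPN_XAUTH
crypto map CM_6MB isakmp authorization list VPN_GROUPS
crypto map CM_6MB client configuration address respond
crypto map CM_6MB 10 ipsec-isakmp dynamic DYN_6MB
crypto map CM_T1 client authentication list VPN_XAUTH
crypto map CM_T1 isakmp authorization list VPN_GROUPS
crypto map CM_T1 client configuration address respond
crypto map CM_T1 10 ipsec-isakmp dynamic DYN_T1
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.252
 crypto map CM_6MB
interface Serial0/0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map CM_T1
```

Caveat on the unanswered question about tunnel setup: the pool routes only steer traffic destined for the client's tunnel address, while IKE and ESP replies to the client's public Internet address still follow the default route, so while both circuits are up a session that arrived on the T1 can be answered out the 6 Mb circuit unless local policy routing (`ip local policy route-map`) matching the T1's source address pins it back. That asymmetry is why treating the T1 strictly as the failover path, as the thread concludes, is the simpler arrangement.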
