Disaster Recovery - Redundant VPN Tunnels

Hello all, thanks in advance for your expertise.

We are setting up a disaster recovery site which will host redundant copies of our servers and critical data in Kansas City.  In the case of a disaster, our headquarters site would be totally gone. 

Currently we have 7 branch offices that communicate to our HQ via VPN tunnels (either over an Internet circuit, or over a Cox Communications Ethernet WAN circuit). The branch sites each have a Cisco 2821 ISR router. At the headquarters and at the DR site, we use a Cisco ASA 5510 to terminate the VPN tunnels and do all of our backbone routing. Routing on the ASA and on the branch routers is all static; using a routing protocol would be a nice upgrade in the future. Any ideas? We use LAN-to-LAN IPsec VPN tunnels; no GRE/VPN is in use because the ASA does not terminate it.

What is the best way to setup my branch routers to automatically or manually fail-over to connect to a different ASA at the DR site?

Also, if my headquarters site is still up but either my Internet circuit or the Cox Ethernet circuit at the headquarters goes down, how can I re-route all traffic in a loop back to the headquarters over the one good remaining circuit?

Is there a better way to do what I want to accomplish? BGP is not an option at this point due to its complexity.

[Attachment: KCOEWan - DR Simple.png]

Accepted Solution
Rising star

Re: Disaster Recovery - Redundant VPN Tunnels

Hi,

You need to set up two site-to-site VPN tunnels from the branches to the headquarters and the DR sites, with IP SLA tracking.

So each branch will trigger a failure of any of its WAN links dynamically, without the need of manual intervention.

You would also need to set up LAN-to-LAN IPsec between your HQ and the DR to be used for detouring traffic in case of any WAN failure.

However, from a design approach, I would suggest a different way, but this depends on your future plan. In any way, the above should be a solution with your current setup.

Regards,

Mohamed
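Mohamed's approach on the branch side, as an added example that is not from this thread: a 2821 crypto map listing the HQ ASA first and the DR ASA second, with DPD for peer failover and an IP SLA probe through the tunnel whose track object makes the failover visible. All addresses, names and the pre-shared-key placeholder are constructed; it assumes an IOS release that accepts `track ... ip sla` (older releases spell it `rtr`), and the ASAs at HQ and DR need the mirror-image L2L entries for the branch.

```cisco
! Branch 2821 router (constructed example; all addresses are RFC 5737 /
! RFC 1918 values chosen for this illustration, not values from the thread)
!   Branch LAN 10.7.0.0/24   HQ servers 10.1.0.0/16   DR servers 10.2.0.0/16
!   HQ ASA peer 203.0.113.10   DR ASA peer 198.51.100.10   WAN next hop 192.0.2.1
!
! Dead Peer Detection: when the HQ ASA stops answering, IKE tears the SA
! down and the crypto map moves on to the next listed peer (the DR ASA).
crypto isakmp keepalive 10 3 periodic
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key <PSK-PLACEHOLDER> address 203.0.113.10
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.10
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Interesting traffic covers both hub LANs, so the same map entry works
! whichever peer is active (the ASAs need the mirror-image L2L config).
ip access-list extended VPN-ACL
 permit ip 10.7.0.0 0.0.0.255 10.1.0.0 0.0.255.255
 permit ip 10.7.0.0 0.0.0.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-ACL
!
interface GigabitEthernet0/0
 description WAN circuit (Internet or Cox)
 ip address 192.0.2.2 255.255.255.252
 crypto map VPNMAP
!
! IP SLA probe sourced from the branch LAN address so it matches VPN-ACL and
! rides the tunnel: it keeps the SA up and proves end-to-end reachability
! to an HQ host rather than only to the ASA's outside address.
ip sla 10
 icmp-echo 10.1.0.1 source-ip 10.7.0.1
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! The track object logs every Up/Down transition (%TRACKING-5-STATE);
! forward those to syslog/monitoring so a hub failover is visible.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1
```

`show crypto isakmp sa` shows which peer currently holds the SA, and `show track 10` shows the probe state and its last change.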

6 Replies
Contributor

Disaster Recovery - Redundant VPN Tunnels

Anybody?

Advocate

Re: Disaster Recovery - Redundant VPN Tunnels

Research GRE over VPN or DMVPN

Contributor

Re: Disaster Recovery - Redundant VPN Tunnels

I have, and it looks like they are limited to Cisco IOS routers. I am terminating my VPN tunnels at the headquarters and DR site with a Cisco ASA. The ASA does not support GRE over VPN.

Contributor

Re: Disaster Recovery - Redundant VPN Tunnels

Thanks for your reply Mohamed,

I like your plan as well. I think I'll be going that route.

From a design approach, what suggestions would you make? How would you change the design?

Lucas

Rising star

Re: Disaster Recovery - Redundant VPN Tunnels

Lucas,

There are some limitations in your current design. Also, I wouldn't rely on static routing in all of my configuration here.

For example, with the current setup, you can't have multicast deployed, which is one of the main deployments nowadays.

What I would do here, if it's a choice, is to terminate all WAN links at the HQ and DR sites on WAN routers that support DMVPN. Or, if that's not possible, then have GRE tunnels over IPsec from the branches to both hubs.

We have recently designed and implemented a similar setup over L3 MPLS VPN; I had BGP running between my HQ and DR site links, with additional tuning to trigger a failure faster than it normally does.

I still have the same firewalls in place providing additional protection to both the DMZ and internal users. But this protection is only from the Internet, since I have already secured the WAN.

Regards,

Mohamed
