01-07-2024 07:25 PM
I have 1 router in which there is 1 physical interface with an IPsec tunnel to another site.
I want to have another router for redundancy.
What is a possible design?
01-08-2024 03:04 AM - last edited on 01-10-2024 01:28 AM by Translator
Under the same crypto map:
set peer x.x.x.x
set peer y.y.y.y
When the peer x.x.x.x is down, the crypto map will try with y.y.y.y.
That's it.
MHM
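The two-peer crypto map from the answer above, written out as a fuller IOS configuration fragment. This is an added example, not part of the original post: the addresses (documentation ranges), the names CMAP, TS-AES256 and VPN-TRAFFIC, the interface, and the key placeholder are all assumptions. It also adds dead peer detection, since without it the router is slow to notice that the first peer is gone.

```ios
! Added example; all names and addresses are placeholders, not from the thread.
! IKEv1 policy shared by both remote peers
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! A key is needed for each peer the crypto map may fall back to
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! Dead peer detection: probe every 10 s, retry every 3 s, so a dead
! peer is detected quickly instead of waiting for the SA to expire
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: local LAN to remote LAN (placeholder subnets)
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! One crypto map entry, two peers: the first is tried first,
! the second is used when the first is declared dead
crypto map CMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 198.51.100.1
 set transform-set TS-AES256
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map CMAP
```

This covers failover between two remote peers from one local router; the far-end devices each need a matching policy, key and mirrored access list.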
01-08-2024 02:25 AM
Hello,
What do you mean by IPSec tunnel? Is this a DMVPN topology? If so, a dual hub/single cloud would work.
01-09-2024 07:23 AM
I know what a dual hub is, but what is a single cloud?
01-08-2024 03:19 AM
Hello
Can you elaborate a little on the topology you are suggesting?
Will this be a single/multiple local rtrs with single/dual homed external connections?
What routing process are you using?
01-08-2024 07:24 AM
Possible design depends on how much redundancy you want to achieve.
You mention using another router for redundancy. Okay, that's fine, but what about redundancy to/from the dual routers, both on the inside and outside of these routers? For example, what, if any, redundancy options are available to/from the destination of the IPSec tunnel?
Do you want a cold spare redundancy, warm standby redundancy or active-active redundancy? With the latter, if one router fails, is loss of capacity a possible issue?
You need to clarify how much redundancy you need/desire beyond just having another router.
At the simplest, another router might be set in parallel to your current router and would backstop just your current router.
In more extreme redundancy, you try to have a parallel path that one failure will not break connectivity on the other path. (Personally, in my experience, dealing with redundant WAN fiber sharing the same trench or POP was the hardest to handle.)
01-09-2024 07:24 AM
I am referring to something like HSRP.
Do we have something similar for IPsec?
01-10-2024 05:25 AM
Not that I'm aware of.
Usually I treat tunnels like L3 independent links. I.e. if one fails, traffic is routed via redundant paths.
01-09-2024 03:29 PM
How many physical WAN links, two? Do the two physical WAN links go to the same provider?
If they go to the same provider, do the links go to two different exchanges or not?