Remote site redundancy with multiple ADSL lines connecting to datacentre via IPSEC VPN
We are looking into options for improving resiliency at our remote sites. At the moment, they typically have an 800 series router and single ADSL line at our remote branches, connecting to the headend ASA firewall in the datacentre via IPSEC VPN.
At some geographical locations, ADSL is really the only option (without spending a LOT of cash) so, although there are limitations to it, the only possibility may be to have a 2nd ADSL line at these locations via a 2nd ISP.
The question is, what would be the best/most cost-effective way of achieving resilience with 2 ADSL lines at our branches? The problem I can see is getting the headend ASA to "realise" when the primary ADSL connection is down and to use the secondary ADSL instead.
Maybe we could have e.g. a Cisco 1921 with 2 x ADSL WIC cards and select one of them as the "backup" interface, tracking the primary (then rely on Dead Peer Detection at the ASA with each peer defined in the crypto map)? Is that possible? If so, I guess the main issue with that would be that we would only have a single router, so no hardware redundancy?
The other option might be simply to "double-up" and get another Cisco 800 series router and connect it to the 2nd ADSL line. I could see how we could use HSRP (tracking the primary router and ADSL line) to take care of the branch traffic. But, as above, we'd be left with the problem of how the headend ASA would "know" when the primary had failed (and/or when it came back up again?)
Any thoughts/suggestions on best way of achieving resilience with 2 ADSL lines at a remote site and IPSEC VPN connectivity to a headend ASA?
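The single-router option described above (two ADSL WICs, primary tracked, DPD at the ASA with both branch peers in the crypto map), as an added configuration sketch that is not part of the original post. All addresses, interface names, ACL and transform-set names are assumptions; the crypto ACLs, transform sets and ISAKMP policies are taken to be defined elsewhere.

```cisco
! --- Branch: Cisco 1921 with two ADSL WICs (Dialer1 = ISP A, Dialer2 = ISP B) ---
! Probe a host that is only reachable through ISP A (assumed address), sourced from Dialer1,
! so that the track falls only when the primary line itself is broken.
ip sla 1
 icmp-echo 203.0.113.1 source-interface Dialer1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 30 up 60
! Primary default route is withdrawn when the track is down; the floating static via ISP B takes over.
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 10
! DPD on the branch side so a stale SA over the dead line is torn down and rebuilt from Dialer2.
crypto isakmp keepalive 10 3 periodic
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address VPN-ACL
! The same crypto map is applied to both WAN interfaces; IKE is sourced from whichever carries the default route.
interface Dialer1
 crypto map VPN
interface Dialer2
 crypto map VPN

! --- Headend ASA: accept the branch from either of its two public addresses ---
! 192.0.2.10 = branch address on ISP A, 192.0.2.20 = branch address on ISP B (both assumed, static).
crypto map outside_map 10 match address BRANCH-ACL
crypto map outside_map 10 set peer 192.0.2.10 192.0.2.20
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
! One tunnel-group per peer address, each with DPD so the ASA drops the SA to the failed line.
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 3
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 3
```

With multiple peers in an ASA crypto map entry the ASA only initiates to the first listed peer, so failover relies on the branch router re-initiating from the secondary line once its default route moves; on ASA 8.4 and later the transform-set line is written `set ikev1 transform-set`.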
One thing you should consider is path redundancy. Typically multiple ADSL providers will use the wire plant of the ILEC to deliver the circuits. So while you will wind up with multiple providers, you really will only improve your uptime if your existing provider is having internal issues. If your primary downtime is because of fallen trees or backhoes, you may be achieving very little.
If possible you should investigate cable modems. While path redundancy is still an issue, at least you will have separate headends for the devices to talk to.