09-02-2019 06:14 AM
Hi, Guys,
I have a question on a route path priority scenario:
Two hosts with public IPs and private IPs in two separate sites, such as:
1. Site A has a host with public IP 202.202.202.2/32 and NAT private IP = 192.168.10.2/32
2. Site B has a host with public IP 101.101.101.1/32 and NAT private IP = 172.172.1.3/32
3. The two sites have a default route 0.0.0.0/0 to their respective ISPs.
4. Static routing is used.
In the normal situation they communicate with each other through the Internet connection, which is fine; now
a VPN tunnel is established between the two sites.
How do I configure the route priority so that whenever Internet connectivity is lost, they can communicate with each other using their private IPs through the VPN tunnel?
Thanks so much for your kind help.
BensonLEI
09-02-2019 07:05 AM
We do not have much detail to work with in this question, and that limits what we can suggest. At first reading it seems to be a question about what to do if you lose your default route. The common solution for that would be a floating static default route (a static default route with a higher administrative distance). But on closer reading I believe that you probably do not want to replace the default route and want a route only for the peer-to-peer traffic. It is not clear what you want to happen with other traffic if the default route fails. I would suggest these steps to be able to route the peer-to-peer VPN traffic in the event of a failure of your default route:
- configure tracking with IP SLA for some address reached using the default route.
- configure an EEM script that could insert the new route to reach the remote peer and would be triggered by tracking the normal default route.
HTH
Rick
09-02-2019 10:20 AM
Not sure I follow.
Firstly, does the VPN not run across the internet? If so, if you lose the internet you lose the VPN as well.
Secondly, if it does not run across the internet, then it seems to be more a question of how to tell the servers which IPs to use rather than a routing issue.
A better understanding of your topology would help.
Jon
09-02-2019 11:11 AM - edited 09-03-2019 10:36 AM
In addition to the point made by Jon (i.e. doesn't the VPN run across the Internet?), another possible issue is how does each host "know" what destination IP to use for the other host (which, it appears, could be either a public or a private IP)?
Often when using VPNs, they are preferred as they can maintain usage of private IPs and they also appear "shorter". However, a VPN adds overhead to the communication, so going via NAT and public IPs should be a tad more efficient.
09-02-2019 06:35 PM - edited 09-02-2019 06:36 PM
Hi, Guys,
Firstly, thanks so much for your kind and quick replies.
Sorry for my misleading description of the scenario; we have another IPLC network connection.
If we lose the internet connection, the hosts communicate with each other through the IPLC line (not a VPN connection, in these sites) using the private IPs.
How should I configure the route priority? Thanks a lot.
With many thanks in advance.
Cheers
BensonLEI
09-03-2019 12:11 AM
I still think you are seeing this as a routing issue when it is more to do with how the servers know to switch between the use of public or private IPs and how that happens, which has nothing to do with the network.
You could already have the routes in place for the private IPs to be used when needed, but how do the servers know when to use them?
Jon
09-03-2019 12:53 AM - edited 09-03-2019 12:54 AM
Hi, Jon,
Thanks so much for your quick reply.
I have not yet configured the route for the private IPs, but I am planning for this solution (failover to private IP communication through the IPLC while Internet access is not available).
What should I do for the solution (route priority? what should be implemented on the hosts for network connectivity failover?)
Thanks a lot.
09-03-2019 01:40 AM
I think you need to do as Rick suggests and use IP SLA to track an IP address on the internet, and if that IP becomes unreachable then you can install a static route for the private link.
See this link for an example -
https://blog.ipspace.net/2007/08/install-static-route-when-ip-address-is.html
Jon
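The approach Rick and Jon describe (an IP SLA probe, a tracked object, and a static route that is only installed while the Internet path is down), written out as an added Cisco IOS configuration for the Site A router. This is an illustration constructed for this thread, not configuration posted by any participant. The ISP next hop 203.0.113.1, the IPLC next hop 10.255.0.2, the probe target 198.51.100.1 and the interface names are assumed placeholders; the Site B private range 172.172.1.0/24 is taken from the original question. The inverse track list (`object 1 not`) is used here instead of the EEM applet in the linked ipspace article; both achieve the same "install a route when the probe fails" behaviour.

```ios
! --- Site A router: failover of Site B private range to the IPLC ---
! Constructed example for this thread. All addresses except 172.172.1.0/24 are assumed.

! Probe an Internet address every 10 s. Pin the probe to the ISP path with a host
! route so it cannot be answered via the IPLC once the default route is withdrawn.
ip route 198.51.100.1 255.255.255.255 203.0.113.1
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now

! Track 1 is UP while the Internet probe succeeds. The delays dampen flapping.
track 1 ip sla 1 reachability
 delay down 15 up 30

! Track 2 is the inverse: UP only while the Internet probe is failing.
track 2 list boolean and
 object 1 not

! Normal Internet default route, withdrawn when the probe fails.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1

! Route to Site B private hosts via the IPLC, installed only on Internet failure.
ip route 172.172.1.0 255.255.255.0 10.255.0.2 track 2

! Floating black-hole (AD 250) so that while the IPLC route is absent, traffic to
! 172.172.1.0/24 is dropped locally rather than following the default to the ISP.
ip route 172.172.1.0 255.255.255.0 Null0 250
```

Two checks worth doing after applying this: `show track` should show track 1 up and track 2 down under normal conditions, and pulling the ISP link (or blocking the probe target upstream) should flip them and make `show ip route 172.172.1.3` resolve via 10.255.0.2. The Null0 route is there because 172.172.0.0/16 is not RFC 1918 space: without it, any packet a host sends to 172.172.1.3 while the IPLC route is not installed would be forwarded to the ISP as ordinary Internet traffic. As Jon points out, none of this tells the servers when to start using the private addresses; that switch still has to happen on the hosts or in the application.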
09-03-2019 06:31 AM - edited 09-03-2019 06:35 AM
Hi, Jon,
Great, thanks a lot.
You are probably right, it is the same concept as the above example, whether it is a public IP or a private IP, by inserting a route with IP SLA.
Cheers
Benson LEI