05-13-2019 09:30 PM - edited 05-14-2019 10:01 PM
Hello everyone
How do I realize the scheme shown in the attached image?
We have to arrange an ISP1 check and, if it is alive, route through it, and if it is "dead", switch to the ISP2 backup provider.
Can I configure HSRP/VRRP in this situation? Or can only IP SLA realize it?
----------------------------------------------------------------
SECOND QUESTION (attached images IPSec profile.png and crypto IPSec profile.png):
In this case, how many crypto ipsec profiles do I have to create? In many cases I found that everyone uses only one profile (the same profile, like DMVPN; look at crypto IPSec profile.png). But when I use two different profiles, one for each tunnel (like crypto ipsec profile DMVPN1 and crypto ipsec profile DMVPN2), my scheme works. Which is correct: using the same crypto ipsec profile or different ones?
05-15-2019 05:23 AM
There are things that we do not know about this environment, and that impacts our ability to give good advice. For example, we do not know whether there is a dynamic routing protocol between R1, R2 and the ISPs.
If the objective is to prefer outbound traffic through R1 and to be able to fail over to R2 if there is a problem with R1 then I would believe that the optimum solution would be to run a dynamic routing protocol between R1, R2, and both ISPs. For routing protocol with ISP the usual choice is BGP but depending on the ISPs other protocols might be possible.
The drawing does make clear that the connection of R1 and R2 to their ISP is in different subnets. In that case HSRP is not an option for detecting a failure of the ISP.
HTH
Rick
05-15-2019 05:44 AM
Perhaps there is something in question 2 that I am not understanding correctly. You show us the configuration of both hub routers, which have a single tunnel, and ask whether you should use 2 profiles. It seems pretty obvious that for a single tunnel you do not need 2 profiles. The question would make more sense if it were about the remote sites which have 2 tunnels. For those routers we would need to know whether there was some parameter in the profile that would be different between the tunnels. If there is some parameter that is different then pretty obviously you need 2 profiles. If the parameters are the same it certainly would work with 2 profiles (as you say it does) but I see no reason why 2 profiles would be required and I do not understand how a second profile would provide much benefit. If there is something I am not understanding then please provide clarification.
HTH
Rick
05-15-2019 10:30 AM - edited 05-15-2019 10:31 AM
Thanks!
I updated the network today; now R1 (10.0.1.10), R2 (10.0.1.11) and the switch (10.0.1.12) are in the same network 10.0.1.8/29 (vlan500). On the switch I configured an SVI (vlan500).
In HQ I have these 2 routers and the switch (which works as the core), and many spokes. I have tunnel0 for HUB1, tunnel1 for HUB2, and tunnel0 and tunnel1 on each spoke. I run EIGRP with DMVPN Phase 2. My question is: should I use different crypto IPsec profiles, or just one?
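As an added example (not configuration from this thread), here is one way to do the ISP1 liveness check from the first question with IP SLA on the core switch, using the updated addressing above: the switch's Vlan500 SVI, R1 (10.0.1.10) as the path to ISP1 and R2 (10.0.1.11) as the path to ISP2. The probe target 203.0.113.1 is a placeholder for an address on the far side of ISP1 and must be replaced.

```cisco
! Core switch: Vlan500 SVI in 10.0.1.8/29, R1 = 10.0.1.10 (ISP1), R2 = 10.0.1.11 (ISP2)
! 203.0.113.1 is a placeholder probe target beyond ISP1 (e.g. the ISP1 gateway); replace it.
!
! 1. Pin the probe to the ISP1 path. Without this host route the probe could follow the
!    floating default through R2, which would hide an ISP1 outage and never detect recovery.
ip route 203.0.113.1 255.255.255.255 10.0.1.10
!
! 2. ICMP echo probe sourced from the SVI, one packet every 5 seconds, 1 s timeout
ip sla 1
 icmp-echo 203.0.113.1 source-interface Vlan500
 threshold 1000
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
! 3. Track reachability, with dampening so one lost ping does not flap the routes
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! 4. Primary default via R1 is withdrawn when the track goes down;
!    the floating default via R2 (administrative distance 10) then takes over
ip route 0.0.0.0 0.0.0.0 10.0.1.10 track 1
ip route 0.0.0.0 0.0.0.0 10.0.1.11 10
```

Verify with `show track 1` and `show ip sla statistics 1`; the ISP1 default route should disappear from `show ip route` while the track is down and return once the probe succeeds again.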
05-15-2019 12:08 PM
As I stated in my previous response, are there any parameters or any attributes used in the profile that are different between the tunnels? If there are differences then you need separate profiles. If they use the same parameters and attributes then there is no requirement for a separate profile.
HTH
Rick
05-15-2019 06:45 PM - edited 05-15-2019 08:49 PM
There is no difference. The profiles are the same.
I understand you. But on the spoke site I protect my tunnels with the 'shared' keyword, which shares the same ipsec profile. Is this correct?
The config (I mean any parameters and attributes used in the profile) on all spokes is the same:
crypto ipsec transform-set DMVPN esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set security-association lifetime seconds 120
 set transform-set DMVPN
!
interface Tunnel0
 ..................
 ..................
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
 ...................
 tunnel protection ipsec profile DMVPN shared
05-17-2019 12:14 AM
Hello,
on a side note, if you use shared profiles, make sure the tunnel source is the same for each tunnel that uses the shared profile, e.g.:
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile DMVPN shared
!
interface Tunnel1
 tunnel source GigabitEthernet0/0
 tunnel protection ipsec profile DMVPN shared
05-17-2019 05:17 AM