Two ISR 2821-VPN failover with two ISPs to one customer

Yulian Iliev
Level 1

Hello everyone!
I have two Cisco 2821 routers and two service providers, and I have to do a VPN with one customer. So my VPN should switch over to the second provider in case something happens with the primary ISP. The customer router is already configured for VPN with both IPs for both ISPs. The question is how to configure both Cisco 2821s to switch between ISP lines and VPN? All devices are connected to a Cisco 3750 switch (three switches in a stack).

Below is a simple diagram from GNS3.
Thank you in advance.

Accepted Solution

Richard Burts
Hall of Fame

While there might be several ways to accomplish this, the most common solution is that you configure a VPN on R1-primary to connect to the customer and you configure another VPN on R2-secondary to connect to the customer. And the customer configures its single VPN with two peer addresses (which I believe you say has already been done). Both of your VPNs will attempt to negotiate with the customer router. But the customer will negotiate with only one or the other. So the failover is done on the customer side and not on your side.

HTH

Rick


6 Replies

Richard, I appreciate your answer!

I did this design and it works fine. HSRP is on my LAN side, R1 and ISP1 is my preferred path, and I have an SLA pinging the path through ISP1; if something happens, the traffic goes through R2 and ISP2, using the VPN through the second ISP to our customer. My topology: R1 is connected via a VLAN to ISP1, R2 is connected via a second VLAN to ISP2, and I have one interface from each router connecting to my LAN (HSRP running on those). So far so good, but what will happen if at the same time ISP1 and R2 die? I have only two interfaces per router: one connected to the ISP and the second to the LAN switch.
Thanks

Yulian.
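The design described in this thread, written out as an added Cisco IOS configuration example that is not from either poster: R1 tracks the ISP1 path with an IP SLA probe and decrements its HSRP priority when the probe fails, and the customer lists both peers in one crypto map entry so the failover decision is made on the customer side, as Rick describes. All addresses (RFC 5737 documentation ranges), interface names, ACL and crypto map names, and the pre-shared key placeholder are constructed; IOS 15.x syntax is assumed (on 12.4 the track object is written `track 1 rtr 1 reachability`).

```cisco
! === R1-primary. R2-secondary is the same except for ISP2 addresses,
! === "standby 1 priority 90" and no track, so it takes over only when R1 decrements.
! Probe the customer peer itself through ISP1 (assumes it answers ICMP;
! otherwise probe an ISP1 address beyond the first hop, not just the gateway).
ip sla 1
 icmp-echo 203.0.113.2 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
! Hold-down timers keep one lost probe from flapping HSRP and the tunnel
track 1 ip sla 1 reachability
 delay down 15 up 30
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key PSK_PLACEHOLDER address 203.0.113.2
! DPD: without it, SAs on the failed path linger until their lifetime expires
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended VPN_TRAFFIC
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
crypto map CUST 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN_TRAFFIC
!
interface GigabitEthernet0/0
 description ISP1 (constructed /30)
 ip address 192.0.2.2 255.255.255.252
 crypto map CUST
!
interface GigabitEthernet0/1
 description LAN side, HSRP group 1
 ip address 10.10.0.2 255.255.255.0
 standby 1 ip 10.10.0.1
 standby 1 priority 110
 standby 1 preempt
 ! Probe down -> 110-30=80 < R2's 90 -> R2 goes active and LAN traffic leaves via ISP2
 standby 1 track 1 decrement 30
!
! === Customer router: one crypto map entry, peers tried in order; DPD is what
! === makes it drop R1 and negotiate with R2. TS and a mirrored ACL as on R1.
crypto isakmp key PSK_PLACEHOLDER address 192.0.2.2
crypto isakmp key PSK_PLACEHOLDER address 198.51.100.2
crypto isakmp keepalive 10 3 periodic
crypto map TO_PARTNER 10 ipsec-isakmp
 set peer 192.0.2.2
 set peer 198.51.100.2
 set transform-set TS
 match address VPN_TRAFFIC
```

After a failover, `show crypto isakmp sa` on both R1 and R2 and `show standby brief` on the LAN interfaces confirm that the active HSRP router and the router holding the customer's SA are the same box; if they differ, return traffic and outbound traffic take different paths.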

Yulian

I am glad to know that you have done this design and that it works fine. You ask an interesting question about what happens if ISP1 and R2 die at the same time. The answer is that this design provides good redundancy for single failures but not necessarily for multiple simultaneous failures. If both ISP1 and R2 die, then you would lose the VPN connectivity.

So perhaps the question becomes: what is the likelihood of both failures at the same time, and what is the impact of losing the VPN connectivity? Once you have answers to these questions, you can consider whether this solution is good enough, or whether the risk of losing the VPN connectivity is worth the cost of implementing a design that would provide redundancy for two simultaneous failures.

HTH

Rick


Thanks for your post.

Is it possible to implement HSRP on the ISP-facing interfaces and for the VPN endpoint to use the standby IP addresses instead of the physical interfaces? If this solution works, I will make sub-interfaces on both routers and both of them will be connected to both ISPs; I'm just looking for a way to make the VPN from the customer router to me, but with standby interfaces on my side.

Best regards!

Yulian

Yulian

I do not think that configuring HSRP on the ISP-facing interfaces would be a good solution. For one thing, it would require that each router have an additional interface (two outside interfaces instead of one, and at least one inside interface). Do you have the extra interface available on both routers? Also, it would require that you have at least 3 IP addresses from the ISP to use on the ISP-connecting subnet on each of the interfaces. And it would require that you connect each ISP through a switch. And to avoid creating a new single point of failure, you would need one switch for ISP1 and a second switch for ISP2. And the most significant problem is that each router would then need two VPN connections configured to the remote peer. And in my experience it is problematic to try to have two VPN connections from one peer to the same remote peer.

If you really want to have a configuration that can survive two simultaneous failures, then I believe that you will need a third path between the peers (which implies needing a third ISP and a third router). It is probably expensive and gets complex, but it is the only reliable way that I see to survive two simultaneous failures.

HTH

Rick

I am thinking of Stateful Switchover (SSO), but is it a requirement for SSO to have HSRP?

Thank you.
