wan failover with vpn

jorge.arenas
Level 1

Hi

I'm a little confused.

I have two 2800 routers connecting my central office and branch office with an E1 WAN.

I put a DSL card in each one and connected the DSL line to the internet with my provider. The central office has a static public IP address and the branch office gets a dynamic public IP address.

I need to configure a failover, so when my WAN E1 goes down, all the traffic is redirected into a VPN tunnel using the DSL line to the internet.

My questions are:

Must the VPN tunnel be up all the time?

Which is the best routing protocol to use?

And... do I need a static public address on both ends? (I was reading something and in all the cases I found, static public addresses are required on both ends.)

Thanks in advance

Accepted Solution

Hi Jorge,

Now that you have knowledge about all the separate bits of the system, it is time to put it all together:

1. Set up your E1-WAN link with any routing protocol you want. Make sure that the link is up and running. Test it.

2. Forget about the E1-WAN link and set up the VPN link as if it is the only link between the two sites. Make sure that it passes all the traffic that normally goes via the WAN. Test it.

3. Now that you have two links running separately from each other, create a static route. The static route's distance must be higher than the administrative distance of the routing protocol you use on your WAN link (for example, if you are using OSPF then the distance must be higher than 110). The route should point to the interface where traffic is encrypted to be sent via VPN.

For example:

If the interface with the crypto map is Fa0 and the network address at the other site is 192.168.1.0/24, then it should look like this:

ip route 192.168.1.0 255.255.255.0 Fa0 249

In this case, when the E1-WAN link is up, the information about the route to 192.168.1.0/24 will come from your dynamic routing protocol because it has a lower distance. So all traffic will be routed via the E1-WAN. But when it goes down, the dynamic route will disappear from the routing table because the router stops getting updates from its peer via the WAN. In this case the router will see that there is no route to 192.168.1.0/24 with a distance better than the static route we discussed above. It will place it in the routing table, and from then on all traffic will go via the VPN.

When the WAN link comes back, the dynamic routing protocol will again get updates from its peer, so the static route in the routing table will be overridden by the route with lower distance coming from the dynamic routing protocol.

//Mikhail Galiulin

PS: You can read the following document to become more familiar with the route selection process:

http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094823.shtml

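To make the accepted answer's route-selection argument concrete, here is an added Python model (not from the thread and not Cisco code) of how a router chooses between the OSPF route (AD 110) and the floating static toward Fa0 (AD 249) for 192.168.1.0/24, and what happens when the static is mistakenly given an AD below 110. The E1 interface name Serial0/0/0 and the test host 192.168.1.10 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Route:
    prefix: str   # e.g. "192.168.1.0/24", the remote site from the post
    via: str      # exit interface; "Fa0" is the crypto-map interface from the post
    ad: int       # administrative distance (OSPF 110, floating static 249)
    source: str   # "ospf" or "static"

class Rib:
    """Minimal routing table: keeps every candidate and installs the lowest-AD
    one per prefix (IOS tie-breaking and metrics are not modelled)."""
    def __init__(self, *routes):
        self.candidates = list(routes)
    def add(self, route):
        self.candidates.append(route)
    def withdraw(self, source):
        # WAN down: the router stops hearing its peer, so every route learned
        # from that protocol is removed; the static route is unaffected.
        self.candidates = [r for r in self.candidates if r.source != source]
    def lookup(self, dst):
        best = {}  # prefix -> installed (lowest-AD) candidate
        for r in self.candidates:
            if r.prefix not in best or r.ad < best[r.prefix].ad:
                best[r.prefix] = r
        addr = ip_address(dst)  # then longest-prefix match; None = unreachable
        hits = [r for r in best.values() if addr in ip_network(r.prefix)]
        return max(hits, key=lambda r: ip_network(r.prefix).prefixlen, default=None)

WAN_IF = "Serial0/0/0"  # assumed name of the E1 interface; the thread does not give it
OSPF_ROUTE = Route("192.168.1.0/24", WAN_IF, 110, "ospf")
FLOATING_STATIC = Route("192.168.1.0/24", "Fa0", 249, "static")  # ip route ... Fa0 249

def failover_sequence():
    """Exit interface used for 192.168.1.10 while the E1 is up, down, then restored."""
    rib = Rib(FLOATING_STATIC, OSPF_ROUTE)
    seen = [rib.lookup("192.168.1.10").via]    # E1 up: OSPF (AD 110) wins
    rib.withdraw("ospf")                        # E1 down: only the static remains
    seen.append(rib.lookup("192.168.1.10").via)
    rib.add(OSPF_ROUTE)                         # E1 back: OSPF preempts the static
    seen.append(rib.lookup("192.168.1.10").via)
    return seen

def static_with_low_ad():
    """The mistake the answer warns about: a static AD below 110 beats OSPF even
    while the WAN is healthy, so traffic would stay on the VPN permanently."""
    rib = Rib(Route("192.168.1.0/24", "Fa0", 100, "static"), OSPF_ROUTE)
    return rib.lookup("192.168.1.10").via       # "Fa0"
```

On a real router the same check is `show ip route 192.168.1.0`, where the installed route's bracketed [AD/metric] tells you which source won.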

Hi,

1. It would be better, but not required, to have the tunnel up all the time. It depends on the applications running, how intensive the traffic is and things like this.

2. Whatever routing protocol you want. I use, for example, OSPF for the WAN link and a static route with higher cost for the VPN tunnel - if the WAN link goes down, all OSPF routes disappear from the routing table and the router begins to send traffic according to the static route to the VPN tunnel. Of course, it is possible to run a dynamic routing protocol on both WAN and VPN, but in this case you need a more complicated configuration of the VPN link.

3. It depends on your scenario. If only traffic from the branch office can initiate the VPN tunnel, then you need a static address only at the central office. But if you want any traffic to be able to bring the VPN link up in case of WAN-link failure, then you need static addresses on both sides.

//Mikhail Galiulin

Hi,

Regarding the DSL Internet link, you can very well use IPsec to establish the VPN. However, please ensure that it is Peer-to-Peer GRE in IPsec, as it is the simplest way (I would think) to make all the dynamic routing protocol traffic and other multicasting applications flow seamlessly across the VPN.

Please have a look at:

P2P GRE in IPSec

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns130/c649/ccmigration_09186a0080685ce8.pdf

Multicasting in IPSEC

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns656/c649/cdccont_0900aecd80402f07.pdf

Hope this helps and simplifies your issues.

Regards,

Wilson Samuel

Hope it simplifies the matter.

Thank you very much Wilson

I'm just reading the documents.

Just another question: I chose this because I read about this option on the Cisco website.

But after a few days of searching for a case, I cannot find an example or design case for making a backup of a dedicated WAN line with a VPN over the internet.

Do you know a document about this?

I found VPN with VPN backup.

I found WAN with dial-up backup.

But nothing with an E1-WAN link with VPN backup.

Thanks again for the info and I hope you can help me.

Jorge Arenas
