cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1628
Views
4
Helpful
5
Replies

Multiple site-to-site VPNs with resilience - possibilities?

mitchen
Level 2
Level 2

                  

Site A –                 Voice VLAN        –             192.168.1.0/24

Site A –                 Data VLAN          –             10.10.1.0/24

Site B     –             Voice VLAN        –             192.168.2.0/24

Site B     –             Data VLAN          -              10.10.2.0/24

Datacentre (DC)         -              10.0.0.0/16

This is the situation I have:

Site-to-site VPNs in place between Site A and Site B and between each site to the DC. Site A and Site B have Cisco 2911 routers, there are ASA’s at the DC. The existing Site-to-site VPNs carry data and voice traffic between the sites (though voice and data is on separate VLANs in separate subnets)

ISP1 currently used for the existing circuits at Sites A and B but we have experienced issues with them recently which has disrupted service. So new circuits are to be installed at each site with ISP2. (See basic diagram attached which shows current set-up with intention to get new circuits via ISP2 installed)

We have 3 ports on our Cisco 2911 routers with 2 ports already in use for the existing connections (1 for the LAN and 1 for the WAN connection to ISP1) Can we simply use the 3rd port for the connection to ISP2 or would it be far more advisable to use a 2nd router (for redundancy, etc)

Would it be feasible to have a set-up where we have e.g. voice traffic go over a site-to-site VPN via ISP1 and data traffic go via site-to-site VPN via ISP2 but each can take over from the other in the event of a failure? (Similarly, for the traffic to the datacentre)

If so, what would be the best way of achieving this?

Thanks for any advice/suggestions you can offer!

5 Replies 5

david.tran
Level 4
Level 4

This can be easily done with GRE/IPSec and route manipulation.  Unfortunately, you can not terminate GRE on the ASA

Hi David,

thanks - I had wondered about GRE (but haven't implemented it before so I'm not too clued up on it!)

Would it be possible to do something with GRE between the siteA and siteB routers so that voice and data can be sent on the different ISP links (over site-to-site VPN) with each being capable of taking over from the other in the event of a failure?

Then do something different for each site's connection to the DC? (e.g. even if all site to DC traffic had to go over the one ISP link but could failover to ISP2 if needed then that would still be ok I think)

Or is it a case of - either all GRE/IPSEC or none for the connectivity between the 3 sites?

Any further advice/suggestions would be welcome!

Shameless bump in case anyone else has more ideas/thoughts on this one! 

Very simple.  Excluding the DC side.

Setup GRE tunnel1 between SiteA and siteB using ISP1, easy

steup GRE tunnel2 between SiteA and siteB using ISP2, easy

Encrypt both GRE tunnels with IPSec, easy

send your voice traffics over GRE tunnel1 but add floating route to

point to GRE tunnel2 should GRE tunnel1 is down

send your data traffics over GRE tunnel2 but add floating route to

point to GRE tunnel1 should GRE tunnel 2 is down

your voice traffics will prefer ISP1 and data traffics will prefer ISP2 but

you still have redundancy should either ISP1 or ISP2 is down.

The whole thing would have been much easier if you have router at the

DC.  With router at the Dc, you can do DMVPN and you will now have total

redundancy.  Because ASA does not support GRE or DMVPN, you're out of luck

from the DC side

Thanks, that gives me some things to think about - frustrating that things are going to be awkward as far as the DC is concerned though.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: