12-06-2004 03:53 AM - edited 02-21-2020 01:29 PM
Hello there, this is a question regarding a network infrastructure that is currently in the design stage.
Let me first explain the scenario to you: a company has 23 small-sized branches in a region and a HQ. All of the servers are located at HQ. The original idea was to connect 837 routers with the 1760 via VPN IPsec 3DES tunnels.
But, for reliability, I would like to connect each 837 to another 3 offices, so that if the main link goes down, it will route all traffic via another link. What I would like to know is whether such a solution is feasible on these routers, and if not, which routers are best to get, including IOS.
The connections vary, from 200 Mbit/s at HQ to 2 Mbit ADSL and 128 kbps ISDN at branch offices.
Thanks in advance.
12-06-2004 09:59 AM
For reliability or redundancy, I would recommend that you add multiple HQ routers and have the remote sites home into all of them. You can set costs or run a routing protocol to select one of the HQ routers as primary while using the rest of them as backup. I have seen some people using up to 2 backup tunnels for redundancy.
! One crypto map with two entries, one per HQ peer (peer addresses omitted in the original)
crypto map Test 10 ipsec-isakmp
set peer
..
..
crypto map Test 20 ipsec-isakmp
set peer
! GRE tunnel to HQ1, protected by the crypto map
int tu 0
tunnel source s0
tunnel destination
crypto map Test
! GRE tunnel to HQ2
int tu 1
tunnel source s0
tunnel destination
crypto map Test
! The same crypto map is also applied to the serial interface that sources both tunnels
int s0
crypto map Test
The above is a very simple config of multihoming to two HQ routers. You can have HQ1 and HQ2 in physically two locations for physical redundancy and have a T1 or bundled T1s running between the locations.
HQ1------T1s------HQ2
R1, R2, R3 ... Rn are remote sites which multihome to HQ1 and HQ2 via IPsec over GRE tunnels.
I would put a more robust router like a 3800 series router at the HQ rather than a 1760. That way your backbone is scalable if you want to add more remote sites in future.
12-06-2004 11:19 PM
I see. We are limited by our budget, and therefore such a solution would create some problems. As far as I can understand, you're suggesting getting 2 HQ routers, 2 lines, and homing Rn sites on those 2 routers.
What I would like to know is: is it possible to have the remote sites linking to each other? The chance of the link failing at HQ is unlikely, but the chance of losing a route to HQ is a probability.
Each 837 is connected via VPN IPsec 3DES with HQ and 2 other remote sites, bandwidth allowing.
So, R1 is connected to R2, R3 and HQ.
By default, its default route is HQ.
Say that HQ is in one city and a remote site (R1) is in another. The city where the remote site (R1) is located loses its uplink with HQ, but not with a neighbouring city's remote site (R2), which still has its link to HQ.
What I would like to know is whether the 837 can be set up to use the route:
R1 -> R2 -> HQ
If not, what can?
12-07-2004 07:42 AM
No doubt. It is possible to set up tunnels the way you want. Create two crypto maps on R2. One going to HQ and the other going to R2. Set the default route to HQ and a second backup default route to R2 (with a higher administrative cost). Run this crypto map over two tunnel interfaces (one pointing to HQ and the other pointing to R2).
If you use the same internet pipe at R1 for both the tunnels, and that pipe goes down, you won't be able to connect to either HQ or R2.
Hope I am clear.
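The following is an added worked example, not configuration from either reply above: it fills in the multihoming layout sketched in the first answer (one crypto map with two entries, one GRE tunnel per peer) and the floating static default route described in the last answer, for a branch router R1 that tunnels primarily to HQ and falls back through neighbouring branch R2. All addresses are constructed placeholders from the RFC 5737 documentation ranges, the pre-shared keys are placeholders, and Dialer0 is assumed to be the 837's ADSL WAN interface; the 3DES/SHA algorithms follow the original design.

```cisco
! Added example (not from the thread): branch router R1.
! Constructed addresses: R1 WAN 192.0.2.1, HQ 198.51.100.1, R2 203.0.113.1
!
! Phase 1 / Phase 2 policy (3DES as in the original design)
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key HQ-KEY-PLACEHOLDER address 198.51.100.1
crypto isakmp key R2-KEY-PLACEHOLDER address 203.0.113.1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
! Only the GRE traffic between the tunnel endpoints is encrypted
ip access-list extended GRE-TO-HQ
 permit gre host 192.0.2.1 host 198.51.100.1
ip access-list extended GRE-TO-R2
 permit gre host 192.0.2.1 host 203.0.113.1
!
! One crypto map, two entries: sequence 10 protects the tunnel to HQ,
! sequence 20 protects the tunnel to R2 (the "Test 10 / Test 20" layout above)
crypto map Test 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address GRE-TO-HQ
crypto map Test 20 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address GRE-TO-R2
!
! Primary GRE tunnel to HQ. GRE keepalives drop the tunnel's line protocol
! when HQ stops answering; without them the tunnel stays up/up and the
! primary static route below would never be withdrawn.
interface Tunnel0
 ip address 10.255.1.2 255.255.255.252
 keepalive 10 3
 tunnel source Dialer0
 tunnel destination 198.51.100.1
 crypto map Test
!
! Backup GRE tunnel to neighbouring branch R2
interface Tunnel1
 ip address 10.255.2.2 255.255.255.252
 keepalive 10 3
 tunnel source Dialer0
 tunnel destination 203.0.113.1
 crypto map Test
!
! The crypto map must also sit on the WAN interface that sources both tunnels
! (assumed Dialer0 for the 837's ADSL link)
interface Dialer0
 crypto map Test
!
! Host routes for the two tunnel endpoints out the WAN interface. Without
! these, the default route into Tunnel0 would also match the encapsulated
! GRE packets to HQ, causing recursive routing and flapping the tunnel.
ip route 198.51.100.1 255.255.255.255 Dialer0
ip route 203.0.113.1 255.255.255.255 Dialer0
!
! Primary default route via HQ (administrative distance 1) and a floating
! static default via R2 (AD 250) that enters the routing table only once
! Tunnel0 goes down, giving the R1 -> R2 -> HQ path asked for above.
ip route 0.0.0.0 0.0.0.0 10.255.1.1
ip route 0.0.0.0 0.0.0.0 10.255.2.1 250
```

For the backup path to actually carry traffic, R2 needs a route for R1's LAN pointing at its tunnel to R1, and HQ needs a corresponding backup route for R1's LAN via R2 (another floating static, or an IGP such as EIGRP run over the tunnel interfaces); the crypto ACLs and tunnel definitions are mirrored on R2 and HQ with the endpoints swapped. As the last reply notes, this only protects against losing the path to HQ, not against losing R1's single ADSL pipe.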