01-25-2013 03:06 AM
Site A – Voice VLAN – 192.168.1.0/24
Site A – Data VLAN – 10.10.1.0/24
Site B – Voice VLAN – 192.168.2.0/24
Site B – Data VLAN – 10.10.2.0/24
Datacentre (DC) – 10.0.0.0/16
This is the situation I have:
Site-to-site VPNs are in place between Site A and Site B and between each site and the DC. Site A and Site B have Cisco 2911 routers; there are ASAs at the DC. The existing site-to-site VPNs carry data and voice traffic between the sites (though voice and data are on separate VLANs in separate subnets).
ISP1 is currently used for the existing circuits at Sites A and B, but we have experienced issues with them recently which have disrupted service. So new circuits are to be installed at each site with ISP2. (See the basic diagram attached, which shows the current set-up with the intention to get new circuits via ISP2 installed.)
We have 3 ports on our Cisco 2911 routers, with 2 ports already in use for the existing connections (1 for the LAN and 1 for the WAN connection to ISP1). Can we simply use the 3rd port for the connection to ISP2, or would it be far more advisable to use a 2nd router (for redundancy, etc.)?
Would it be feasible to have a set-up where we have e.g. voice traffic go over a site-to-site VPN via ISP1 and data traffic go via site-to-site VPN via ISP2 but each can take over from the other in the event of a failure? (Similarly, for the traffic to the datacentre)
If so, what would be the best way of achieving this?
Thanks for any advice/suggestions you can offer!
01-25-2013 05:52 AM
This can be easily done with GRE/IPsec and route manipulation. Unfortunately, you cannot terminate GRE on the ASA.
01-25-2013 07:29 AM
Hi David,
Thanks - I had wondered about GRE (but haven't implemented it before, so I'm not too clued up on it!)
Would it be possible to do something with GRE between the Site A and Site B routers so that voice and data can be sent on the different ISP links (over site-to-site VPN), with each being capable of taking over from the other in the event of a failure?
Then do something different for each site's connection to the DC? (e.g. even if all site-to-DC traffic had to go over the one ISP link but could fail over to ISP2 if needed, then that would still be OK, I think.)
Or is it a case of either all GRE/IPsec or none for the connectivity between the 3 sites?
Any further advice/suggestions would be welcome!
01-29-2013 04:34 AM
Shameless bump in case anyone else has more ideas/thoughts on this one!
01-29-2013 06:37 AM
Very simple, excluding the DC side:
Set up GRE tunnel1 between Site A and Site B using ISP1 - easy.
Set up GRE tunnel2 between Site A and Site B using ISP2 - easy.
Encrypt both GRE tunnels with IPsec - easy.
Send your voice traffic over GRE tunnel1, but add a floating route pointing to GRE tunnel2 should GRE tunnel1 go down.
Send your data traffic over GRE tunnel2, but add a floating route pointing to GRE tunnel1 should GRE tunnel2 go down.
Your voice traffic will prefer ISP1 and data traffic will prefer ISP2, but you still have redundancy should either ISP1 or ISP2 go down.
The whole thing would have been much easier if you had a router at the DC. With a router at the DC, you can do DMVPN and you will then have total redundancy. Because the ASA does not support GRE or DMVPN, you're out of luck from the DC side.
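To make the answer above concrete, here is an added example of what the Site A side of that design looks like in Cisco IOS configuration. It is not configuration posted by anyone in this thread; interface names (Gi0/1 to ISP1, Gi0/2 to ISP2), the tunnel addressing (172.16.x.x/30), the public peer addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the pre-shared key placeholder are all assumptions. The Site B router mirrors it with the addresses swapped.

```cisco
! Site A 2911 - added example, not from the thread. Assumed interfaces:
!   Gi0/1 = WAN to ISP1 (203.0.113.10/24, gateway 203.0.113.1)
!   Gi0/2 = WAN to ISP2 (198.51.100.10/24, gateway 198.51.100.1)
! Site B peers: 203.0.113.2 via ISP1, 198.51.100.2 via ISP2 (placeholders)
!
! --- IKE/IPsec: one policy, one key per peer address (replace the placeholder) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 203.0.113.2
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.2
!
! Transport mode is enough: GRE already provides the outer tunnel header
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSEC-GRE
 set transform-set TS-AES256
!
! --- GRE tunnel1 over ISP1 (voice preferred) ---
interface Tunnel1
 description GRE to Site B via ISP1
 ip address 172.16.12.1 255.255.255.252
 keepalive 5 3
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile IPSEC-GRE
!
! --- GRE tunnel2 over ISP2 (data preferred) ---
interface Tunnel2
 description GRE to Site B via ISP2
 ip address 172.16.21.1 255.255.255.252
 keepalive 5 3
 tunnel source GigabitEthernet0/2
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile IPSEC-GRE
!
! --- Floating statics: preferred path at AD 1, backup at AD 10 ---
! Site B voice VLAN: prefer tunnel1, fall back to tunnel2
ip route 192.168.2.0 255.255.255.0 Tunnel1
ip route 192.168.2.0 255.255.255.0 Tunnel2 10
! Site B data VLAN: prefer tunnel2, fall back to tunnel1
ip route 10.10.2.0 255.255.255.0 Tunnel2
ip route 10.10.2.0 255.255.255.0 Tunnel1 10
!
! --- Pin each tunnel endpoint to its own ISP so the tunnels never share a path
!     and so the tunnel destination can never be learned via a tunnel (recursive routing) ---
ip route 203.0.113.2 255.255.255.255 203.0.113.1
ip route 198.51.100.2 255.255.255.255 198.51.100.1
! Default route for everything else (assumed to go out ISP1 here)
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

The part that makes the floating route actually work is `keepalive 5 3` on each tunnel interface: a GRE tunnel's line protocol stays up as long as the source interface is up and a route to the destination exists, so without GRE keepalives a failed ISP would not take the tunnel down and the AD-10 backup route would never be installed. The /32 host routes to each peer serve two purposes: they keep tunnel2's encapsulated packets off ISP1 when the default route points there, and they prevent the router from ever routing a tunnel's own destination into a tunnel. Verify failover with `show ip route 192.168.2.0` and `show interfaces tunnel1` after shutting the ISP1 WAN port.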
01-29-2013 07:38 AM
Thanks, that gives me some things to think about - frustrating that things are going to be awkward as far as the DC is concerned though.