I have a question about a design solution. I need to create a redundancy solution with an HQ and more than 30 branch offices. The HQ has 3 connections with 3 ISPs; these connections terminate on the providers' routers and are then connected to different isolated VLANs that share the connection between our two routers.
So I want to create a connection between the HQ and the branches, with VPN GRE tunnels and the EIGRP routing protocol.
In the HQ environment, I need to use HSRP on the LAN side, so the IP of R1 is 192.168.100.1, the IP of R2 is 192.168.100.2 and the VIP is 100.3.
That is right, so the question is: for the WAN side, can I use the HSRP solution? Or do I need to use two different tunnels for each router on the R3 router (two tunnels for R1 and two tunnels for R2)?
I can take DMVPN into consideration, but I want to be able to select different tunnel destinations for the branch routers; for example, Branch 1 should connect to R1 ISPA and R2 ISPC, and Branch 2 should connect to R1 ISPB and R2 ISPA. I think this is not simple in the DMVPN scenario.
I attached the topology.
This is possible as far as I can tell. I did this with fewer ISPs, 2 at HQ and one at the remote sites. That being said, it should not be too much different. I think the key is the loopback interfaces for the tunnel destinations and sources. Each site would need to have 2 loopbacks, one for each tunnel you create; you could likely reuse them at the HQ site. This would allow you to change the ACLs for the VPNs and determine which HQ router the tunnel terminates on.
So HQ1 lo1 would be 10.0.0.100/32 and the RS1a lo1 would be 10.0.0.1/32, HQ2 lo1 10.10.10.100/32 and RS2b lo1 would be 10.10.10.1/32. For RS2 you would use HQ1 lo1 and HQ2 l2, and RS2a lo1 would be 10.0.0.2/32, RS2b lo2 would be 10.10.10.2/32. I think this would make logical sense once you add multiple sites in. I highly recommend you plan the whole IP scheme out beforehand to make sure it is manageable in the end.
As for HSRP, you can use it; just have the routers at the RS participate in EIGRP with each other and the primary will send any routes to the standby that it has a better metric for. If the primary goes down, the standby will take over all the routing.
I should mention that while this should work, I have noticed the more you try to build in redundancy the more odd things will happen. This is due to the additional complexity that comes with additional redundancy. I am not saying you should not do it, but figured it was worth mentioning.
Good luck and I hope this was helpful.
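Added example (not part of the original answer and not the poster's configuration): a Cisco IOS configuration for the first branch router under the loopback scheme described in the answer above, with one GRE tunnel per HQ router and one VPN ACL entry per tunnel. The EIGRP AS number, tunnel subnets, branch LAN, ACL names, and the reading of 10.10.10.1 as this branch's second loopback are assumptions; reachability between the loopback /32s is assumed to come from the existing VPN, whose entries reference these ACLs.

```cisco
! Branch RS1 - constructed example. AS 100, 172.16.x.x tunnel subnets,
! 192.168.1.0/24 LAN and the ACL names are assumptions, not from the thread.
interface Loopback1
 description GRE source for the tunnel to HQ1
 ip address 10.0.0.1 255.255.255.255
!
interface Loopback2
 description GRE source for the tunnel to HQ2
 ip address 10.10.10.1 255.255.255.255
!
interface Tunnel1
 description GRE to HQ1 lo1 (preferred path)
 ip address 172.16.1.2 255.255.255.252
 tunnel source Loopback1
 tunnel destination 10.0.0.100
!
interface Tunnel2
 description GRE to HQ2 lo1 (backup path)
 ip address 172.16.2.2 255.255.255.252
 ! Higher delay than the tunnel default raises the EIGRP metric,
 ! so routes learned over Tunnel1 win while it is up.
 delay 20000
 tunnel source Loopback2
 tunnel destination 10.10.10.100
!
! One ACL per tunnel. Each entry matches exactly one GRE flow between a
! branch loopback and an HQ loopback, so changing the HQ host address
! here (and the tunnel destination) moves the tunnel to another HQ router.
ip access-list extended VPN-TO-HQ1
 permit gre host 10.0.0.1 host 10.0.0.100
ip access-list extended VPN-TO-HQ2
 permit gre host 10.10.10.1 host 10.10.10.100
!
router eigrp 100
 ! Advertise only the tunnel subnets and the LAN. The loopback /32s stay
 ! out of EIGRP so a tunnel destination is never learned through the
 ! tunnel itself (recursive routing takes the tunnel down).
 network 172.16.1.0 0.0.0.3
 network 172.16.2.0 0.0.0.3
 network 192.168.1.0 0.0.0.255
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
```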
Many thanks kenrandrews, your answer is very useful.
I fully agree with you about the "strange redundancy problem", but in this project there are some factors that are very difficult to explain now.
Have you got an opinion about DMVPN?