Site-to-site VPN redundancy

pokey
Level 1

Hi all

Has anyone configured a site-to-site VPN with the head site with 1 router and the remote site with 2 routers? I was thinking of configuring the remote end with HSRP with DPD for failover, but the problem I would get is having the backup link cut back to the primary link. Does anyone know how I can get the backup link to cut back? Or use any other method to solve this?

Thanks in advance

Nhon

2 Replies

Philip D'Ath
VIP Alumni

I've done this several times.

The best way is to use GRE over IPSec, enable a dynamic routing protocol like EIGRP, and weight the GRE tunnel connections to make whatever one you want to use as the preferred link.
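A configuration sketch of the GRE over IPSec design described in the reply above, added here as an example and not part of the original reply. It assumes IOS 15.x syntax, IKEv1 with a pre-shared key, and EIGRP interface `delay` as the weighting mechanism; every address, the AS number, the interface names and the key are constructed placeholders.

```cisco
! Constructed example: addresses, AS number, names and key are placeholders.
! ---- Remote router R1 (preferred path) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Key is bound to the head-site peer only, never to 0.0.0.0
crypto isakmp key <PSK-PLACEHOLDER> address 198.51.100.1
! DPD: probe an idle peer every 10 s, retry every 3 s
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 description Primary GRE/IPsec tunnel to head site
 ip address 10.255.0.2 255.255.255.252
 ! Low delay (tens of microseconds) makes this the best EIGRP path
 delay 1000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
!
! ---- Remote router R2 (backup path) ----
! Same crypto section as R1; only the tunnel subnet and delay differ.
interface Tunnel0
 description Backup GRE/IPsec tunnel to head site
 ip address 10.255.0.6 255.255.255.252
 ! Higher delay: used only while R1's routes are absent
 delay 20000
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 100
 network 10.255.0.4 0.0.0.3
 network 192.168.10.0 0.0.0.255
```

The head-site router needs one tunnel per remote router with the same delay values, so return traffic prefers the same path. When the EIGRP adjacency over the primary tunnel re-forms, the lower-metric routes are reinstalled, so traffic moves back to the primary link without manual intervention.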

thisisshanky
Level 11

It's a general trend to run two hubs and just run one router each at each remote site. Each remote will run two tunnels to each hub (each hub is preferably located at two physically separate locations for disaster recovery and connected to each other by a high bandwidth link). If you want additional redundancy you can add two routers at each remote site and run HSRP on the LAN side with interface tracking on the outside interface. (This will be a more expensive solution.)

DMVPN is a good choice for your scenario. DMVPN uses GRE and IPsec along with NHRP to resolve next hops of remote sites, so you do not need static public IP addressing on each remote site. Also, you can establish dynamic spoke-to-spoke tunnels using DMVPN. Once the DMVPN network is established, you can use a protocol such as OSPF or EIGRP (preferred) to route traffic. I have recently designed a 10-site DMVPN with two hub sites and a tertiary backup hub site via ISDN (dial backup).

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus