10-04-2011 04:45 PM
Experts,
I have been reading trying to figure out a way to create the best VPN redundancy using Cisco Routers.
I have multiple sites connecting to a Cisco 1841 on my central site. Budget is always an issue, so I can only use what we have (another Cisco Router)
I would like to accomplish the following:
1. Have 2 routers load balancing the VPN connections (maybe one virtual ip) ? Not sure if HSRP will help?
2. Have a secondary Internet connection (different ISP) so that if one link goes down the other one can pick up.
What are your recommendations?
a. If you can provide some links for reading
b. If you have examples.
Thanks for all the help!!
10-05-2011 07:26 AM
Randall,
Seems like a topic for a day long lecture not a forum question
Do you want to load balance VPN connections between peers, or do you want to load balance traffic between ISPs/tunnels.
How many routers do you have at central location?
Anyway you should start here:
And hands down the way to go is either DMVPN setup or VTI setup (SVTI-SVTI or SVTI-DVTI).
This will allow you to have routing protocol over IPsec.
If you have at least two router at your central location you can either have one router service each ISP or have each router connected to two ISPs (either multihomig or VRF lite).
So my short answer is, it depends.
Marcin
10-05-2011 09:02 AM
Marcin,
Thanks for taking the time to answer my question. And believe me...I know I have to do lots of reading :-) but it is fun to learn!
1. I have 2 routers (trying to get one more)
2. I want to load balance VPN connections
3. If possible...i will do multihoming with 2 ISP * this one is not really required...it would be a nice plus.
Starting to read..... let me know your thoughts
Thanks
10-05-2011 09:17 AM
Randall,
(not going to spellcheck below, in a hurry)
HSRP based redundancy will not allow you to load balance, it will only allow one router to be active at a time (stateful or stateles).
The proper way to do it on IOS (for now! clustering is on the horizon!) is to have connections active to both "hubs" and load balance the traffic.
Recently we were discussing two ISPs on one device scenario for IPsec here:
https://supportforums.cisco.com/thread/2106309
I gave some config examples if you want to have a look.
Multihoming is going to cost you extra, and having BGP on your edge might be a hassle :]
Check it out, read up a bit, let me know what other questions you have we will discuss and clear up a "vision".
Just FYI, it's always best to involve your local SE, they can give you good overview of current best practices etc. Forums is a nice place to start to get idea, but nothing will substitute sitting someone over a cup of coffee ;-)
Marcin
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide