
VPN L2L as a WAN Backup

jose cortes
Level 1

Hi everybody,

I have a customer who has the topology shown on the picture below (also attached as a file). As you can see he has two ISPs, one for Internet service and another for WAN service. Also there are 3 remote branch offices that also have WAN connections with ISP-2, and each one has an Internet connection with a different ISP.

Currently the ASA works as VPN server for the remote teleworkers by means of IPsec tunnels using the Cisco VPN Client.

The customer (and so do I) wants to know if there is a possibility to back up the WAN connection using VPN LAN-to-LAN tunnels. This way, if the ISP-2 WAN fails, the VPN L2L connection is automatically brought up and the branch offices will access the services through the tunnel.

Can you help me with some information and configuration guides, please?

Topologia.png

Thanks in advance.

Jose Manuel Cortes Hurtado


4 Replies

Yudong Wu
Level 7

Yes, you can use an L2L tunnel as the backup.

You can configure the L2L tunnel as normal but use routing to control how the traffic to the main office is forwarded.

For example, at the branch office, you can configure a floating static route to route all traffic to the main office via the Internet connection. In the normal situation, the traffic to the main office will be forwarded to the WAN interface based on its existing routing table. You need to configure SLA to track the reachability to the WAN router of the main office. When it is not reachable, the existing route will be removed based on SLA tracking, the floating route for the L2L VPN will be added to the routing table, and the traffic will be forwarded via the VPN tunnel accordingly.

At the main office, you can do a similar thing. Here is an example for the ASA, and you can do the same on a router as well.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
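The branch-side mechanism described in the reply above (tracked primary route over the WAN, floating static route over the Internet link, L2L IPsec tunnel that carries the traffic once the floating route is installed), written out as an added IOS configuration example. This is not configuration from the original post or from the Cisco document linked above; it assumes a single branch router that holds both the WAN and Internet uplinks and terminates the tunnel, and every address, interface name, tunnel peer and pre-shared key below is a placeholder:

```cisco
! ---- Branch router (assumed topology, placeholder addressing) ----
! Gi0/0 = WAN link to ISP-2, Gi0/1 = Internet link, Gi0/2 = branch LAN
! HQ LAN summary: 10.10.0.0/16   HQ WAN router (probe target): 172.16.0.1
! HQ ASA outside (VPN peer): 198.51.100.1   Branch LAN: 192.168.10.0/24
!
interface GigabitEthernet0/0
 description WAN link to ISP-2
 ip address 172.16.1.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Internet link to branch ISP
 ip address 203.0.113.2 255.255.255.248
 crypto map L2L-BACKUP
!
interface GigabitEthernet0/2
 description Branch LAN
 ip address 192.168.10.1 255.255.255.0
!
! IP SLA probe: ICMP echo to the HQ WAN router every 10 s, sourced from the WAN link
ip sla 10
 icmp-echo 172.16.0.1 source-interface GigabitEthernet0/0
 frequency 10
 timeout 2000
 threshold 1500
ip sla schedule 10 life forever start-time now
!
! Tracking object; the down/up delays dampen a flapping WAN link
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Host route pins the probe target to the WAN next hop (not tracked), so after a
! failover the probe is not answered through the VPN, which would flap the track
ip route 172.16.0.1 255.255.255.255 172.16.1.1
!
! Primary route to HQ (AD 1) is withdrawn when track 10 goes down
ip route 10.10.0.0 255.255.0.0 172.16.1.1 track 10
!
! Floating static (AD 250) to HQ via the Internet gateway; installed only when the
! primary is gone, at which point the crypto map on Gi0/1 brings up the L2L tunnel
ip route 10.10.0.0 255.255.0.0 203.0.113.1 250
!
! Default route for Internet traffic; also reaches the HQ VPN peer
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! ---- L2L IPsec tunnel to the HQ ASA (phase 1 / phase 2) ----
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
!
! Interesting traffic: branch LAN to HQ LAN; the ASA side must carry the mirror image
ip access-list extended VPN-INTERESTING
 permit ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255
!
crypto map L2L-BACKUP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES-SHA
 match address VPN-INTERESTING
```

Two points worth checking in a lab before deploying: if the branch router also does PAT on Gi0/1 for Internet access, the VPN-INTERESTING traffic must be exempted from NAT (a deny entry in the NAT ACL or route-map) or the crypto ACL will never match; and the HQ side needs the same pattern in reverse, a tracked route for each branch LAN over the WAN router and a floating route toward the ASA (or the ASA itself tracking its WAN path, as in the linked example), otherwise return traffic keeps leaving through the failed WAN while the branch-to-HQ direction works.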

Hi Yudong,

Thank you for answering so fast. I have some doubts about the deployment. In the topology my Internet connection and WAN connection belong to different ISPs with different routers, so I guess I should implement the route tracking and floating route on the ASA for the HQ. Up to here I think I figured it out, but when I look at the branch offices I also have 2 different ISPs and, of course, 2 different routers. My questions are:

If I ask the Internet provider to set up the VPN tunnel policies on its router, will the deployment work? Or

Will I need another router (per branch office) to implement the tunnel and also route my LAN traffic either to the WAN or to the VPN tunnel?

Thanks in Advance

Jose Manuel Cortes Hurtado

Yes, you can terminate the VPN on your Internet router if possible. The key of this implementation is about routing. So you have to find a point where you can control where the traffic should be forwarded. Then use routing with SLA tracking to control when the floating route should be added into the routing table. If you can provide the detailed info about how the routing is set up at the main office, I can take a look at it.

As for the branch office, if there are two routers already for the WAN and Internet connections respectively, is there any other layer 3 device behind them to do the routing? A topology diagram of a typical branch office and routing setup info will be helpful.

Thanks again Yudong,

Right now I don't have the router configurations. But I think you made yourself clear with your last post. I will try to do a lab test and later I'll deploy it on the customer's network.

Regards,

Jose Manuel Cortes Hurtado