03-12-2012 03:22 PM
I have a Cisco 1841 at one of our remote sites that has a dual-homed internet connection. Planning on using PBR & IP SLA to use the internet connections in an Active/Standby pair, but also need to set up a VPN tunnel (actually a couple of tunnels) over the Active internet connection. Is this possible on the 1841s & 2811s, and if so, how would I go about setting it up?
Jeff
03-14-2012 11:05 AM
So I'm finding information on Cisco's VTI, just not sure if it is available on the 2800 & 1800 ISRs (running advsecurity). Does anyone know?
03-14-2012 11:35 AM
03-14-2012 01:12 PM
That looks good for the VTI configuration. Will this work in conjunction with PBR & IP SLA in a dual-ISP scenario? Trying to set up a primary and secondary ISP connection that can fail over automatically, yet still allow a VPN tunnel to function regardless of which ISP connection is the active one.
03-14-2012 01:25 PM
One method.
Using IP SLA, what you are trying to achieve basically entails a default-route failover to the standby circuit when the primary ISP circuit fails. So please read the thread below, which shows how to set up a default-route failover from one physical interface to another.
https://supportforums.cisco.com/thread/2034251
Second method is:
You introduce a dynamic routing protocol (such as EIGRP) at both ends (sites), and your router peers over both circuits with the remote router.
When one circuit fails, the dynamic routing protocol will start using the second circuit.
Hope that helps.
thanks
03-16-2012 12:05 PM
At the moment, I have an active GRE tunnel from one site to the data center. If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning? Given that the Tunnel interface has to have a source command set on it, wasn't sure if there would still be some manual intervention necessary to fail over connectivity.
03-16-2012 01:12 PM
"If I use either the IP-SLA or dynamic routing, will I still be able to have the tunnel functioning?"
Yes, in either case you can incorporate your existing tunnel as well.
With the existing GRE setup you use static routes to push traffic from both ends of the tunnel, so as far as IP SLA is concerned, you use GRE interfaces as primary and backup by setting a higher cost on the static route, as shown in the above thread.
Now, for GRE tunnels when introducing a dynamic routing protocol into the equation: in this scenario your routing protocol will peer over the GRE tunnel interface IP addresses, which go over two separate circuits, and you increase the delay on one tunnel interface so that the other circuit will be preferred due to its lower delay. When that circuit (i.e. the lower-delay circuit) goes down, EIGRP will start using the backup circuit's GRE tunnel.
I hope that helps.
thanks
Rizwan Rafeek.
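The second method described above (one GRE tunnel per ISP circuit, EIGRP peering over both, higher delay on the backup tunnel), written out as an added IOS configuration sketch that is not from any poster in this thread. Interface names, all addresses (documentation and private ranges), the EIGRP AS number, and the assumption that the data center offers a separate public endpoint for each tunnel are constructed for illustration.

```cisco
! Added example. Assumed values (not from the thread):
!   ISP1: FastEthernet0/0 198.51.100.2/30, next hop 198.51.100.1
!   ISP2: FastEthernet0/1 192.0.2.2/30,    next hop 192.0.2.1
!   Data center endpoints: 203.0.113.10 (reached via ISP1),
!                          203.0.113.20 (reached via ISP2)
!   Site LAN: 10.10.0.0/16, EIGRP AS 100
!
interface FastEthernet0/0
 description ISP1 (primary circuit)
 ip address 198.51.100.2 255.255.255.252
!
interface FastEthernet0/1
 description ISP2 (backup circuit)
 ip address 192.0.2.2 255.255.255.252
!
! Host routes pin each tunnel's outer GRE packets to its own ISP,
! so neither tunnel depends on which default route is active.
ip route 203.0.113.10 255.255.255.255 198.51.100.1
ip route 203.0.113.20 255.255.255.255 192.0.2.1
!
! Each tunnel has a fixed source, so no manual change is needed on failover.
interface Tunnel0
 description GRE to data center over ISP1 (preferred)
 ip address 10.255.0.1 255.255.255.252
 ! delay is configured in tens of microseconds; lower value wins in EIGRP
 delay 1000
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
!
interface Tunnel1
 description GRE to data center over ISP2 (backup)
 ip address 10.255.1.1 255.255.255.252
 ! higher delay than Tunnel0, so EIGRP uses this path only when Tunnel0's
 ! neighbor is lost
 delay 2000
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.20
!
! EIGRP forms a neighbor over each tunnel and advertises the site LAN.
router eigrp 100
 network 10.255.0.0 0.0.0.3
 network 10.255.1.0 0.0.0.3
 network 10.10.0.0 0.0.255.255
 no auto-summary
```

Plain GRE is not encrypted; to make these VPN tunnels, apply `tunnel protection ipsec profile` with a profile of your own on each tunnel interface. The data center router needs the mirror-image configuration, with the same delay values on its two tunnels.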
03-18-2012 11:46 AM
Please rate helpful post.
thanks
03-19-2012 11:52 AM
I believe that will work. Need to read through everything you've posted, and write the configurations up for our environment. Hopefully will have an opportunity to test it out this week.
Thanks again for the help!