
VPN w/Frame Relay backup

nds-frank
Level 1

OK, this is going to be very long and drawn out. It is more of a routing question, I think. We have 155 sites, but this is only a test at 1. We have a 1720 router with two WICs, one a 56k CSU/DSU and the other a 10Mb Ethernet card.

The Ethernet card connects to a DSL modem which is successfully connected. The 56k csu connects to a FR network. At our headend we have 1 3640 router which has a connection to the 56k frame circuit (routing via ODR on headend).

We also have a VPN 3000 Concentrator in our network with an outside ip to the Internet. We would like to have a route over the VPN connection from the site to our headend but when it goes down to backup on Frame Relay. We are running RIP between the 3640 and the concentrator so the 3640 will know of the route between the concentrator over the DSL to the router.

My dilemma is that when I tell the 1720 to default route to the ethernet0 interface (DSL) the whole connection dies. How can I get these two routers to use the VPN connection and back up over the FR if the VPN connection goes down (not the interface but the actual connection itself)? I have added an offset to the 3640's RIP setup, so it seems that it is taking the route from the 3000 concentrator, but when I put the default route in on the remote side it dies. (BTW, full connectivity by FR and VPN works and has been tested.)

Thanks,

Frank

1 Reply

aacole
Level 5

Hi Frank, you're correct in thinking this is primarily a routing question.

Just to be clear, as I understand this you currently have a VPN link between the 1720 and the 3000, which is at HQ. Both the VPN and the Frame links work fine.

Part of the problem is that you're using RIP; you really need to use a routing protocol that can form an adjacency with its neighbour, such as EIGRP. Then when any part of the link between the 2 routers that form the adjacency fails, the route table gets updated and the router can select an alternate path.

This solution may sound complex, but it works fine, I've used it with PIX to IOS VPN links to back up frame circuits, but it will also provide Frame back up to the VPN. That’s down to route selection on the routers.

The steps needed.

Enable EIGRP on the 1720 and the 3640; this will run alongside RIP.

Create a GRE tunnel between the 3640 and the 1720; using static routes, ensure this establishes via the VPN link, not the frame.

EIGRP will form a neighbour relationship over the VPN. By altering the tunnel bandwidth or delay it’s possible to make this the primary route.

Add a floating static route that points over the frame. Floating means that this route will only become active if the VPN link fails and that route drops out of the routing table.

As an alternative you could use EIGRP across the frame instead of a floating static; alter metrics to make this a secondary route.

Here is a tunnel configuration:

interface Tunnel0
 description primary tunnel to branch
 bandwidth 1024
 ip address 192.168.nn.nn 255.255.255.0
 ip mtu 1420
 delay 100
 tunnel source Loopback0
 tunnel destination 192.168.yy.yy
 tunnel path-mtu-discovery

ip route 192.168.yy.yy 255.255.255.255 10.5.0.100

router eigrp 100
 network 10.0.0.0
 network 192.168.nn.nn 0.0.0.255
 no auto-summary
 eigrp log-neighbor-changes

If you want more help with this let me know; honestly, it’s not as bad as it sounds!
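
The branch (1720) side of the steps in the reply above, including the floating static route it describes, as an added example that is not part of the original posts. All addresses, the branch LAN prefix, and the interface names `Loopback0` and `Serial0.1` are constructed assumptions, and the existing IPsec policy is assumed to already carry traffic between the two tunnel endpoints.

```cisco
! Branch 1720 side (added example). All addresses and interface names
! below are constructed placeholders, not values from the thread.
interface Loopback0
 description GRE source; stands in for the 192.168.yy.yy endpoint
 ip address 192.168.60.1 255.255.255.255
!
interface Tunnel0
 description primary tunnel to headend 3640 (rides the IPsec VPN)
 bandwidth 1024
 ip address 192.168.50.2 255.255.255.0
 ip mtu 1420
 delay 100
 tunnel source Loopback0
 tunnel destination 10.0.0.1
 tunnel path-mtu-discovery
!
! Pin the GRE endpoint to the DSL/VPN path (203.0.113.1 = DSL gateway).
! This /32 is more specific than anything EIGRP or the floating static
! offers, so GRE never rides the frame and the tunnel destination is
! never learned through the tunnel itself.
ip route 10.0.0.1 255.255.255.255 203.0.113.1
!
router eigrp 100
 network 192.168.50.0 0.0.0.255
 network 172.16.20.0 0.0.0.255
 no auto-summary
 eigrp log-neighbor-changes
!
! Floating static over the frame PVC: administrative distance 250 loses
! to EIGRP (90) while the neighbour over Tunnel0 is up, and is installed
! only after EIGRP withdraws its routes when that neighbour times out.
ip route 10.0.0.0 255.0.0.0 Serial0.1 250
```

Because failover is driven by the EIGRP neighbour timing out across the tunnel, it reacts to loss of the VPN connection itself even while the Ethernet interface stays up. Return traffic needs the equivalent preference at the headend, otherwise the two directions take different paths.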