Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
310
Views
0
Helpful
3
Replies

VPN with a Frame Relay backup, yes really.

PJWHITBY
Level 1
Level 1

‎08-18-2003 07:51 AM - edited ‎02-21-2020 12:43 PM

I have this scenario to fix :

c3620 (Spoke) <=> Frame Relay Circuit <=> c3640 (Hub)

c3620 (Spoke) <=> C2924 Switch <=> PIX-515 <=> ADSL Circuit <=> Internet

c3640 (Hub) <=> C5505 <=> PIX-515 <=> LEASED LINE <=> Internet

I hope thats clear !

Now my issue is this. The current setup does not have a VPN tunnel, therefore traffic from Site A (left/spoke) passes to Site B (right/hub) via the Frame Relay link and internet traffic from Site A goes out via the PIX515-a firewall.

Now what I want to do is create a VPN Tunnel between pix515-a (spoke) and pix515-b (hub) that will act as the primary conduit for data, yes I know this sounds daft, but I want the VPN to carry the traffic between sites with the Frame Relay link acting as a backup conduit.

I can create the VPN tunnel and get traffic to pass, thats not my problem, my problem is getting the Frame Relay circuit to act as the backup circuit. If the PIX could use HSRP then I would be okay, but I am at a loss on this one.

Any suggestions?, my gut feeling is that this just will not work. Any suggestions on how to make it work would also be gratefully accepted.

pjwhitby

cne/ccda/ccnp/mcse

Labels:
0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎08-18-2003 06:28 PM

The issue here is that your routing tables at spoke-A and hub-B have to change to point over the FR link when the VPN tunnel goes down. This implies that you need routing updates to go over the VPN tunnel, and when this goes down, you have a floating static route that points over the FR link.

Unfortunately in the PIX there's no way to send routing updates over the tunnel, nor does it support reverse-route injection like the router and VPN3000 does. This means there's no way to automatically make this happen.

About the best you could do is manually add a static route into each side that points the remote network over the FR link when the VPN is down, and then remove it when the VPN is back up.

This would work with VPN3000's or routers at either end, as they both support either RRI or sending routing updates over the tunnel.

0 Helpful

ROBERT WATSON
Level 1
Level 1
In response to gfullage

‎08-21-2003 05:36 AM

Actually you can send routing updates over your VPN tunnels that are established by the PIX FW as you have 3600 series routers at each site.

Create IPSEC tunnels between Pix firewalls and GRE tunnels over the IPSEC tunnels. At that point impliment a dynamic routing protocol on all routers and weight the FR links at a higher cost than the IPSEC links.

Your 3600's will all have a tunnel interface over ipsec and frame interface both to the same destination.

Also don't forget to enable GRE keepalives on your tunnel interfaces due to the default being a no keep.

0 Helpful

PJWHITBY
Level 1
Level 1
In response to ROBERT WATSON

‎08-21-2003 06:46 AM

Thanks gfullage,

The IPSEc tunnel between the PIX-515 is established and operational. Do you then mean generate a GRE tunnel between the PIX's using the IPSec tunnel, or between the routers using the IPSec Tunnel?

I think you mean between the routers which is what I will try whilst I await your response.

Thanks alot,

Paul

0 Helpful
Customers Also Viewed These Support Documents