From: Murtaza Bhaiji (mbhaiji@yahoo.com)
Date: Sun Mar 13 2005 - 05:50:53 GMT-3
Hi once again,
Apart from the below config. You can have both the
Framerelay and DSL terminate in one router, and
configure one link to be the back up of the other
(using the backup interface command) the rest of the
IPSEC config remain the same. only on the remote end
you will have 2 set peer statements or Cryto maps, and
you will have to configure ISAKMP keep alives.
Hope this helps. For any further clarification you can
ping me offline.
regards,
MB
--- Murtaza Bhaiji <mbhaiji@yahoo.com> wrote:
> Hi There,
>
> Instead of doing all the follows you can add another
> router to your DSL link. Configure HSRP on the
> Ethernet interfaces. Use the Virtual IP on the PCs
> on
> the LAN as the DG.
>
> Configure your IPSEC Tunnel over the HSRP. This is
> known as High Availability IPSEC VPN.
>
> Read the following links to get config ideas:
>
>
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800ed370.html
>
>
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
>
> regards,
> MB
>
> --- cciex4 <cciex4@yahoo.com> wrote:
> > Hi all,
> >
> > I have one network scenario that needs your expert
> > inputs. It is a hub-and-spoke setup. The spoke
> side
> > has one WAN/Internet router that has one
> frame-relay
> > and one Ethernet interface (connected to a DSL
> > router), which connect to two different routers on
> > the hub side (one for frame relay and the other
> for
> > DSL).
> >
> > Also, VPN is to be configured on the DSL
> connection
> > between the spoke and hub routers. The IGP is
> EIGRP.
> >
> > Topology below:
> >
> >
> SpokeRouter-FR-------WAN-------FR-HubFRRouter-----|
> > |
>
> > LAN
> >
> ETH--DSL--------Internet-----DSL--ETH-HubVPNRouter-|
> >
> > The requirement for spoke side are (1) to do load
> > balancing between the frame and VPN/DSL, (2)
> suport
> > dynamic failover between frame & DSL, and (3)
> direct
> > part of the traffic to DSL and others to frame,
> and
> > (4) all internet bound traffic need to be back
> > hauled to the hub.
> >
> > For req #1, I'm thinking of create a GRE/IPSEC
> > tunnel on the DSL, then use EIGRP for dynamic load
> > balancing. For req #2 & #3, NBAR (ie MOD CLI) and
> > PBR traffic on the incoming LAN interface. In
> order
> > to allow dynamic failover, use "set ip next-hop
> > verify-availability" on the PBR route-map. For req
> > #4, set a default route to a loopback interface on
> > the hub router.
> >
> > What are the issues that you see? One of the
> issues
> > that I can see is that packets sent from spoke to
> > HubVPNRouter need to return to the same router (ie
> > not from the HubFRRouter) otherwise the IPSec
> > session will break? am I right?
> >
> > Thank you very much!
> >
> >
> >
> >
> > ---------------------------------
> > Do you Yahoo!?
> > Yahoo! Small Business - Try our new resources
> site!
> >
> >
> >
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com
>
Send instant messages to your online friends http://uk.messenger.yahoo.com
This archive was generated by hypermail 2.1.4 : Sun Apr 03 2005 - 17:56:45 GMT-3