From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Wed Apr 05 2006 - 14:11:51 GMT-3
I understand...no diagram necessary. I've set up similar solutions in the
past when I controlled both sides of the tunnel but I don't think I could
get all my vendors to set this up, especially when many of them may not run
EIGRP. You are right though, when this solution is in place it fails over
very well.
Thanks for the info Christian!
Rik
_____
From: Administrator [mailto:Administrator@StandardAeroTech.ca]
Sent: Wednesday, April 05, 2006 11:34 AM
To: Guyler, Rik; ccielab@groupstudy.com
Subject: RE: OT: VPN redundancy
Basically the way I do it is as follows... (oh and I apologize in
advance, it's easier to diagram or talk it out)
Anyway, head site has a router. Head site has a backup router.
Basics of it is like this.
Remote site has say a 1710 connected to the internet. A GRE VPN tunnel is
created from the remote site to the head site. A second tunnel is built to
the backup router in the head site also using GRE. Each GRE tunnel
interface has its own WAN network as well. Keepalives are running on the
tunnels as well.
The remote site router has two tunnels (running EIGRP) across to two
separate tunnel endpoints at the main site. I can start a constant ping to
the network across the VPN, and shut the primary VPN router off and the
pings 99 out of 100 times don't even miss one. Sometimes they do miss 1
ping.
Now, if you have two routers at the remote side, and two routers at the
central side, it's even more redundant. I have a couple of those as well.
No HSRP needed there. These boxes go into a switch that also has routing
tables and such. They get the path information accordingly.
I think this is a pretty crappy description so my apologies. But I hope
this helps a bit Rik. If you have any questions, I will continue to do my
best to answer them. But as I said, a diagram is probably best.
christian
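Christian's dual-tunnel design above, as an added Cisco IOS configuration sketch for the remote-site router; this is an illustration written for this archive page, not Christian's own config. The addresses, interface names, EIGRP AS number and the IPsec profile wrapped around the GRE tunnels are assumptions (plain GRE provides no confidentiality, so the profile is added here), and how GRE keepalives behave once tunnel protection is applied varies by IOS release, so it should be verified in the lab.

```cisco
! Remote-site router (constructed example). All addresses are documentation
! placeholders: 203.0.113.1 = head-site primary, 203.0.113.2 = head-site backup.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! Each GRE tunnel gets its own /30 "WAN" network, as Christian describes.
! keepalive <period> <retries>: three missed 5-second keepalives bring the
! tunnel line protocol down so EIGRP withdraws the path immediately.
interface Tunnel1
 description GRE to head-site primary router
 ip address 10.255.1.2 255.255.255.252
 keepalive 5 3
 tunnel source FastEthernet0
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile GRE-PROT
!
interface Tunnel2
 description GRE to head-site backup router
 ip address 10.255.2.2 255.255.255.252
 keepalive 5 3
 ! Higher delay makes EIGRP prefer Tunnel1; Tunnel2 is used only when
 ! Tunnel1 is down. Omit this line to load-balance across both tunnels.
 delay 2000
 tunnel source FastEthernet0
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile GRE-PROT
!
! Run EIGRP over both tunnel networks plus the remote LAN (192.168.10.0/24).
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 192.168.10.0 0.0.0.255
 no auto-summary
```

With EIGRP hellos on both tunnels and keepalives tearing down the failed one, the router converges to the backup path without any HSRP on the head end, which is the behaviour Christian reports in his ping test.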
_____
From: nobody@groupstudy.com on behalf of Guyler, Rik
Sent: Wed 4/5/2006 9:12 AM
To: 'ccielab@groupstudy.com'
Subject: RE: OT: VPN redundancy
Thanks for the reply. Stateful failover would be nice but I don't consider
it necessary. If the SAs had to be rebuilt on the backup router then that
would happen dynamically and within seconds so the worst case scenario is
something would have to be retransmitted or reconnected.
We'll see. I haven't ruled out the ASA boxes yet but they aren't at the top
of the list. Some of the newer IOS supports SSO failover for IPSEC but
unfortunately not on a 3600 series. I would have to buy two new 3800
routers. Oh darn... ;-)
Rik
-----Original Message-----
From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
Sent: Wednesday, April 05, 2006 9:50 AM
To: Guyler, Rik
Cc: 'ccielab@groupstudy.com'
Subject: Re: OT: VPN redundancy
Hi.
The problem with redundancy with HSRP+VRRP is that it is not a stateful
failover, i.e. if the primary fails, the secondary has to rebuild tunnels anyway. I
don't know if it is critical for you.
With PIX (and most probably ASA) you have a stateful failover over a dedicated
LAN interface. I have 2 PIX 515E in failover mode with 7.1.1 on the primary and
7.1.2 on the secondary. I have a plan to restart the primary to activate 7.1.2 which
is on flash now.
Documentation claims that 7.1 has VPN stateful failover. 7.0 had really
buggy failover in general; you can have a look at the bug fixes.
Let's see if stateful failover for VPN works in 7.1. Will post results as it
happens.
A.
on 05/04/2006 15:28 Guyler, Rik wrote:
> I currently have a 3660 router that terminates nearly 25 vendor VPN tunnels.
> These tunnels are considered mission critical to our hospital
> operations and so an outage of much duration would be a hardship.
> Even with a 4-hour SmartNet it could take several hours to get this back
> up and running.
>
> I'm looking at various redundant setups so I could lose this router
> and still maintain connectivity. Here are the options I have
> considered so far in order of preference:
>
> 1) add a second router and setup HSRP/VRRP on both the inside and
> outside interfaces and terminate the tunnels to the virtual address on the
> outside.
>
> 2) setup a pair of ASA5500s and setup failover
>
> 3) setup a second router and build secondary tunnels to each vendor
>
> I like the sound of number one the best but not sure if it will work.
> I'll lab it up to verify that unless somebody can say for sure it
> won't work. I really don't want to move over to the ASA boxes...I
> just love VPN on routers. Secondary tunnels would require a lot of
> work and time so that's really the last option.
>
> Does anybody know of any other possible solutions to throw in the mix?
> Even some outrageous ideas might be fun to try and who knows...might just
> work.
> I'm open to any ideas or suggestions at this point!
>
> Thanks!
>
> Rik
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3