Frame, VPN, and DSL Oh My...

Status
Not open for further replies.

MattWray

I would like some opinions.
We are thinking of Disaster Recovery solutions and have come up with the following idea:

Currently we have 5 Frame links to remote sites with 1600's. If these links go down, right now they are dead in the water.
Would it be possible to get DSL at the remote sites, set up a VPN between the 1600's, and have that as an alternate route in case the Frame went down?
Does this sound right? If not, where am I going wrong?


Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Yes, this can work, I'm setting up such a system at present. You would need a second interface in the 1600 for the DSL link. Alternative would be ISDN backup.

The easiest way for the VPN is to use a GRE tunnel and encrypt (IPSec) that tunnel over the Internet.
 
What about if I have a DSL router at the remote site, connect that thru VPN to the 1600 at the HQ, and have a route in the Remote 1600 that has a higher metric thru the DSL router? So if the Frame route is not available, it will route out the DSL router. Our 1600's only have 1 slot and it has a WIC already in it. I have read of some of the DSL routers being able to router-to-router VPN with Cisco....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
That's almost exactly what I'm doing. I use Linux firewalls on the T1 or DSL internet connections with FreeS/WAN running between them. The Ciscos have default routes set to the internal IP of the firewall (each site uses its internet connection for internet access) and run EIGRP for routing protocols. If a link goes down, the EIGRP routes are lost and all that's left are connected & default.
 
The GRE tunnel would originate in the 1600 at your remote site; it appears as a virtual interface in the router config once it's enabled. You then point the tunnel over the DSL link to your central site, encrypt it and run EIGRP over it. Set the EIGRP delay on the tunnel to something higher than the normal frame link; when frame fails you'll automatically use the VPN.

You'll still need some form of firewall to protect your remote sites against intrusion over the DSL links, do the DSL routers provide this?
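
The tunnel design described in the post above, written out as an added example (not a config from the thread or from any poster). It assumes an IOS image with the IPsec feature set, a routable address on the Internet-facing interface with no NAT between the peers, and placeholder values throughout: 198.51.100.1 for the central site, 192.0.2.1 for the ISP gateway, 172.16.0.0/30 for the tunnel, and the names GRE-TS and GRE-PROT.

```ios
! Constructed example: remote-site router, GRE over IPsec as the EIGRP backup path.
! Every address, name and key below is a placeholder (assumption).
!
! IKE phase 1: authenticate the central-site peer with a pre-shared key.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! IPsec phase 2: transport mode, because GRE already supplies the outer header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Tunnel0
 description Backup path to central site over the Internet
 ip address 172.16.0.2 255.255.255.252
 ! delay is entered in tens of microseconds. Pick a value larger than the
 ! delay "show interfaces Serial0" reports, so EIGRP prefers the Frame path.
 delay 50000
 tunnel source Ethernet0
 tunnel destination 198.51.100.1
 ! Encrypt everything that leaves through the tunnel, EIGRP hellos included.
 tunnel protection ipsec profile GRE-PROT
!
router eigrp 1
 ! Run EIGRP on the tunnel subnet only, never on the Internet-facing network.
 network 172.16.0.0 0.0.0.3
 no auto-summary
!
! Pin the tunnel endpoint to the Internet gateway so that a route learned
! through the tunnel can never be used to reach the tunnel destination itself.
ip route 198.51.100.1 255.255.255.255 192.0.2.1
```

With both links up, `show ip route` should list the remote prefixes through Serial0; the Tunnel0 path should take over only after the Frame Relay neighbor is lost.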
 
1600 routers do not support DSL; you need a 1721 or 2600, and both have to be specified with the correct ISO.

MCSE,MCSA,MCP+i,MCP
 
I am not planning on connecting the DSL to the 1600, but to a DSL router there also.
I am looking into a new Netgear DSL Firewall that supports Stateful Packet Inspection, as we are on a tight budget.
Routerman or lgarner, could you post a sample config of this? Easier for me to get my head around it if I can see an example of a working one....

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
I am currently knee deep in this and was wondering if anyone has a config they can post...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Hmmm. It's been a while. The generic failover-to-dsl that I used looks like this:

interface Ethernet0
 description Connected to Internet Gateway
 ip address 10.1.2.1 255.255.255.0
!
interface FastEthernet0
 description Connected to Internal Network
 ip address 10.1.1.1 255.255.255.0
!
interface Serial0
 description Connected to Frame-Relay
 ip address 192.168.0.5 255.255.255.252
!
router eigrp 1
 network 10.0.0.0
 network 192.168.0.0
 no auto-summary
!
ip classless
! assumes that inside ip of firewall is "10.1.2.2"
ip route 0.0.0.0 0.0.0.0 10.1.2.2

You could do this with a single LAN interface, just put the internet router on your internal segment. You might want to specify "no ip redirects" on the LAN interface.

This also assumes that the VPN is being handled by the internet firewall/gateway.

Lee.
 
If you're on a tight budget you should consider ISDN. How often do your frame links fail? At least you can set up ISDN in a pay-by-the-minute setup, and if you rarely fail over you can keep your monthly charges extremely low.

I would think with DSL you'd be incurring a $40+ monthly charge per connection, which would be worse.

Of course your initial setup costs might be higher as you buy ISDN units for remote offices and get some ISDN pipes in to your main office.

If you haven't already, try to work out the math on both options before you make a final decision.
 
Thanks guys for the responses. Maondas, we already have the cable in place. One reason for using cable is that I'd like to prove that it can work well in the hopes of doing away with the Frame.
Lee, thanks for the config. I think it will help me greatly. I go to San Antonio next week to implement our first site of the rollout. Will post back with what I do and how it works out...

Thanks,

Matt Wray
MCSE, MCSA, MCP, CCNA

 
Matt - just out of curiosity are you running any voice traffic over your WAN?
 
Well, we got it up and running. The only weird thing is when it goes down and comes back up. When I take it down, it's good to go, kicks right over to the VPN. Problem is when it comes back up I have to reboot the machines. What it looks like is happening is that the machines are caching a route over the backup link and want to keep sending that way...

I also still have RIP turned on. Would it be beneficial to turn it off now that I have enabled EIGRP?

All inputs/ideas welcome!

Thanks,

Matt Wray

GFH

 
That's odd. So I understand- is there a single router which has a LAN interface, an Internet interface, and a DSL interface? Or do you have two routers, one to the Internet and one to the Frame? And by "machines" I assume you mean the computers, not the router(s). If you have only one router, then you can disregard the rest of my reply since I don't see how rebooting the workstations could affect the router's actions.

If you have two routers on your LAN, then I can see the problem. Your Frame router is redirecting your workstations to the Internet router when it goes down, but the Internet router isn't redirecting them back.

One way around this is to enter "no ip redirect" on the LAN interface of the frame router to ensure that workstations always talk to it first. It will then forward the packets to the Internet router if necessary, and won't tell the workstations to go there directly.

Another (better, I think) way is to have the Internet router participate in the EIGRP group with the Frame router, and make sure that ip redirects is enabled. Also, ensure that the Frame route is preferred over the Internet- you might have to tweak something, like lying about the bandwidth or delay so the Frame looks better.

I see no need for RIP as long as you don't need to transfer routing information to non-Cisco equipment. EIGRP is more robust and faster to converge.



 
Thanks Lee. To clarify, we do have 2 routers there. We have one 1721 and a Linksys RV082 VPN router. I think the No IP redirect would work; the Linksys doesn't really have that much in the way of configurable options, and it doesn't support EIGRP, though hopefully that will change with Cisco taking over.

Thanks again for the tips. I'll try 'em out and post back with results...

Thanks,

Matt Wray

GFH

 
Sorry about the delay, but everything is working perfectly. Got to see it live unfortunately. We were changing Frame providers and of course they waited to cut till the 26 of Feb to do it. So, we cut and the Frame did not come up, but it kicked right over to the VPN. We went ahead and left it on the VPN for 2 days till we got the CO straightened out. As soon as the Frame came up, kicked right over to the frame.

I just enabled EIGRP on all routers, set 2 routes to the destination with the VPN having a higher metric, and set no ip redirects on the E interface.

Big thanks to Lee, and hope this can help someone else!

Thanks,

Matt Wray

GFH

 