ISDN backup for ADSL connected remote sites

Status
Not open for further replies.

mitchen

Technical User
Aug 5, 2005
11
GB
In our set-up we have a central site with a large number of remote sites connected.

We have moved a number of remote sites from ISDN connections to ADSL connections. However, we would like to keep the ISDN and use it for backup.

The problem I have is - how do I implement ISDN backup with our current set-up? From the documentation, I can see how to do this for more "straightforward" set-ups but not for the set-up we have! Let me explain:

At the central site, we have a Cisco 7206 router. The ISDN connected sites connect directly to this router (which is configured with a large number of dialer map statements for each site)

The 7206 connects to a PIX515E firewall. The ADSL connected sites connect over the public internet using IPSEC with the tunnels terminating on the PIX.

The 7206 router contains static routes for the ADSL connected sites, pointing to the firewall.

At the remote sites, we have a Cisco 837 router for the ADSL connection.

This is connected (via ethernet) to the router we want to use for ISDN backup - a Cisco 800. The 837 and 800 are configured with HSRP.

However, at the moment, if the 837 or the ADSL link was to go down, there would be no means to connect to the central site. How can we configure this to use the 2nd router for ISDN backup, given our set-up?

Any suggestions would be greatly appreciated!
 
Hi mitchen,
First thing I'd do is make sure the 800s dial out when the ADSL connection breaks down. I would do it by having the 837 decrease his HSRP priority as soon as his PPPoE interface goes down. You can do this with the "standby track" command.
Check this link for more details:
So by this we would have the 800 as HSRP active as soon as the ADSL connection is no longer available.
In order to have the 800 dial out, you need to have a static default route pointing to the dial target's IP address.

So when the ADSL breaks down, the 837 decreases his HSRP prio and becomes HSRP backup. The 800 becomes HSRP active and handles all user traffic. The static default route and the dialer lists make him dial ISDN to the 7206.

Next problem we have are the static routes pointing to the PIX. The 7206 would send any traffic to the PIX, even if the remote location in question is dialed in via ISDN.

As long as the 7206 is not allowed to dial out to the remote site itself, maybe the following scenario might work:
Give the static routes to the PIX an AD of, let's say 100.
(ip route <network> <subnetmask> <next-hop> <AD>)
And add static routes to the remote location's subnets with an AD better than 100 that point to the ISDN connection of that site.
The ISDN static route should only be in the routing table, when the interface is up and the next hop is available (next-hop awareness).
So, then the static route to the PIX should be in the routing table, as long as the target site is not dialed in.
I'm not sure whether the latter part with the static route will work, you will have to try.

If it doesn't, I'll have to make up my mind again... ;-)
The problem is, that we don't have any dynamic routing in here...

So long,
Mike
 
Hi Mike,

Thanks for the response. I've been doing some digging around myself and think I may be onto a solution (in theory anyway - putting it into practice may be a different matter!)

How does this sound?

I set up a GRE tunnel between the remote site and 7206 router at head office, which in turn would be using IPSEC tunnel between remote router and PIX.

So, steps required:

1) set up IPSec tunnel to PIX (this is the way it is already currently configured so I don't think I need to change anything here)

2) set up GRE tunnel between remote ADSL router and 7206 - requires tunnel interface on both routers with start point and end point configured. Use GRE keepalive to enable the line protocol to be brought down if the far end cannot be reached.

3) Add static routes on ADSL router to reach head office network via tunnel interface

4) Add static route on 7206 router to reach remote network via tunnel interface

5) Configure ISDN map statement on 7206 mapping remote network to ISDN number

6) Configure "floating" static routes on 7206 to use ISDN to reach remote network

7) Configure HSRP on ADSL and ISDN routers with tracking of tunnel interface. If tunnel interface goes down, then ISDN router takes over as active.

8) Configure static routes on ISDN router to point to head office network using BRI0 interface.

So, under normal operation, traffic between head office and remote office will be routed across the GRE tunnel using the ADSL link.

If the ADSL link was to go down then the GRE tunnel would also go down. So, the 7206 would then use the floating static routes to reach the remote network via the ISDN connection.

The ISDN router would take over as active at the remote site since the tunnel interface would have gone down, forcing the HSRP to failover.

Does that sound feasible?

Thanks,

Neil
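
Steps 2 to 8 above sketched as Cisco IOS configuration; this is an added example, not configuration from either poster's routers. Every address, the HSRP group number, the interface names FastEthernet0/0 and Dialer1 and the AD value 200 are assumptions. It also assumes the existing IPSec tunnel already covers traffic between 192.168.10.0/24 and 10.0.0.0/16, so the GRE packets between the two tunnel endpoints are protected by it.

```cisco
! ===== 7206, head office (all addresses constructed for this example) =====
interface Tunnel0
 ip address 172.16.255.1 255.255.255.252
 ! Assumed inside interface facing the PIX, addressed 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel destination 192.168.10.2
 ! Step 2: line protocol drops after 3 missed keepalives, 10 s apart
 keepalive 10 3
!
! Host route for the GRE endpoint only, via the PIX (assumed 10.0.0.2),
! so the tunnel never tries to reach its own destination through itself
ip route 192.168.10.2 255.255.255.255 10.0.0.2
! Step 4: remote LAN via the tunnel; withdrawn when Tunnel0 goes down
ip route 192.168.10.0 255.255.255.0 Tunnel0
! Step 6: floating static, AD 200, next hop = the site's ISDN address
! as it appears in the existing dialer map (step 5)
ip route 192.168.10.0 255.255.255.0 172.16.254.2 200
!
! ===== 837, remote ADSL router =====
interface Tunnel0
 ip address 172.16.255.2 255.255.255.252
 tunnel source Ethernet0
 tunnel destination 10.0.0.1
 keepalive 10 3
!
interface Ethernet0
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 standby 1 preempt
 ! Step 7: lose 20 points when the tunnel drops (110 -> 90, below the 800)
 standby 1 track Tunnel0 20
!
! GRE endpoint via the ADSL interface (assumed Dialer1), where IPSec applies
ip route 10.0.0.1 255.255.255.255 Dialer1
! Step 3: head office network via the tunnel
ip route 10.0.0.0 255.255.0.0 Tunnel0
!
! ===== 800, remote ISDN router =====
interface Ethernet0
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 ! Default priority 100; preempt lets it take over once the 837 drops to 90
 standby 1 preempt
!
! Step 8: head office via the 7206's ISDN address, dialed out of BRI0
ip route 10.0.0.0 255.255.0.0 172.16.254.1
```

The two host routes keep each tunnel destination off the tunnel itself; without them the router would try to reach the GRE endpoint through the tunnel and the interface would flap.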
 
Hi Neil,
Yes, sounds quite good, should work from my point of view. The only drawback is having the GRE and IPSec protocol overhead on the ISDN, that might have impact on performance.
But besides that... great solution!
Mike
 