VPN failover if T1 goes down...

Status
Not open for further replies.

nix45

MIS
Nov 21, 2002
478
US
One of our remote offices has a 1750 router with a T1 and an ISDN line coming into it. The T1 is the primary connection to the central office, and the ISDN is a failover for if the T1 goes down. The router in the central office is a 3640.

We'd like to possibly add a DSL connection in the remote office and install a PIX 506 (or another router). The PIX would create a VPN tunnel to our VPN Concentrator 3015. We only want to use this tunnel if the T1 goes down. The ISDN failover would now be a third choice and would only come into play if BOTH the T1 AND the DSL connection were both down.
Is this scenario (or something similar) possible?

Thanks,
Chris
 
Yes.
Set up the ADSL as a second tunnel. Put a keepalive command on both tunnels (T1 & ADSL). You will have to put a backup command for T1 using the ADSL connection, and another backup command for ADSL using ISDN.
That should solve all your problems here.
 
Hi nix45,

Please let us know how you make out with this scenario, as this makes for interesting reading. We had an engineer on our staff who tried doing this "similar" setup and didn't succeed very well. Not that it couldn't be done, but maybe the wrong person was on the job.

gman
 
I think this scenario would be possible by adding another 1750 (or similar) for the DSL connection and then using the HSRP (Hot Standby Router Protocol) on both routers. I'll post my results after I try it.

Chris
 
Firstly, you will need 3 loopback IPs:
1 as tunnel source referral to tunnel 1
2 as tunnel source referral to tunnel 2
3 loopback IP for ISDN usage

The keepalive command must be put in the tunnel interface;
this will trigger the backup command if the tunnel fails.
Note that a loopback interface never fails.
 
I've implemented a similar solution using 2 routers at the remote site; mine didn't have ISDN.

As you have ISDN you need to ensure the tunnel goes down before you can use the ISDN. In my case the VPN is the link of last resort. Check that the router detects the ADSL failure, otherwise you won't be able to fall back to ISDN.

To do this with Cisco routers you may be better off using a GRE tunnel with a dynamic routing protocol, so the routers detect any link failures via the loss of hello messages.

 
gman10, you asked to see how we made out with this when we finished. I have our first demo up right now and it works great using HSRP.

Cisco 1751 router - primary connection - connected to the central office via frame relay on a fractional T1.

Cisco 1710 router - backup connection - connected to the central office via VPN tunnel through its sDSL line.

We're using HSRP to detect link failures. If you pull a cable out of the 1751 (primary), within seconds the 1710 will assume the virtual IP and everything will continue as normal (except for the fact that traffic is being routed through a VPN tunnel now instead of the frame relay). Everything is transparent to the end users, except for the few seconds that it takes to switch over.

Chris
 
Nix45,

Can you post the configuration of the 1710 router?

We're looking forward to implementing something similar in our branch offices.

Any documentation you have will be helpful. Please email me at hectorm_z at yahoo.com.mx

Thanks!
 
Hector, I emailed you an HSRP.pdf from Cisco's website. Here are some notes...



The following is the configuration for Router A:

hostname RouterA
!
interface ethernet 0
ip address 1.0.0.1 255.0.0.0
standby 1 ip 1.0.0.3
standby 1 preempt
standby 1 priority 110
standby 1 authentication denmark
standby 1 timers 5 15
!


The following is the configuration for Router B:

hostname RouterB
!
interface ethernet 0
ip address 1.0.0.2 255.0.0.0
standby 1 ip 1.0.0.3
standby 1 preempt
standby 1 authentication denmark
standby 1 timers 5 15
!


The standby ip interface configuration command enables HSRP and establishes 1.0.0.3 as the IP address of the virtual router. The configurations of both routers include this command so that both routers share the same virtual IP address. The 1 establishes Hot Standby group 1. (If you do not specify a group number, the default is group 0.) The configuration for at least one of the routers in the Hot Standby group must specify the IP address of the virtual router; specifying the IP address of the virtual router is optional for other routers in the same Hot Standby group.

The standby preempt interface configuration command allows the router to become the active router when its priority is higher than all other HSRP-configured routers in this Hot Standby group. The configurations of both routers include this command so that each router can be the standby router for the other router. The 1 indicates that this command applies to Hot Standby group 1. If you do not use the standby preempt command in the configuration for a router, that router cannot become the active router.

The standby priority interface configuration command sets the router's HSRP priority to 110, which is higher than the default priority of 100. Only the configuration of Router A includes this command, which makes Router A the default active router. The 1 indicates that this command applies to Hot Standby group 1.

The standby authentication interface configuration command establishes an authentication string whose value is an unencrypted eight-character string that is incorporated in each HSRP multicast message. This command is optional. If you choose to use it, each HSRP-configured router in the group should use the same string so that each router can authenticate the source of the HSRP messages that it receives. The "1" indicates that this command applies to Hot Standby group 1.

The standby timers interface configuration command sets the interval in seconds between hello messages (called the hello time) to five seconds and sets the duration in seconds that a router waits before it declares the active router to be down (called the hold time) to eight seconds. (The defaults are three and 10 seconds, respectively.) If you decide to modify the default values, you must configure each router to use the same hello time and hold time. The "1" indicates that this command applies to Hot Standby group 1.




 
Guys,

I also would add that setting the "standby priority 110" on Router A is good, but also add "standby priority 105" to Router B, only because it's easy to forget the defaults.

R.
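
Added example (not part of the thread or of Cisco's notes): a Python check that applies the rules from the two posts above to the posted configurations. The virtual IP, authentication string and timers must match across the group, the authentication string travels unencrypted, and a router with no explicit priority runs at the default of 100. The function names are illustrative, and treating `authentication md5 ...` as the non-plaintext form assumes an IOS release that supports that keyword.

```python
import re

# Router A and Router B as posted above, embedded so the check runs offline.
ROUTER_A = """hostname RouterA
interface ethernet 0
ip address 1.0.0.1 255.0.0.0
standby 1 ip 1.0.0.3
standby 1 preempt
standby 1 priority 110
standby 1 authentication denmark
standby 1 timers 5 15
"""
ROUTER_B = """hostname RouterB
interface ethernet 0
ip address 1.0.0.2 255.0.0.0
standby 1 ip 1.0.0.3
standby 1 preempt
standby 1 authentication denmark
standby 1 timers 5 15
"""
STANDBY = re.compile(r"^\s*standby\s+(?:(\d+)\s+)?(ip|preempt|priority|authentication|timers)\b\s*(.*)$")

def parse_hsrp(config):
    """Return {group: {keyword: argument}} for the 'standby' lines of one router."""
    groups = {}
    for line in config.splitlines():
        if m := STANDBY.match(line):  # no group number means group 0
            groups.setdefault(int(m.group(1) or 0), {})[m.group(2)] = m.group(3).strip()
    return groups

def audit(configs):
    """configs maps hostname -> config text; returns sorted (group, host, issue) tuples."""
    parsed = {host: parse_hsrp(text) for host, text in configs.items()}
    findings = set()
    for group in {g for p in parsed.values() for g in p}:
        members = {h: p[group] for h, p in parsed.items() if group in p}
        for key in ("ip", "authentication", "timers"):
            # The virtual IP is optional on all but one router, so ignore routers that omit it.
            seen = {s.get(key) for s in members.values() if key != "ip" or key in s}
            if len(seen) > 1:
                findings.add((group, "*", f"{key} differs between routers"))
        for host, s in members.items():
            if not s.get("authentication", "").startswith("md5 "):
                findings.add((group, host, "authentication string is sent unencrypted"))
            if "priority" not in s:
                findings.add((group, host, "priority left at the default of 100"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit({"RouterA": ROUTER_A, "RouterB": ROUTER_B}), sep="\n")
```

On the posted pair this reports the plaintext string on both routers and the implicit priority on Router B; adding "standby 1 priority 105" to Router B clears the latter.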

 