Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VPN failover to frame realy

Status
Not open for further replies.
Pancevo1956

Pancevo1956

IS-IT--Management
Nov 3, 2008
57
0
0
RS
I have vpn connection to an overseas location - IPSEC (site-to-site), Cisco 2601, and it woorks OK. in the meantime The overseas company establish location in my state. They are considering how to set up backup link to my company through Frame Relay. In fact they are considering something like failover scheme.


I do not know how to do it? OK I might set up a sort of HSRP to watch whether the overseas router-firewall is alive, and in the case of failure to switch to locition close to me through frame relay connection. I have one spare FR interface on my router.


Is there some reference manual (case study perhaps) to help me?
 
Sort by date Sort by votes
depending on your architecture at each location it could be a combination of floating static routes with hsrp, ip sla with hsrp, or using a dynamic routing protocol (depending on how you have your L2L VPN setup) with hsrp.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
I have static routes for both IPsec (tunnel) and nonecrypted interface (FR). However could I not figure out whether this could fit into the entry order of operation or not?

"If IPSec, then check input access list
Decryption--for Cisco Encryption Technology (CET) or IPSec
Check input access list
Check input rate limits
Input accounting
Policy routing
Routing
Redirect to Web cache
NAT inside to outside (local to global translation)
Crypto (check map and mark for encryption)
Check output access list
Inspect context-based access control (CBAC)
TCP intercept
Encryption
Here's the order of operations for the outside-to-inside list:

If IPSec, then check input access list
Decryption--for CET or IPSec
Check input access list
Check input rate limits
Input accounting
NAT outside to inside (global to local translation)
Policy routing
Routing
Redirect to Web cache
Crypto (check map and mark for encryption)
Check output access list
Inspect CBAC
TCP intercept
Encryption "

Let say that I use AD for static route 110 for VPN 110 and 120 for nonencrypted (backup). Would it work?
 
Upvote 0 Downvote
yes, what you're referring to are floating static routes. i would put the AD lower just because 110 and 120 are ADs for OSPF and RIP (it probably won't hurt anything, but i'm picky); something like a static without an AD specified (1) and then a static with an AD specified of like 2 or higher. have hsrp track the tunnel on the routers terminating the L2L VPN and the serial interface on the router with the frame link.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Luzbel
  • Locked
  • Question
Connecting HVAC controller to network
Replies
0
Views
71
Luzbel
Luzbel
Skip Rango
  • Locked
  • Question
how to backup cisco sg500-52p switch
Replies
1
Views
101
madwok
madwok
quazimotto
  • Locked
  • Question
Cisco ASA_5505 VPN to Juniper_SRX210 VPN IS UP_ No Traffic!!!!!!
Replies
0
Views
37
quazimotto
quazimotto
PThomp3344
  • Locked
  • Question
Trying to connect to Cisco Unified Controller web interface: UC520W-16U-4FXO-K9
Replies
1
Views
90
bdk76
bdk76
WinstonCH
  • Locked
  • Helpful tip
What is wrong with the diagram, there are people who will help to fix it? How do i do the configurat
Replies
1
Views
87
BIS
BIS

Part and Inventory Search

Sponsor

Back
Top