[c-nsp] VPN failover / load sharing using IOS?

Rodney Dunn rodunn at cisco.com
Wed Feb 9 08:01:50 EST 2005


I need to see a topology diagram to answer
most of this because there are different
scenarios that require different things.

If you have one spoke router with dual
GRE tunnels to two different hub routers
you have a single point of failure at
the spoke.

Therefore what I would do is on the spoke
have a static route that points at hub1 out
WAN connection 1 and a static route towards
hub2 out WAN connection 2.
Then also have a default route pointing at
both ISP1 and ISP2 of equal cost.

What that does is force IPSEC1 to always
go to ISP1 and IPSEC2 to always go towards
ISP2.  Your defaults will loadSHARE (not
balance) your internet traffic from the spoke
on a hash of the src/dst ip address.  If
it's private address space you will nat on each
outside interface to get the same return path.

Then for your traffic going to the hub you run
EIGRP stubs to the spokes and therefore for your
networks from the hub you will have equal cost
paths at the spoke and the traffic will loadSHARE
based on the src/dst hash.

When things get really strange is when there
is a requirement to send one type of traffic over
one path and traffic from the same source ip address
down a different path with failover.  You can do it,
it's just not very intuitive.

With dual spoke routers it also is a bit more complex.

Rodney
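
As an added illustration of the spoke-side setup Rodney describes above (this is not his config or any Cisco document), assuming a spoke with LAN 10.1.1.0/24 behind FastEthernet0/0, two serial WAN links, hub tunnel endpoints 203.0.113.10 and 203.0.113.20, and EIGRP AS 100, all constructed values; the IPsec crypto map protecting the tunnels is omitted:

```cisco
! Added illustrative spoke config, not from the thread: addresses are RFC 5737
! documentation ranges, the EIGRP AS and tunnel addressing are assumed
interface Serial0/0
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
interface Serial0/1
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
! Pin each hub endpoint to one WAN so IPsec/GRE #1 always rides ISP1 and #2 ISP2
ip route 203.0.113.10 255.255.255.255 Serial0/0
ip route 203.0.113.20 255.255.255.255 Serial0/1
! Equal-cost defaults: CEF load SHARES internet flows on a src/dst hash
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1
!
interface Tunnel1
 ip address 172.16.1.2 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.10
!
interface Tunnel2
 ip address 172.16.2.2 255.255.255.252
 tunnel source Serial0/1
 tunnel destination 203.0.113.20
!
! NAT LAN flows per outside interface so the return path follows the ISP they left on;
! the LAN ACL keeps router-sourced GRE/IPsec packets out of the translation
ip access-list standard LAN
 permit 10.1.1.0 0.0.0.255
route-map NAT-ISP1 permit 10
 match ip address LAN
 match interface Serial0/0
route-map NAT-ISP2 permit 10
 match ip address LAN
 match interface Serial0/1
ip nat inside source route-map NAT-ISP1 interface Serial0/0 overload
ip nat inside source route-map NAT-ISP2 interface Serial0/1 overload
!
! Spoke as EIGRP stub: hub networks arrive as equal-cost routes over Tunnel1 and Tunnel2
router eigrp 100
 network 10.1.1.0 0.0.0.255
 network 172.16.0.0 0.0.255.255
 eigrp stub connected
```

If one WAN link drops, its tunnel and the default route via that serial interface leave the table, so both hub and internet traffic fail over to the remaining ISP; `show ip route` and `show ip cef exact-route` confirm which path a given src/dst pair hashes to.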


On Wed, Feb 09, 2005 at 12:59:54AM -0500, Luan Nguyen wrote:
> It would work just like that I think.  The router would just do
> per-destination load share wouldn't it - unless you only have one host
> talking to one host?  In our environment we have one spoke with dual GRE
> tunnels to 2 hubs with equal cost.  Yours is a little different but it
> should work for load balancing just like that.  
> 
> Luan
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> Sent: Wednesday, February 09, 2005 12:33 AM
> To: Rodney Dunn
> Cc: Cameron.Dry at didata.com.au; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] VPN failover / load sharing using IOS?
> 
> 
> Rodney,
> 
> I will definitely look into OER.  But if I had 2 GRE tunnels, why can't  
> I just point statics like in my example, for each remote subnet down  
> the tunnels?  Wouldn't that load balance AND work for failover?
> 
> Thanks,
> 
> Brian
> 
> On Feb 8, 2005, at 11:20 PM, Rodney Dunn wrote:
> 
> > There are really only two ways to do this:
> >
> > a) you announce some subset of routes down
> >    one gre tunnel from the headend and prefer
> >    them and the other subset over the backup tunnel
> >
> > that way if one tunnel goes away you will have failover.
> > The drawback there is the load sharing isn't dynamic.
> >
> > The only way you can get dynamic loadsharing in
> > this type of setup is OER.
> >
> > b) Do OER at the spoke side and let it load balance
> >    the traffic back towards the headend.
> >
> > They were going to put a sample of that in the OER
> > deployment guide but I'm not sure they have gotten
> > to it yet.
> >
> > http://www.cisco.com/go/oer
> >
> > Rodney
> >
> >
> >
> > On Tue, Feb 08, 2005 at 10:31:43PM -0600, Brian Feeny wrote:
> >>
> >> thanks, although that looks to be for sites with multiple routers and
> >> multiple links.  Each of these sites is only going to have one router,
> >> that takes in 2 T1's.  I don't think that will work in that scenario.
> >>
> >> Brian
> >>
> >> On Feb 8, 2005, at 10:07 PM, Cameron.Dry at didata.com.au wrote:
> >>
> >>> Check out:
> >>>
> >>> http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800ed370.html
> >>>
> >>> Cameron
> >>>
> >>>
> >>>
> >>>
> >>> -----Original Message-----
> >>> From: cisco-nsp-bounces at puck.nether.net
> >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> >>> signal at shreve.net
> >>> Sent: Wednesday, 9 February 2005 11:50 AM
> >>> To: 'cisco-nsp'
> >>> Subject: [c-nsp] VPN failover / load sharing using IOS?
> >>>
> >>>
> >>> Has anyone done any type of VPN failover and/or load balancing using
> >>> IOS?
> >>>
> >>> For example something like 2 1700 routers, each with 2 T1 cards in them.
> >>> Each T1 card would be connected to a different ISP, each with its own
> >>> IP space (no BGP).  Either T1 would be able to go down, and the VPN could
> >>> re-establish itself over the remaining T1.  Both T1's would be load
> >>> balanced over for VPN connectivity.
> >>>
> >>> Is it possible to establish 2 VPN's, 1 over each link, with the same
> >>> source/destination private networks defined, and have the router load
> >>> balance these and also work in failover?
> >>>
> >>> Another thought, which is kind of ugly (but maybe not), is 2 GRE
> >>> tunnels, and then dual static routes over the tunnels:
> >>>
> >>> Router 1 T1 #1 <----------- GRE Tunnel #1 -----------> Router 2 T1 #1
> >>> Router 2 T1 #2 <----------- GRE Tunnel #2 -----------> Router 2 T1 #2
> >>>
> >>> ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel1
> >>> ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel2
> >>>
> >>> Then establish the VPN on top of the above.  I don't particularly like
> >>> the idea of building a tunnel on top of 2 other tunnels, so if anyone
> >>> has experience in doing this type of setup, please share what you used
> >>> to do it.
> >>>
> >>> Brian
> >>>
> >>>
> >>>
> >>> Brian Feeny, CCIE #8036, CISSP
> >>> Network Engineer
> >>> ShreveNet Inc.
> >>>
> >>> _______________________________________________
> >>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >>
> >> Brian Feeny, CCIE #8036, CISSP
> >> Network Engineer
> >> ShreveNet Inc.
> >>
> 

