[c-nsp] VPN failover / load sharing using IOS?

Rodney Dunn rodunn at cisco.com
Wed Feb 9 08:07:47 EST 2005


What are your ISP connections?
HDLC, PPP, *net, ?

I've done a couple of designs leveraging
HSRP with object tracking of the WAN
links for failover also.

Rodney

On Wed, Feb 09, 2005 at 12:18:40AM -0600, Brian Feeny wrote:
> 
> Actually, you're right. But really the VPN is establishing a single
> source host to a single destination host, since what's really riding on
> top of the GRE layer is the VPN itself.  Like you say, per-destination
> balancing sort of makes it not work very well.
> 
> Too bad cisco doesn't allow you to just define two vpn's and treat the  
> result as two equal paths, that would be a bit better.
> 
> Brian
> 
> On Feb 8, 2005, at 11:59 PM, Luan Nguyen wrote:
> 
> > It would work just like that I think.  The router would just do
> > per-destination load share wouldn't it - unless you only have one host
> > talking to one host?  In our environment we have one spoke with dual GRE
> > tunnels to 2 hubs with equal cost.  Yours is a little different but it
> > should work for load balancing just like that.
> >
> > Luan
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Feeny
> > Sent: Wednesday, February 09, 2005 12:33 AM
> > To: Rodney Dunn
> > Cc: Cameron.Dry at didata.com.au; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] VPN failover / load sharing using IOS?
> >
> >
> > Rodney,
> >
> > I will definitely look into OER.  But if I had 2 GRE tunnels, why can't
> > I just point statics like in my example, for each remote subnet down
> > the tunnels?  Wouldn't that load balance AND work for failover?
> >
> > Thanks,
> >
> > Brian
> >
> > On Feb 8, 2005, at 11:20 PM, Rodney Dunn wrote:
> >
> >> There are really only two ways to do this:
> >>
> >> a) you announce some subset of routes down
> >>    one gre tunnel from the headend and prefer
> >>    them and the other subset over the backup tunnel
> >>
> >> that way if one tunnel goes away you will have failover.
> >> The drawback there is the load sharing isn't dynamic.
> >>
> >> The only way you can get dynamic loadsharing in
> >> this type of setup is OER.
> >>
> >> b) Do OER at the spoke side and let it load balance
> >>    the traffic back towards the headend.
> >>
> >> They were going to put a sample of that in the OER
> >> deployment guide but I'm not sure they have gotten
> >> to it yet.
> >>
> >> http://www.cisco.com/go/oer
> >>
> >> Rodney
> >>
> >>
> >>
> >> On Tue, Feb 08, 2005 at 10:31:43PM -0600, Brian Feeny wrote:
> >>>
> >>> thanks, although that looks to be for sites with multiple routers and
> >>> multiple links.  Each of these sites is only going to have one router,
> >>> that takes in 2 T1's.  I don't think that will work in that scenario.
> >>>
> >>> Brian
> >>>
> >>> On Feb 8, 2005, at 10:07 PM, Cameron.Dry at didata.com.au wrote:
> >>>
> >>>> Check out:
> >>>>
> >>>> http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a00800ed370.html
> >>>>
> >>>> Cameron
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> -----Original Message-----
> >>>> From: cisco-nsp-bounces at puck.nether.net
> >>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> >>>> signal at shreve.net
> >>>> Sent: Wednesday, 9 February 2005 11:50 AM
> >>>> To: 'cisco-nsp'
> >>>> Subject: [c-nsp] VPN failover / load sharing using IOS?
> >>>>
> >>>>
> >>>> Has anyone done any type of VPN failover and/or load balancing using
> >>>> IOS?
> >>>>
> >>>> For example something like 2 1700 routers, each with 2 T1 cards in
> >>>> them.  Each T1 card would be connected to a different ISP, each with its
> >>>> own IP space (no BGP).  Either T1 would be able to go down, and the VPN
> >>>> could re-establish itself over the remaining T1.  Both T1's would be
> >>>> load balanced over for VPN connectivity.
> >>>>
> >>>> Is it possible to establish 2 VPN's, 1 over each link, with the same
> >>>> source/destination private networks defined, and have the router load
> >>>> balance these and also work in failover?
> >>>>
> >>>> Another thought, which is kind of ugly (but maybe not), is 2 GRE
> >>>> tunnels, and then dual static routes over the tunnels:
> >>>>
> >>>> Router 1 T1 #1 <----------- GRE Tunnel #1 -----------> Router 2 T1 #1
> >>>> Router 1 T1 #2 <----------- GRE Tunnel #2 -----------> Router 2 T1 #2
> >>>>
> >>>> ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel1
> >>>> ip route <insert vpn endpoint ip> 255.255.255.255 Tunnel2
> >>>>
> >>>> Then establish the VPN on top of the above.  I don't particularly like
> >>>> the idea of building a tunnel on top of 2 other tunnels, so if anyone
> >>>> has experience in doing this type of setup, please share what you used
> >>>> to do it.
> >>>>
> >>>> Brian
> >>>>
> >>>>
> >>>>
> >>>> Brian Feeny, CCIE #8036, CISSP
> >>>> Network Engineer
> >>>> ShreveNet Inc.
> >>>>
> >>>> _______________________________________________
> >>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>>
> >>>>
> >>>>
> >>>
> >>> Brian Feeny, CCIE #8036, CISSP
> >>> Network Engineer
> >>> ShreveNet Inc.
> >>>
> >
> >
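The disagreement between Luan and Brian above comes down to what per-destination load sharing sees. The following is an added example, not part of the thread and not IOS code: a small Python model of two equal-cost static routes over Tunnel1 and Tunnel2. The hash is a deliberately simplified stand-in for CEF's own bucketed hash; it only keeps the property that matters here, that every packet of one (source, destination) pair lands on the same path. All addresses (10.1.0.x spoke hosts, 10.2.0.x hub servers, 192.0.2.1 and 198.51.100.1 as the two VPN endpoints) and packet counts are constructed for the illustration.

```python
"""Model of per-destination load sharing over two equal-cost GRE tunnels.

Added illustration for the thread above; the hash is NOT the IOS CEF
algorithm, it just reproduces the stable per-pair path choice.
"""
import hashlib
from collections import Counter

# Constructed topology: the single spoke router's two GRE tunnels, one per T1/ISP.
TUNNELS = ["Tunnel1", "Tunnel2"]


def pick_path(src: str, dst: str, paths: list) -> str:
    """Per-destination load sharing, simplified: a stable hash of the
    (src, dst) pair selects the path, so one flow never splits across paths.
    sha256 is used only to get a deterministic, well-mixed stand-in hash."""
    digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def distribute(packets, paths):
    """Count how many of the given (src, dst) packets each path carries."""
    counts = Counter(pick_path(s, d, paths) for s, d in packets)
    return {p: counts.get(p, 0) for p in paths}


def hub_spoke_traffic():
    """Luan's case (constructed): 32 spoke hosts each talking to 4 hub servers,
    one packet per pair, routed directly over the two GRE tunnels."""
    return [(f"10.1.0.{h}", f"10.2.0.{s}")
            for h in range(1, 33) for s in range(1, 5)]


def ipsec_over_gre_traffic(n: int = 1000):
    """Brian's case (constructed): the inner hosts are wrapped in IPsec between
    two VPN endpoints first, so the routing table only ever sees one outer
    (src, dst) pair, repeated for every packet."""
    return [("192.0.2.1", "198.51.100.1")] * n


def demo():
    """Return the per-tunnel packet counts for the three situations discussed:
    direct hub-spoke flows, a single IPsec peer pair, and that same pair after
    the Tunnel2 static route has been withdrawn (link failure)."""
    hub_spoke = distribute(hub_spoke_traffic(), TUNNELS)
    tunnelled = distribute(ipsec_over_gre_traffic(), TUNNELS)
    failover = distribute(ipsec_over_gre_traffic(), ["Tunnel1"])
    return hub_spoke, tunnelled, failover


if __name__ == "__main__":
    hs, tn, fo = demo()
    print("hub-spoke hosts direct over GRE :", hs)
    print("one IPsec peer pair over GRE    :", tn)
    print("same pair, Tunnel2 route removed:", fo)
```

Running it shows the point made in the thread: the 128 host pairs spread over both tunnels, while the single encrypted peer pair puts every packet on whichever tunnel its hash selects and leaves the other idle. Failover still works in the model once the Tunnel2 route is gone, which is the part Brian was asking about. Two practitioner caveats: a static route pointing at a GRE tunnel interface only disappears when that interface goes down, so something (GRE keepalives on the tunnel, or route tracking) has to detect the dead path rather than just the local T1 dropping; and IOS does offer per-packet load sharing on the outgoing interface, which would split even a single pair across both tunnels, at the cost of packet reordering that IPsec anti-replay windows and TCP do not enjoy.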

