[c-nsp] VPN failover / load sharing using IOS?

Brian Feeny signal at shreve.net
Wed Feb 9 11:32:32 EST 2005


Luan,

Thanks for sharing that. It definitely helps to look at a config and visualize what's going on. It's a twist from what I am familiar with, in the sense that you're encrypting the GRE traffic, and therefore all the stuff inside the GRE will be secure as well, making encrypted GRE tunnels.

This does seem like a nice way to do it, since either circuit could go down, and both are available for use. As far as per-packet... I am thinking that may not work well, since these are really two very separate paths (2 ISPs) and there would be lots of re-ordering of packets that could lead to serious QoS issues. GRE and IPSEC are available on simple 1700 hardware, which makes it attractive too.

Some vendors sell VPN appliances that do this behind the scenes (maybe not this exact same way), but simplify configuration and then advertise that it's doing load sharing and failover. I am trying to create a solution where I need to provide that kind of functionality, and I think this would work well. It's possible to integrate OER into this, I would suspect, but I don't know much about that. A lot of times with OER they are showing multiple routers at one end communicating to a main router. In what I am doing here I have just one router at each end.

Thanks again,

Brian

On Feb 9, 2005, at 9:41 AM, Luan Nguyen wrote:

> I put a sample config for you to look at. My definition of a VPN is the
> IPSEC transport mode (or tunnel) over the GRE. So if you have dual T1
> with their own address from different ISPs, then you could build 2 VPNs,
> one for each link. The LAN side - most of the time will be 1918 address?
> Then just use EIGRP or static to create 2 routes equal cost over the 2
> GRE tunnels. If you only have one host talking to one host on the LAN
> side, then there will not be load sharing per-destination. Per-packet
> would do the job though. These are T1s so you don't need that object
> tracking thing. If you only have one host to one host then maybe do
> policy-based routing based on the type of traffic so you could load
> share somewhat.
------------------------------------------------------------------------------
Brian Feeny, CCIE #8036, CISSP    	e: signal at shreve.net
Network Engineer           			p: 318.213.4709
ShreveNet Inc.             			f: 318.221.6612
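The following is an added example of one router end of the design Luan describes (two GRE tunnels, one per ISP link, each protected by IPsec, with EIGRP installing two equal-cost routes across them). It is not the sample config Luan sent or anything from Brian; all addresses, the pre-shared key placeholder, the LAN prefix and the EIGRP AS number are hypothetical, and it assumes an IOS release that supports `tunnel protection ipsec profile`.

```cisco
! Added example, not from the thread. ISP-A and ISP-B addressing, the PSK
! and the LAN prefix 192.168.10.0/24 are all hypothetical.
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
! One IKE peer per ISP link; each is the remote router's address on that ISP.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.129
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.129
!
! Transport mode is enough: GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface Serial0/0
 description T1 to ISP-A
 ip address 198.51.100.1 255.255.255.252
!
interface Serial0/1
 description T1 to ISP-B
 ip address 203.0.113.1 255.255.255.252
!
! Tunnel0 rides ISP-A; everything inside it is encrypted by GRE-PROT.
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/0
 tunnel destination 198.51.100.129
 tunnel protection ipsec profile GRE-PROT
!
! Tunnel1 rides ISP-B with the same protection.
interface Tunnel1
 ip address 10.255.0.5 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Serial0/1
 tunnel destination 203.0.113.129
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/0
 description LAN (RFC 1918)
 ip address 192.168.10.1 255.255.255.0
!
! EIGRP runs over both tunnels; the remote LAN shows up with two
! equal-cost next hops, so CEF per-destination load sharing applies and
! a dead link (and its EIGRP neighbor) drops out on its own.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
!
! Pin each remote tunnel endpoint to its own ISP so the GRE/ESP packets
! for Tunnel0 never leave via ISP-B and vice versa.
ip route 198.51.100.129 255.255.255.255 198.51.100.2
ip route 203.0.113.129 255.255.255.255 203.0.113.2
```

The remote router mirrors this with its own ISP addresses and tunnel IPs. With one host talking to one host, per-destination CEF will keep all traffic on a single tunnel, as Luan notes; `ip load-sharing per-packet` on both tunnel interfaces (on both routers) spreads it across the two paths, at the cost of the reordering Brian raises, since the two ISP paths have independent latency. The `ip mtu` / `ip tcp adjust-mss` values leave headroom for the GRE and ESP overhead so the encrypted tunnel traffic is not fragmented on the T1s.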