[c-nsp] VPN failover / load sharing using IOS?
Rodney Dunn
rodunn at cisco.com
Wed Feb 9 12:26:00 EST 2005
On Wed, Feb 09, 2005 at 10:32:32AM -0600, Brian Feeny wrote:
>
> Luan,
>
> thanks for sharing that. It definitely helps to look at a config and
> visualize what's going on.
> It's a twist from what I am familiar with in the sense that you're
> encrypting the GRE traffic, and therefore all the stuff inside the GRE
> will be secure as well, making encrypted GRE tunnels.
That is the easiest way to do it because your crypto ACL
just matches on GRE between the IPSEC endpoints. I think
it's even easier now with the tunnel protect where you just
configure it on the tunnel. I forgot exactly what that looks
like. I think it removes the need to put the ACL matches in there
and just implicitly says if anything goes out the tunnel just
encrypt it.
>
> This does seem like a nice way to do it, since either circuit could go
> down, and both are available for use. As far as per-packet......I am
> thinking that may not work well, since these are really two very
> separate paths (2 ISPs) and there would be lots of re-ordering of
> packets that could lead to serious QoS issues. GRE and IPSEC are
> available on simple 1700 hardware, which makes it attractive too.
You have all the qos pre-classify options to handle the QOS.
>
> Some vendors sell VPN appliances that do this behind the scenes (maybe
> not this exact same way), but simplify configuration and then advertise
> that it's doing load sharing and failover, and I am trying to create a
> solution where I need to provide that kind of functionality, and I
> think this would work well. It's possible to integrate the OER into
> this I would suspect, but I don't know much about that. A lot of times
> with OER they are showing multiple routers at one end communicating to
> a main router. In what I am doing here I have just one router at each
> end.
I've never had a chance to work on a setup like that just yet
so I don't know if it will work. Eventually I need to try it.
>
> Thanks again,
>
> Brian
>
> On Feb 9, 2005, at 9:41 AM, Luan Nguyen wrote:
>
> > I put a sample config for you to look at. My definition of a VPN is
> > the IPSEC transport mode (or tunnel) over the GRE. So if you have dual
> > T1 with their own address from different ISP, then you could build 2
> > VPNs, one for each link. The LAN side - most of the time will be 1918
> > address? Then just use EIGRP or static to create 2 routes equal cost
> > over the 2 GRE tunnels.
> > If you only have one host talking to one host on the LAN side, then
> > there will not be load sharing per-destination. Per packet would do
> > the job though. These are T1 so you don't need that object tracking
> > thing. If you only have one host to one host then maybe do
> > policy-based routing based on the type of traffic so you could load
> > share somewhat.
> ------------------------------------------------------------------------------
> Brian Feeny, CCIE #8036, CISSP    e: signal at shreve.net
> Network Engineer                  p: 318.213.4709
> ShreveNet Inc.                    f: 318.221.6612
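A constructed IOS configuration, added here for illustration and not taken from this thread or from Luan's sample config, showing one site's router with both approaches Rodney describes: on the ISP-1 link a crypto map whose ACL matches only GRE between the IPsec endpoints, and on the ISP-2 link tunnel protection with an IPsec profile, plus two equal-cost static routes over the GRE tunnels for load sharing and failover. All addresses (RFC 5737 documentation ranges), interface names, the remote LAN prefix and the pre-shared key placeholder are assumptions; the peer router is configured as a mirror image.

```ios
! Constructed example: site-A router only, the peer mirrors it.
! Addresses are RFC 5737 documentation ranges; the PSK is a placeholder.
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.2
crypto isakmp key REPLACE-WITH-PSK address 192.0.2.130
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode transport
!
! Tunnel0 over ISP-1, classic crypto map: the crypto ACL matches only
! GRE between the IPsec endpoints, so everything inside the GRE is
! encrypted without listing the LAN prefixes in the ACL.
ip access-list extended GRE-TO-ISP1-PEER
 permit gre host 198.51.100.1 host 203.0.113.2
crypto map VPN-ISP1 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address GRE-TO-ISP1-PEER
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map VPN-ISP1
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source Serial0/0
 tunnel destination 203.0.113.2
 keepalive 10 3
 qos pre-classify
!
! Tunnel1 over ISP-2, tunnel protection: no crypto ACL or crypto map,
! the IPsec profile is bound to the tunnel and all GRE leaving it is
! encrypted implicitly. (Serial0/1 is 192.0.2.1/30 toward ISP-2.)
crypto ipsec profile GRE-PROT
 set transform-set TS
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source Serial0/1
 tunnel destination 192.0.2.130
 tunnel protection ipsec profile GRE-PROT
 keepalive 10 3
 qos pre-classify
!
! Two equal-cost static routes to the remote LAN: per-destination load
! sharing while both tunnels are up; when one tunnel's keepalives fail
! its line protocol drops and that route is withdrawn.
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.2.0 255.255.255.0 Tunnel1
```

The GRE keepalives (not mentioned in the thread) are what let a static route over a tunnel fail over without object tracking; `qos pre-classify` keeps the pre-encryption headers available for QoS classification on the tunnels, as Rodney notes.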