[c-nsp] Redundant VPN w/ Cisco Routers

tkapela at gmail.com tkapela at gmail.com
Sat May 29 17:38:31 EDT 2010


+1 to the KISS principle using virtual-template ints and statics; however, next-hop reachability is somewhat obtuse unaided by gre keepalives or other end to end reachability determination.

Also, +2 to DMVPN (which is multipoint gre aided by nhrp) + some flavor of IGP on top. Everyone knows that one working remote site vpn invites more, especially when the bossman learns of how well it all works.

Imho, working igp + handy, simple metrics (for when you add multiple hubs and have some HA for the end sites) is worth the extra mtu and related overhead.

-Tk
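Tk's DMVPN suggestion (mGRE + NHRP with an IGP on top), written out below as an added example, not configuration from anyone on the thread: one hub and one spoke whose WAN address changes, with EIGRP as the IGP. The 1841 hub's public address 192.0.2.1, the tunnel subnet 10.0.2.0/24, the LANs 192.168.0.0/24 and 192.168.1.0/24, the interface names (FastEthernet0/0, FastEthernet0/1, Dialer0, Vlan1), the pre-shared key and the NHRP key are all placeholders; the second remote router is the same spoke block with its own tunnel and LAN addresses.

```cisco
! ===== Hub: Cisco 1841, public address 192.0.2.1 on FastEthernet0/0 (assumed), LAN on Fa0/1 =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14                                   ! older 12.4 images may only offer group 2
crypto isakmp keepalive 10 3 periodic       ! IKE DPD so a silently dead spoke is torn down
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 0.0.0.0 0.0.0.0   ! spokes have no fixed address
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport                             ! GRE already supplies the outer IP header
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.2.1 255.255.255.0
 no ip redirects
 ip mtu 1400                                ! leave room for GRE + ESP inside a 1500-byte path
 ip tcp adjust-mss 1360
 ip nhrp authentication nhrpkey1            ! placeholder; NHRP auth strings are 8 chars max
 ip nhrp map multicast dynamic              ! copy EIGRP multicast to every registered spoke
 ip nhrp network-id 1
 no ip split-horizon eigrp 1                ! re-advertise one spoke's LAN to the others
 no ip next-hop-self eigrp 1                ! keep the originating spoke as next hop
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 passive-interface FastEthernet0/1          ! hub LAN: no EIGRP hellos toward the users
!
! ===== Spoke: Cisco 878, dynamic address on Dialer0 (assumed), LAN 192.168.1.0/24 on Vlan1 =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp keepalive 10 3 periodic
crypto isakmp key DMVPN-PSK-PLACEHOLDER address 192.0.2.1   ! the hub is the only peer we name
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.2.3 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication nhrpkey1
 ip nhrp map 10.0.2.1 192.0.2.1             ! the only static mapping: tunnel IP -> hub public IP
 ip nhrp map multicast 192.0.2.1            ! send our EIGRP multicast to the hub
 ip nhrp network-id 1
 ip nhrp nhs 10.0.2.1                       ! register whatever public address Dialer0 has now
 ip nhrp registration no-unique             ! allow re-registration after the DHCP/PPP address changes
 tunnel source Dialer0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
router eigrp 1
 network 10.0.2.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 passive-interface Vlan1
```

A second hub is just a second `ip nhrp map` / `ip nhrp nhs` pair on each spoke plus a larger `delay` on the tunnel interface facing the hub that should be the backup; EIGRP's composite metric then chooses the primary hub without any route-map work, which is the "simple metrics" point above. The wildcard pre-shared key on the hub is what lets spokes with changing addresses authenticate at all, and it also means anyone holding that key can register from anywhere, so plan on certificates (RSA signatures) once the second site shows up.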

-----Original Message-----
From: "Sercan Aktas" <saktas at thrupoint.net>
Date: Sat, 29 May 2010 18:15:08 
To: <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Redundant VPN w/ Cisco Routers

Hi Garry,

If you have only two sites, you can consider VTIs, which will help you get
rid of the additional GRE overhead and provide you with pretty much the same
functionality as GRE over IPSec.

On the local router you can setup two static VTI tunnels. The remote site
router with static IP can also have a static VTI and the other remote router
with dynamic IP can have dynamic VTI. The only drawback of VTIs compared to
GRE is that they only support IP (unicast & multicast), whereas GRE can
support non-IP protocols.

If you don't have too many networks to be advertised, go for static routing.
If you have multiple networks, then RIPv2 would be the best solution.

One other thing to consider from the remote site perspective is which router
would actively be forwarding traffic. GRE keepalives could help you on that,
but they are not compatible with tunnel protection. So you can rely on
dynamic routing with a floating static route (with a high AD) that could
point towards the standby router, hence the second tunnel.

I hope this helps and can give you some ideas.

Sercan
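Sercan's VTI design with RIPv2 and a floating static toward the standby router, written out below as an added example rather than configuration from any poster. One choice here is mine: the 1841 hub terminates both remotes on a single dynamic VTI (virtual-template), because it cannot name a tunnel destination for the 878's changing address anyway and one IKE profile is simpler than mixing a static and a dynamic VTI; the 887 still gets its own pre-shared key bound to its fixed address. Both remotes run static VTIs and initiate IKE toward the hub. The public addresses (192.0.2.1 and 192.0.2.2 on the hub, 203.0.113.10 on the 887), the LANs 192.168.0.0/24 and 192.168.1.0/24, the loopbacks from Garry's mail, the interface names (FastEthernet0/1, Dialer0, Vlan1) and the keys are placeholders.

```cisco
! ===== Hub: Cisco 1841, static WAN addresses 192.0.2.1 and 192.0.2.2 (assumed), LAN 192.168.0.0/24 on Fa0/1 =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp keepalive 10 3 periodic       ! IKE DPD: a dead peer takes its VTI line protocol down
crypto keyring VPN-KR
 pre-shared-key address 203.0.113.10 key KEY-887-PLACEHOLDER      ! specific key first
 pre-shared-key address 0.0.0.0 0.0.0.0 key KEY-878-PLACEHOLDER   ! 878's address is unknown; certs are better
crypto isakmp profile DVTI-PROF
 keyring VPN-KR
 match identity address 0.0.0.0
 virtual-template 1                         ! every authenticated peer gets a Virtual-Access clone
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
 set isakmp-profile DVTI-PROF
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4                     ! plain IPsec, no GRE header or GRE keepalive
 tunnel protection ipsec profile VTI-PROF
!
router rip
 version 2
 no auto-summary
 network 10.0.0.0                           ! loopback and the unnumbered virtual-access tunnels
 network 192.168.0.0
 passive-interface FastEthernet0/1          ! hub LAN
!
! ===== Remote router 1: Cisco 887, static WAN 203.0.113.10 on Dialer0, LAN gateway 192.168.1.1 on Vlan1 =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp keepalive 10 3 periodic
crypto isakmp key KEY-887-PLACEHOLDER address 192.0.2.1
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
interface Loopback0
 ip address 10.0.1.1 255.255.255.255
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 192.0.2.1               ! sVTI starts IKE as soon as the interface is up
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.1.0
 passive-interface Vlan1
! RIP (AD 120) over Tunnel1 wins while the tunnel is up. When DPD drops the SA the
! interface goes down, its RIP route leaves with it, and this AD 250 route sends
! hub-bound LAN traffic across the LAN to router 2, which still has its own tunnel.
ip route 192.168.0.0 255.255.255.0 192.168.1.2 250
!
! ===== Remote router 2: Cisco 878, dynamic WAN on Dialer0, 192.168.1.2 on Vlan1 =====
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp keepalive 10 3 periodic
crypto isakmp key KEY-878-PLACEHOLDER address 192.0.2.2
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
interface Tunnel1
 ip unnumbered Loopback0
 tunnel source Dialer0
 tunnel destination 192.0.2.2               ! hub's second uplink, so each remote lands on a different hub link
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
router rip
 version 2
 no auto-summary
 network 10.0.0.0
 network 192.168.1.0
 passive-interface Vlan1
 offset-list 0 out 5 Tunnel1                ! +5 hops on everything we send: hub prefers router 1 until it is gone
```

The liveness problem Sercan raises for GRE keepalives is handled differently here: a VTI's line protocol follows its IPsec SA, so once DPD (10 s interval, 3 retries above, roughly half a minute) declares the peer dead the interface goes down and every route over it is withdrawn immediately, instead of waiting for RIP's flush timer. The hub sees the remote LAN from both routers and keeps the 887 path because of the offset; the 887 keeps forwarding for its LAN even when its own tunnel is down, via the floating static through the 878. Check with `show crypto session`, `show ip route rip` on the hub, and pull the 887's DSL line to watch the AD 250 route appear.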

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Garry
Sent: Saturday, May 29, 2010 8:19 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Redundant VPN w/ Cisco Routers

Hi,

I've received a request about setting up a redundant VPN between two
sites ... remote site has two routers connected to two separate lines,
one with static IP, the other dynamic. Local site has a single router
with two links, both static IPs. HW used is a 1841 locally, remote has
an 887 and 878 ...

As I can't use the same internal IP ranges for both VPNs, I was thinking
about setting up something along this idea:

- put in some loopback IP, e.g.: 10.0.0.1 for local site, 10.0.1.1 for
remote router 1, 10.0.1.2 for remote router 2
- set up IPSEC VPNs for 10.0.0.1-10.0.1.1 and 10.0.0.1-10.0.1.2
- run GRE tunnels over those IPSEC tunnels
- use some IGP over the tunnel (and between the two remote routers) to
route the actual LANs

Does this sound like a feasible solution, or is there a better way to
set this up? I've looked around a bit on the 'net, but apart from some
people asking for similar solutions (and usually not getting an answer)
I couldn't find anything ...

Tnx, Garry
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


