VPN Backup link


#1 larabasha


Posted 22 October 2012 - 08:20 PM

Hello Experts,

I need a little help in configuring the VPN backup link connection from a small office to the head office.

Scenario: We have a 2 Mbps MPLS connection from the ISP (Reliance) from the head office (Location: Bangalore) to the sales office (Location: Chennai) and need to create backup connectivity over an Internet connection if the MPLS goes down.

From the Internet ISP I have a public IP.


Can anyone suggest what things I need and what I have to configure on the router to reach my network over the Internet VPN?

Thanks

Lara Basha
  • 0

#2 MarkinManchester


Posted 22 October 2012 - 09:37 PM

You just need a P2P IPsec VPN. You can configure DMVPN, but it sounds too much for what you need. You can manage the link by using EEM!!

This is an example of how someone else configured theirs:

Today I faced a routing loop with one of our customers, which is multihomed to our company and another one. Our link was their BACKUP link if their BGP neighborship to the other ISP failed. What I had done was configure AS-path prepending, but today, when for the first time the primary link changed state to DOWN and UP again, my prepended advertisement was still being selected as the BEST by some part of the world. But the worse thing was that the primary link advertisement was also the BEST in some parts. I checked in so many looking glasses. As a matter of fact, the path via our ISP should not be best anywhere.
The problem was that the router which I'm advertising to has no BGP relation with the router which the primary ISP is advertising to!
So, I did some SLA and EEM as below:
  • ip sla 100
    icmp-echo 172.16.100.2
    frequency 10
    ip sla schedule 100 life forever start-time now
  • track 1 ip sla 100 reachability
  • event manager applet SLA_DOWN
    event syslog pattern "sla 100 state Up->Down"
    action 1 cli command "enable"
    action 2 cli command "conf t"
    action 3 cli command "route-map CHNG_GW permit 10"
    action 4 cli command "no set ip next-hop 188.75.64.10"
    action 5 cli command "set ip next-hop 188.75.64.13"
    action 6 cli command "exit"
  • event manager applet SLA_UP
    event syslog pattern "sla 100 state Down->Up"
    action 1 cli command "enable"
    action 2 cli command "conf t"
    action 3 cli command "route-map CHNG_GW permit 10"
    action 4 cli command "no set ip next-hop 188.75.64.13"
    action 5 cli command "set ip next-hop 188.75.64.10"
    action 6 cli command "exit"
  • event manager applet PARDIS_DOWN
    event syslog pattern "Up->Down"
    action 1 cli command "enable"
    action 2 cli command "conf t"
    action 3 cli command "router bgp 49689"
    action 4 cli command "network 150.100.12.0 mask 255.255.255.0"
    action 5 cli command "network 150.100.13.0 mask 255.255.255.0"
  • event manager applet PARDIS_UP
    event syslog pattern "Down->Up"
    action 1 cli command "enable"
    action 2 cli command "conf t"
    action 3 cli command "router bgp 49689"
    action 4 cli command "no network 150.100.12.0 mask 255.255.255.0"
    action 5 cli command "no network 150.100.13.0 mask 255.255.255.0"
So when the “%TRACKING-5-STATE: 1 rtr 1 state Up->Down” or “%TRACKING-5-STATE: 1 rtr 1 state Down->Up” appears, the applet runs automatically and advertises or dis-advertises the networks.
There are so many other solutions for such a situation, maybe with communities, doing some PBR, etc., but this one is easier for the router to handle. And also more fun for me.
  • 1

#3 tazacar


Posted 28 October 2012 - 11:24 PM

You need to have a public static IP at your HQ, terminated perhaps on the same router as the MPLS link. On your branch side, you need to have a static or dynamic IP, but I would highly suggest a static IP for the purpose of monitoring and ease of troubleshooting. As Mark mentioned, DMVPN could do that.
Just make sure you have the advnc.enterprise w/k9 loaded on both of your routers in HQ and in the branch.

HTH
  • 1
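
An added example, not posted by anyone in this thread: the branch-router side of the design discussed above, with an IPsec tunnel to the head office's static public IP and IP SLA tracking that moves traffic onto it when the MPLS path stops answering. Every address, interface name, object name and the key placeholder is an assumption, and tracked and floating static routes are used here in place of the EEM applets quoted earlier.

```cisco
! Constructed values: 10.1.0.0/24 = HQ LAN, 10.255.1.1 = HQ router MPLS address,
! 10.255.0.1 = MPLS next hop (Gi0/0), 203.0.113.10 = HQ public IP,
! 198.51.100.2 = branch public IP (Gi0/1), 198.51.100.1 = branch ISP gateway.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.10
!
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS
 set pfs group14
!
interface Tunnel0
 description Backup IPsec tunnel to HQ over the Internet
 ip address 172.31.255.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-PROF
!
! Probe an HQ address through the MPLS path every 10 seconds
ip sla 100
 icmp-echo 10.255.1.1 source-interface GigabitEthernet0/0
 frequency 10
ip sla schedule 100 life forever start-time now
track 1 ip sla 100 reachability
 delay down 20 up 60
!
! Pin the probe target and the tunnel endpoint to their own paths
ip route 10.255.1.1 255.255.255.255 10.255.0.1
ip route 203.0.113.10 255.255.255.255 198.51.100.1
! Primary: HQ LAN via MPLS while the probe succeeds
ip route 10.1.0.0 255.255.255.0 10.255.0.1 track 1
! Backup: floating route via the tunnel (higher administrative distance)
ip route 10.1.0.0 255.255.255.0 Tunnel0 250
!
! Internet-facing interface accepts only IKE and ESP from the HQ peer
ip access-list extended INET-IN
 permit udp host 203.0.113.10 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.10 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.10 host 198.51.100.2
 deny ip any any log
interface GigabitEthernet0/1
 ip access-group INET-IN in
```

`show track 1` and `show crypto session` show which path is active and whether the tunnel has negotiated; the head-office router needs the mirror-image configuration.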

#4 larabasha


Posted 31 January 2013 - 06:09 PM

Thanks Mr. Markin and Mr. Tazacar.

But in our network the Internet is connected to a Juniper firewall, so how can I assign a public static IP to the hub router?

Can I map an IP from the Juniper firewall, or do I need to connect a cable to the hub router?

Thanks

Lara Basha


  • 0




