How to run a failover VPN over a complex network?

K

Konstantin Frank2019-01-11 20:52:44

Computer networks

Konstantin Frank, 2019-01-11 20:52:44

Hello!
Need advice on implementing a small scheme. Accordingly, first I will tell you what the problem is -
a5322f2baa33acf67b4884aaa0f51f94-full.pn
2 data centers and 1 branch. It is required between PC 3 and PC 1/2 (different networks) to create IPSEC over the entire working network. All Cisco equipment. K9 licenses have only FW-1, FW-2, R-1, R-2.
Initially, I planned to raise 2 tunnels on each router R-1 and R-2 to FW-1 and FW-2. Create static routes with a metric on the routers (on R-1, priority to DPC 1, on R-2, priority to DPC 2). Raise HSRP on R-1/2. And in order for the traffic to return correctly, I will use NAT (each tunnel = its own address). I forgot to draw on the diagram that the data center switches are also interconnected, so it’s a little difficult here according to the traffic flow pattern.
I hope I explained clearly. The scheme is a crutch and temporary, but you need to make it fail-safe. Please help with advice.

Reply

Answer the question

In order to leave comments, you need to log in

3 answer(s)

R

Rodion Kudryavtsev, 2019-01-11
@rodkud

In the direction of 2-head dmvpn, you should look like

V

Valentin, 2019-01-11
@vvpoloskin

If you don’t need balancing (and here it’s easier without it), you don’t need any identical metrics, there is a risk of getting asymmetry (unless, of course, this is a problem for you). Networks on PC1 and PC2 are best terminated on routers with a red circle. Static is not needed, more reliable than GRE + OSPF (well, or any other dynamics).

R

rPman, 2019-01-13
@rPman

I have a question, but cisco routers do not know how to bond (I'm talking about linux capabilities)? when two channels are combined into one based on some algorithm, including both redundancy and balancing, i.e. raise 2 vpn connections (through different providers) and combine them into one