8

I have a network with resilient gateways whereby Customer sites use a default gateway to reach the internet edge routers and the primary route for traffic uses a lower metric.

ipsec tunnels are initiated from vpn concentrators behind the edge routers and are statically configured to the destination tunnel endpoints which are 3rd party data centers. I am not able to use a dynamic routing protocol with the 3rd party. Network Topology

The problem is that the peering address range that the 3rd party is using periodically changes and brings down the primary tunnel and a manual switch to the secondary tunnel is being cumbersomely carried out.

  1. Can how can I most efficiently failover between tunnels in this scenario if the destination IPs are not reliable for the static ipsec configuration?
  2. How would I pre-empt the primary tunnel once the endpoint becomes available?
MattE
  • 2,087
  • 4
  • 24
  • 34
  • 1
    First thing that comes to my mind is this: if your 3rd party DC provider is randomly changing their peer address often enough that this is a problem, look elsewhere for services. It may not be easy/feasible to change, but if they can't get this right, what else in the infrastructure you've trusted them with could break at any time. Also, they should be willing to help you with this scenario. They're causing the pain, they should help remediate if. – Brett Lykins Dec 24 '13 at 13:55
  • Completely agree and looking at that but contracts take a long time to change so need an alternative approach in the meantime – MattE Dec 24 '13 at 14:06
  • What manufacturer and model are the VPN concentrators and Edge routers? – Brett Lykins Dec 24 '13 at 14:36
  • Questions: Can you configure the gateway routers to have two tunnels, one to each data center? And what brand of routers are they? – Ron Trunk Dec 24 '13 at 16:57
  • For the vpn then service modules are used on Cisco 6509 switches that connect to Cisco 7600 routers at the edge. – MattE Dec 24 '13 at 17:24
  • @Ron, yes should be ok to setup 2 tunnels – MattE Dec 24 '13 at 17:25

1 Answers1

5

One solution is to use Performance routing (PfR) on the gateway routers. PfR can test connectivity to each data center and then route traffic to whichever one is responding. So if a tunnel goes down, PfR will automatically route traffic through the other tunnel to the other data center.

PfR can do this by pinging (or using IP SLA) each of the data centers. If the London tunnel fails, PfR will route traffic through the New York tunnel, and vice versa.

I would like to give you a configuration, but I need to see more details about your network. In the meantime, you can look at a couple of things:

http://blog.ine.com/2011/11/01/cisco-performance-routing-pfr-optimized-edge-routing-oer/

http://www.netcraftsmen.net/archived-documents/c-mug-article-archive/7-20090922-cmug-understanding-performance-routing/file.html

Here's a video if you're more of a visual learner.

http://www.cisco.com/en/US/prod/iosswrel/ps6537/ps6554/ps6599/ps8787/pfr_configure_video.html

Ron Trunk
  • 66,852
  • 5
  • 65
  • 126