I've done this configuration before.  It's relatively painless.

If you're using Cisco-to-Cisco equipment, you can create GRE tunnels at the
endpoints and encrypt them.  On the far-end, you'll have 2 tunnel
interfaces, one to each central site router.

If you run an IGP over the tunnels, then your routing protocol will make the
proper decisions regarding routes from the remote site.

At the Central site, you can have standby track the Tunnel interface - they
break (interface up, line protocol down)  if the end-to-end connectivity
between them disappears, in which case HSRP moves the standby address to the
next priority router.

If you're running BGP on your central (and remote) site internet access
routers, it makes the configuration more complex because you'll have to
redistribute your (default) BGP route into your IGP tables.  And you can
really only redistribute your BGP default at the Central site - at the
remote, you'll have to depend on the IGP.

IPSec does not carry routing protocols.  I've tried that, and there's no way
to peer your protocol over IPSec unless you use a GRE tunnel around it.

Beware MTU problems when you use GRE tunnels  ;-)  That was the most
difficult thing to overcome, because many applications in their Microsoft
implementations set the DF bit.

-e-
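A sketch of one central-site router for the design described in the reply above, added here as an example and not taken from the original post or from any vendor document. All addresses, interface names, the key placeholder, the EIGRP AS number, the crypto algorithms, and the MTU/MSS values are assumptions chosen for illustration.

```cisco
! Added example: central-site router A. Every value below is constructed.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.2
!
crypto ipsec transform-set GRE-ESP esp-aes 256 esp-sha256-hmac
 mode transport
!
! Encrypt only the GRE packets between the two tunnel endpoints;
! the IGP rides inside GRE, so it is protected as well.
access-list 110 permit gre host 192.0.2.1 host 198.51.100.2
!
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-ESP
 match address 110
!
interface Tunnel0
 description GRE to remote site via provider 1
 ip address 10.255.0.1 255.255.255.252
 ! Leave headroom for GRE + ESP so DF-set packets are not black-holed
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! Keepalives take line protocol down when the far end is unreachable
 keepalive 10 3
 tunnel source Serial0/0
 tunnel destination 198.51.100.2
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/0
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
 standby 1 priority 110
 standby 1 preempt
 ! Drop priority by 20 when Tunnel0 goes down so the peer router takes over
 standby 1 track Tunnel0 20
!
router eigrp 100
 network 10.0.0.0
 no auto-summary
```

The second central router would carry the same structure with its own tunnel and a lower HSRP priority (also with `preempt`), so the tracked decrement is enough to move the standby address.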

NetEng <[EMAIL PROTECTED]> wrote in message
news:985n0a$j8s$[EMAIL PROTECTED]...
> Thanks to everyone for the help. My questions have been answered (for now).
> What I'm trying to do is: I have multiple remote offices where I want to
> create a VPN tunnel across one provider to the corporate office. In case
> that the provider goes down, I need to have the second provider take over
> (with a new tunnel of course). The fail-over with BGP is the easy part. The
> other guy working on this thinks everything should be running in HSRP, and I
> don't/didn't think HSRP would allow the stand-by router to become active
> with the failure being somewhere in the provider's network. I thought that I
> could run them in parallel and let a dynamic routing protocol do the
> deciding. However, I heard IPSEC breaks routing protocols. I also heard that
> you can run them through a GRE tunnel and not encrypt them. This is all
> still theory until we get some equipment in to do the pilot. Has anyone
> tried doing this? I'll try this out (track command) and thanks again for the
> info.
>
> Collin
>
> P.S. Priscilla your book rocks.
>
> "NetEng" <[EMAIL PROTECTED]> wrote in message
> news:98423i$l2e$[EMAIL PROTECTED]...
> > Does HSRP work at the interface level or is the entire router on
> > active/stand-by? In other words, if I have two routers working in HSRP and
> > a link goes down somewhere down the line, will the first router know to
> > fail-over to the second router (with a good link)? I have one router
> > connected to one ISP and a second router connected to a second ISP. Can
> > these routers be run in HSRP or must they be running in parallel and let a
> > dynamic routing protocol (BGP on the outside and let's say EIGRP on the
> > inside) decide? TIA.
> >
> >
> > _________________________________
> > FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
> > Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]