How do you guys handle remote client site to redundant VPN server

oddyager

To give you a visual of my current setup, I have two VPN routers, one in each data center. Both of these routers connect to a core switch (EIGRP peering between the two) in their respective centers, and the two core switches are connected by a point-to-point link (EIGRP peering between these two cores). I have a remote site with a basic IPsec LAN-to-LAN tunnel that connects to one router as a primary and will fail over to the second router. Whenever the tunnel is up on one router, we add a static route pointing traffic destined for the remote site at the tunnel interface. Each VPN router is then configured to redistribute statics into EIGRP. This is painful, since whenever the tunnel fails over to the other router we need an admin to log into one router to remove the static and its entry in the redistribute list, and then add those into the other router.

Now my goal is to try to do this more dynamically. Any recommendations off the top of your head on what's the easiest and best way to do this?

Thanks!
 

cmetz

First off, dump EIGRP. Terminate with extreme prejudice. Use OSPF.

Now that you've done that, try using IOS's Virtual Tunnel Interface (VTI) feature. Using that, it can treat each VPN tunnel as a routed interface, which you can then run any normal routing protocol over.
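The VTI design cmetz describes, written out as an added example (this is not configuration from the thread or from any poster). Everything here is assumed: the AS number 100, the public peer addresses 203.0.113.1 (DC1), 203.0.113.2 (DC2) and 198.51.100.10 (remote site), the tunnel /30s under 10.255.0.0/16, the remote LAN 10.20.0.0/24 and the core-facing range 10.1.0.0/16. cmetz's advice is OSPF; the OP keeps EIGRP later in the thread, and the tunnel itself does not care which protocol runs over it, so the example uses EIGRP to match the existing cores. The point is that an IPsec VTI's line protocol follows the IPsec SA, so when the tunnel drops, the routing adjacency drops and the remote prefix is withdrawn on its own; no static routes and no redistribution are involved.

```cisco
! ===== DC1 VPN router (hub side). DC2 is identical except its tunnel is
! ===== Tunnel20 with 10.255.2.1/30 and its own public source address.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Placeholder pre-shared key, one per remote peer. PSK-per-peer is the
! minimum; certificates scale better once sites multiply.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.10
!
crypto ipsec transform-set VTI-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel10
 description IPsec VTI to remote site A
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.1.0.0 0.0.255.255
 ! No "redistribute static": 10.20.0.0/24 arrives as an EIGRP route
 ! learned over Tunnel10 and is passed to the core like any other.

! ===== Remote site router: one VTI per data center, both up at once.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.2
! (isakmp policy, transform-set and ipsec profile as on the hubs)
!
interface Tunnel10
 description primary, to DC1
 ip address 10.255.1.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel20
 description secondary, to DC2
 ip address 10.255.2.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! delay is in tens of microseconds; a tunnel defaults to 5000.
 ! Doubling it on the DC2 tunnel makes DC2 the less preferred path
 ! in the EIGRP composite metric in both directions.
 delay 10000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
router eigrp 100
 network 10.255.1.0 0.0.0.3
 network 10.255.2.0 0.0.0.3
 network 10.20.0.0 0.0.0.255
```

A VTI has no crypto ACL: whatever is routed into the tunnel interface is encrypted, so the routing table, not an access list, decides what is protected. Check that the failover actually does what you expect with `show crypto session`, `show ip eigrp neighbors` on the remote router and `show ip route 10.20.0.0` on a core, before and after shutting Tunnel10.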
 

oddyager

I considered suggesting that, but he's only got two "sites"...one of which has two points of entry. At least if I'm understanding his topology, anyway.


It looks like this:

DC1 Core -------- DC1 VPN router
=
=
P2P Link
=
=
DC2 Core --------- DC2 VPN Router

So if the VPN is terminated to DC2 VPN, anyone from DC1 can cross over the P2P into DC2 and reach that remote site. I have considered moving to GRE tunnels, too.

cmetz said:
First off, dump EIGRP. Terminate with extreme prejudice. Use OSPF.

Now that you've done that, try using IOS's Virtual Tunnel Interface (VTI) feature. Using that, it can treat each VPN tunnel as a routed interface, which you can then run any normal routing protocol over.


What about adding that reverse-route subcommand under crypto maps? Would that work the same way? If the tunnel is up it creates the static route for that remote network and I can redistribute that using prefixes to advertise what would be the remote site subnets back to the cores? Any potential pitfalls?

Thanks everyone for your help.
 

cmetz

oddyager, why would you have the OS create a reverse static route and then redistribute it into your routing protocol when you can just run your routing protocol? I'm not familiar with the reverse static route approach, but it sounds like it might work - it would just be a more complex and error prone way to accomplish the same thing. Route redistribution is important and powerful, but dangerous.
 

m1ldslide1

cmetz said:
First off, dump EIGRP. Terminate with extreme prejudice. Use OSPF.

Methinks you sir are a routing protocol fanboy with little design experience. Both EIGRP and OSPF have their strengths and weaknesses depending on the environment and hardware used. It's really odd to tell someone to reconfigure their entire routing protocol and all the headaches associated when you don't know the first thing about their environment.

As for the OP, would it be possible to leave both static routes active and redistributed, but on the secondary router configure it to advertise a higher metric for redistributed statics? You could use a route-map to call an ACL and only adjust the metric for this one prefix if you want to get granular.

It sounds like you've pointed your static route at your tunnel interface. I'm making one assumption with my above suggestion: a static route that points at an interface will be removed from the routing table (and thus from consideration for redistribution) if the interface it points at goes down. I seem to remember that's in fact the case, but I would need to test. If I'm right then I think this would be a pretty easy solution that doesn't require you to turn on any more protocols or add a significant amount of complexity to your configuration.
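The two ideas above, oddyager's `reverse-route` question and m1ldslide1's "leave both statics in, worsen the metric on the secondary" suggestion, fit together in one configuration. This is an added example, not configuration posted in the thread; the names (REMOTE-MAP, VPN-SITE-A, STATIC-TO-EIGRP), the AS number 100, the peer 198.51.100.10, the remote LAN 10.20.0.0/24 and the inside range 10.1.0.0/16 are all assumed. Reverse Route Injection (`reverse-route` under the crypto map entry) installs a static route for each destination in the crypto ACL, so the static is tied to the IPsec SA rather than to an interface, and a route-map on the redistribution gives DC2's copy of the route a worse EIGRP metric.

```cisco
! ===== DC2 VPN router (secondary). DC1 carries the same configuration
! ===== but with the better metric:  set metric 100000 100 255 1 1500
ip access-list extended VPN-SITE-A
 permit ip 10.1.0.0 0.0.255.255 10.20.0.0 0.0.0.255
!
crypto ipsec transform-set MAP-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map REMOTE-MAP 10 ipsec-isakmp
 description LAN-to-LAN to remote site A
 set peer 198.51.100.10
 set transform-set MAP-TS
 match address VPN-SITE-A
 ! RRI: install a static for 10.20.0.0/24 (the destination side of the
 ! crypto ACL). Without the "static" keyword the route is tied to the
 ! IPsec SA on current IOS; "reverse-route static" would create it at
 ! configuration time and it would never go away, which defeats the
 ! failover. Older releases behaved differently, so verify (see below).
 reverse-route
!
interface GigabitEthernet0/0
 description outside
 crypto map REMOTE-MAP
!
! Only the remote-site prefix is allowed through the redistribution.
ip prefix-list SITE-A seq 5 permit 10.20.0.0/24
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list SITE-A
 ! EIGRP metric: bandwidth(kbps) delay(tens of usec) reliability load mtu
 ! Lower bandwidth and higher delay than DC1 => cores prefer DC1.
 set metric 10000 1000 255 1 1500
route-map STATIC-TO-EIGRP deny 20
!
router eigrp 100
 network 10.1.0.0 0.0.255.255
 redistribute static route-map STATIC-TO-EIGRP
```

Before relying on it, confirm on each VPN router that `show ip route static` shows 10.20.0.0/24 only while `show crypto ipsec sa` shows an active SA to the peer, and that the core's `show ip route 10.20.0.0` moves from DC1 to DC2 when the DC1 SA is cleared. On the assumption in the post above: IOS does remove a static route whose outgoing interface goes down, which is why it works for a VTI (the tunnel line protocol follows the SA). With a crypto map on a physical interface, though, the interface stays up when the peer is unreachable, so the static would stay in the table; RRI avoids that by tying the route to the SA instead of the interface. The deny clause at the end of the route-map matters: without it, every other static on the box is redistributed too.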
 

oddyager

cmetz said:
oddyager, why would you have the OS create a reverse static route and then redistribute it into your routing protocol when you can just run your routing protocol? I'm not familiar with the reverse static route approach, but it sounds like it might work - it would just be a more complex and error prone way to accomplish the same thing. Route redistribution is important and powerful, but dangerous.

Well, dumping EIGRP is not an option. I see no need for us to do so. That being said, I can run dynamic routing over GRE tunnels, but that would involve changes on both ends. I lied when I said 1 remote site. This would actually involve around 20 or so sites. I'm weighing the benefits and downtime of doing either option.
 

drebo

oddyager said:
Well, dumping EIGRP is not an option. I see no need for us to do so. That being said, I can run dynamic routing over GRE tunnels, but that would involve changes on both ends. I lied when I said 1 remote site. This would actually involve around 20 or so sites. I'm weighing the benefits and downtime of doing either option.

If there's 20 remote sites, then the most logical option is DMVPN, by far.