So, I've got another request for redundancy and failover, this time on a much larger scale. Now, I'm not looking for the solution to the problem...only some kind of confirmation that I'm not way off base. Unfortunately, I don't have a lab I can use to set this up, otherwise I'd have done that already. I'm not afraid to admit that my experience in this area is lacking, and I'd appreciate any guidance.
Here's the scenario: One central site, many remote sites (let's say 5). IPSec VPNs currently exist between the central site and each of the remote sites. Failover is wanted, both at the hardware level and at the internet connection level, at the central site. No failover or redundancy is needed at the remote sites.
The solution I thought of was this: two internet connections at the central site, each to a separate router, with HSRP running between them so that the clients on the inside are not affected if a failover happens. Each remote site would then have an IPSec VPN to each of the two routers at the central site, using Virtual Tunnel Interfaces. I would then run a routing protocol, such as OSPF, between them so that if one of the ISP connections at the main site went down, the remote sites could automatically switch over to using the other VPN connection.
Now, unfortunately, I've had to make a couple of assumptions. In order for HSRP to detect a failed network connection, I need a WAN connection that has a state link, such as a serial connection, and that serial connection cannot be through an external DSU (would an ADSL WIC work too?). Is this first assumption correct? Also, OSPF requires link state as well, does it not? VTIs are always up at the "physical" level, so these will never go down...would OSPF indeed work in this scenario?
Alternatively, I could use BGP to the ISP as that maintains a persistent connection, though that would require registering an AS number and involving the ISP, and the whole idea is to not involve the ISP.
I don't think I'm too off base as far as my solution goes...but I'm making a couple of assumptions that I'd like to confirm before I present it as a final solution. So, any input on where to go to research this a little more (Google was less than helpful as far as HSRP goes) would be great, or if you could confirm my two assumptions, that'd be great too...
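As an added illustration, not part of the original post and not taken from any vendor documentation, here is how the design described above (two HSRP hub routers, one VTI from each remote site to each hub, OSPF across the tunnels) looks in Cisco IOS configuration, since HSRP and VTIs are Cisco features. Every hostname, address (RFC 5737 ranges), key placeholder, timer and OSPF cost is hypothetical. What it shows: HSRP failover on the inside LAN is driven by tracked objects (the ISP interface's line protocol plus an IP SLA probe through the ISP), while the remote site's switch between tunnels is driven by the OSPF dead timer over the VTIs, so neither mechanism depends on the tunnel interface itself reporting down.

```cisco
! Central site, router A ("hub-a").  Router B is identical apart from its
! own ISP addresses, HSRP priority 100 and tunnel subnets 10.255.2.x.
! Repeat the Tunnel1 block once per remote site.  All names, addresses
! and key placeholders are hypothetical (added example, not the post's).
hostname hub-a
!
! On an Ethernet or DSL handoff the line protocol can stay up while the
! circuit is dead, so track reachability through the ISP as well.
ip sla 1
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 interface GigabitEthernet0/0 line-protocol
track 2 ip sla 1 reachability
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <remote-1-psk> address 203.0.113.10
! Dead peer detection so a failed peer's SA is torn down, not left idle.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS
!
interface GigabitEthernet0/0
 description ISP-A
 ip address 198.51.100.2 255.255.255.252
!
interface Tunnel1
 description VTI to remote-1
 ip address 10.255.1.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile VTI-PROF
!
interface GigabitEthernet0/1
 description inside LAN
 ip address 10.1.0.2 255.255.255.0
 standby version 2
 standby 1 ip 10.1.0.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string <hsrp-key>
 standby 1 track 1 decrement 20
 standby 1 track 2 decrement 20
!
router ospf 1
 router-id 10.255.0.1
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface GigabitEthernet0/1
 network 10.1.0.0 0.0.0.255 area 0
 network 10.255.0.0 0.0.255.255 area 0
!
! ------------------------------------------------------------------
! Remote site 1: one router, one ISP, one VTI to each hub.  Tunnel2
! carries a higher OSPF cost so hub-a is preferred while both are up.
hostname remote-1
!
crypto isakmp key <remote-1-psk> address 198.51.100.2
crypto isakmp key <remote-1-psk> address 192.0.2.2
crypto isakmp keepalive 10 3 periodic
! (isakmp policy, transform-set and ipsec profile as on the hubs)
!
interface Tunnel1
 description VTI to hub-a
 ip address 10.255.1.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 ip ospf cost 10
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile VTI-PROF
!
interface Tunnel2
 description VTI to hub-b
 ip address 10.255.2.2 255.255.255.252
 ip ospf network point-to-point
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 ip ospf cost 20
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.2
 tunnel protection ipsec profile VTI-PROF
!
router ospf 1
 router-id 10.255.0.11
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel2
 network 10.255.0.0 0.0.255.255 area 0
 network 10.11.0.0 0.0.0.255 area 0
```

Two design notes on this example. First, because hub-a and hub-b are also OSPF neighbours across the inside LAN, a remote site's traffic still reaches the LAN through whichever hub's tunnel is alive even before HSRP moves the virtual IP; the tracked decrements only remove the extra hop for outbound traffic. Second, the authentication lines are not decoration: HSRP accepts hellos from any host on the LAN segment unless authenticated, and each remote site gets its own PSK (certificates would be better still) so that one compromised router cannot impersonate another. The check a practitioner would run after building this is to pull each ISP cable at the central site in turn and watch `show standby brief`, `show ip ospf neighbor` and `show crypto ipsec sa` on all three routers, confirming the OSPF adjacency over the dead tunnel expires within the dead interval and the remote site's route flips to the other tunnel.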