In the previous article, we began our discussion on using VPN tunnels as backup links. In that article, we used static routes and IP SLA tracking to achieve our goal. In this article, we will consider another solution, which uses VTIs and dynamic routing.
Our network diagram is as shown below:
As before, the LANs of Site A and Site B need to communicate. There is a private link between Site A and Site B (192.168.10.0/30) and this link should be used for traffic between the LANs as long as that link is available. If the private link goes down, a VPN tunnel should be established over the Internet between both sites and traffic should flow through that tunnel.
One of the cool things about using tunnel interfaces for creating VPN tunnels is that they can carry multicast traffic, unlike VPN tunnels built with crypto maps. What this means for us is that we can run a dynamic routing protocol over our VPN tunnel and let that routing protocol decide which path to forward traffic through, based on its own path-selection metrics.
In this article, we will create an L2L VPN between Site A and Site B over their Internet connection and we will use virtual tunnel interfaces (VTIs) to achieve this. We could well have used DMVPN but VTIs work well since there are only two sites.
The configuration on the site routers, including the L2L VPN configuration, is as follows. Note that this lab uses MD5 hashing, 3DES and a trivial pre-shared key for brevity; a production deployment should use AES and SHA-2 based transforms and a strong key.
hostname SITE_A
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 188.8.131.52
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set TRANS_SET
!
interface Loopback0
 description ***SITE_A LAN***
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_B***
 ip address 192.168.10.1 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 184.108.40.206 255.255.255.252
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.252
 tunnel source Ethernet1/0
 tunnel destination 220.127.116.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
!
ip route 0.0.0.0 0.0.0.0 18.104.22.168
hostname SITE_B
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
!
crypto isakmp key cisco address 22.214.171.124
!
crypto ipsec transform-set TRANS_SET esp-3des esp-md5-hmac
!
crypto ipsec profile MYPROFILE
 set transform-set TRANS_SET
!
interface Loopback0
 description ***SITE_B LAN***
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0
 description ***PRIVATE LINK WITH SITE_A***
 ip address 192.168.10.2 255.255.255.252
!
interface Ethernet1/0
 description ***INTERNET LINK***
 ip address 126.96.36.199 255.255.255.252
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.252
 tunnel source Ethernet1/0
 tunnel destination 188.8.131.52
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MYPROFILE
!
ip route 0.0.0.0 0.0.0.0 184.108.40.206
Now we can run a dynamic routing protocol between Site A and Site B to carry routing information about their LAN subnets. We want the private link to be preferred when it is available and the tunnel should be used only when that private link is down. Let’s look at two ways we can achieve this.
Different routing protocols
You can use two different routing protocols for this, e.g., EIGRP on the private link and OSPF on the tunnel. Since EIGRP has a lower administrative distance (AD 90) than OSPF (AD 110), the EIGRP routes learned over the private link will be preferred over the OSPF routes learned over the tunnel whenever both are available.
The routing configuration on Site A and Site B is as follows:
! SITE_A
router eigrp 10
 network 10.10.10.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
!
router ospf 1
 network 10.10.10.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0
!
interface Loopback0
 ip ospf network point-to-point
! SITE_B
router eigrp 10
 network 10.10.20.0 0.0.0.255
 network 192.168.10.0
 no auto-summary
!
router ospf 1
 network 10.10.20.0 0.0.0.255 area 0
 network 172.16.1.0 0.0.0.3 area 0
!
interface Loopback0
 ip ospf network point-to-point
Hint: Since I am using loopback interfaces to simulate my LAN networks, I need the ip ospf network point-to-point command under the Loopback interface configuration; without it, OSPF advertises a loopback as a /32 host route instead of the /24 subnet.
When the private link is up, the remote LAN network is reachable via the EIGRP route over that link.
Now I shut down the private link: the EIGRP route is withdrawn and the OSPF route via the tunnel is installed in its place.
Same routing protocol
The second option is to use one routing protocol over both the private link and the VPN tunnel and let that routing protocol decide which route is the best to use. In our case, I will use EIGRP. The additional configuration on both site routers is as follows:
router eigrp 10
 network 172.16.1.0 0.0.0.3
By default, EIGRP uses bandwidth and delay in its composite metric. Since the Fa0/0 interface that I am using for the private link has a much higher bandwidth and a much lower delay than the tunnel interface, the path over the private link gets the lower metric and is the preferred path.
If the private link goes down, the route over the tunnel is installed and the tunnel link is used.
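The two selection rules described above, AD between different protocols and the EIGRP composite metric within one protocol, can be checked numerically. The following Python model is an added example and not part of the article or of any Cisco software; it assumes typical IOS interface defaults that the article does not list (FastEthernet: bandwidth 100000 kbps, delay 100 µs; Tunnel: bandwidth 100 kbps, delay 50000 µs; Loopback: bandwidth 8000000 kbps, delay 5000 µs), default EIGRP K-values and the default OSPF reference bandwidth of 100 Mbit/s. It computes what Site A would install for Site B's LAN under both options, with the private link up and down.

```python
"""Added model (not the article's configuration) of how Site A's RIB chooses
between the private link and the VTI under the two routing-protocol options."""
from dataclasses import dataclass
from typing import Optional

# IOS administrative distances for the route sources used in the article.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110}

# Default EIGRP K-values: only bandwidth (K1) and delay (K3) count.
K1, K3 = 1, 1


@dataclass(frozen=True)
class Link:
    name: str
    bandwidth_kbps: int   # the interface's 'bandwidth' value
    delay_usec: int       # the interface's 'delay' value, in microseconds


# Assumed interface characteristics (typical IOS defaults; the article does not list them).
# From Site A, Site B's LAN sits behind either the private FastEthernet link or the VTI.
PRIVATE = Link("FastEthernet0/0", bandwidth_kbps=100_000, delay_usec=100)
TUNNEL = Link("Tunnel0", bandwidth_kbps=100, delay_usec=50_000)
LAN_B = Link("Loopback0", bandwidth_kbps=8_000_000, delay_usec=5_000)


def eigrp_metric(path):
    """Classic EIGRP composite metric for a path: (K1*BW + K3*DLY) * 256, where
    BW = 10^7 / slowest link (kbps) and DLY = sum of link delays in tens of usec."""
    bw_term = 10_000_000 // min(link.bandwidth_kbps for link in path)
    delay_term = sum(link.delay_usec // 10 for link in path)
    return (K1 * bw_term + K3 * delay_term) * 256


def ospf_cost(path):
    """OSPF cost with the default 100 Mbit/s reference bandwidth; minimum cost 1 per link."""
    return sum(max(1, 100_000_000 // (link.bandwidth_kbps * 1000)) for link in path)


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str
    metric: int
    via: str  # outgoing interface name

    @property
    def ad(self):
        return AD[self.protocol]


def candidates(option):
    """Routes Site A learns for Site B's LAN under each option in the article."""
    prefix = "10.10.20.0/24"
    if option == "different":   # EIGRP on the private link, OSPF on the tunnel
        return [
            Route(prefix, "eigrp", eigrp_metric([PRIVATE, LAN_B]), PRIVATE.name),
            Route(prefix, "ospf", ospf_cost([TUNNEL, LAN_B]), TUNNEL.name),
        ]
    if option == "same":        # EIGRP on both links
        return [
            Route(prefix, "eigrp", eigrp_metric([PRIVATE, LAN_B]), PRIVATE.name),
            Route(prefix, "eigrp", eigrp_metric([TUNNEL, LAN_B]), TUNNEL.name),
        ]
    raise ValueError(f"unknown option: {option}")


def installed_route(option, down=()) -> Optional[Route]:
    """RIB selection: drop routes whose outgoing interface is down (the routing
    protocol withdraws them), then prefer the lowest AD and, within a protocol,
    the lowest metric. Returns None when no path to the LAN remains."""
    usable = [r for r in candidates(option) if r.via not in down]
    if not usable:
        return None
    return min(usable, key=lambda r: (r.ad, r.metric))


if __name__ == "__main__":
    for option in ("different", "same"):
        for down in ((), ("FastEthernet0/0",)):
            r = installed_route(option, down)
            state = "private link down" if down else "both links up"
            print(f"{option:9s} | {state:17s} | {r.protocol} via {r.via}, "
                  f"AD {r.ad}, metric {r.metric}")
```

With these defaults the private path scores the familiar EIGRP metric 156160 against 27008000 over the tunnel, so in the single-protocol option the metric alone keeps traffic on the private link; in the two-protocol option the EIGRP route wins on AD regardless of the OSPF cost (1001 here), and only its withdrawal lets the OSPF route through. Tuning the tunnel's bandwidth or delay values changes the metric comparison but not the AD comparison, which is the practical difference between the two options.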
In all this, do not forget that traffic through the tunnel interfaces is actually being encrypted. You will see a high number of encrypted/decrypted packets on the IPsec SA even when no user traffic flows, because the dynamic routing protocol's hello and update packets are also carried inside the tunnel and are protected by it.
Another thing to note is that this configuration is actually more of an active/active configuration because both links—the private link and the VPN tunnel—are up at the same time; however, we use the dynamic routing protocol to achieve a primary/standby configuration by sending traffic via one link at a particular time.
In this article, we have configured an L2L VPN to serve as a backup link when the primary link fails. We used VTIs to create our VPN tunnel, which allows us to run dynamic routing protocols over the tunnel. Instead of using IP SLA to determine when to failover to the backup link, as we did in the first article, we relied on the internal failure detection mechanism of the routing protocols to handle this.
Furthermore, we considered two options with regards to routing protocols: using the same routing protocol or using different routing protocols. We were able to achieve our goal with either solution.
In the next article, we will consider another scenario in which VPN tunnels can be used as backup links.
References and Further Reading
Configuring a Virtual Tunnel Interface with IP Security: http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd8029d629_ps6635_Products_White_Paper.html