I faced simple task to do and found I'm not sure if my choice is right. Please advice:
- We have 2 remote ROS devices (R1 and R2), both has 2 uplinks each (so R1-U1, R1-U2 and R2-U1, R2-U2). We need to connect them via VPN links (any type, no limitations on this). There are 4 tunnels possible (R1-U1 <-> R2-U1, R1-U1 <-> R2-U2, R1-U2 <-> R2-U1, R1-U2 <-> R2-U2), and these links are of different speed and priority. That is, We'd like to use it (asn an example) like this:
- if R1-U1 <-> R2-U1 available, then use it,
- else if R1-U1 <-> R2-U2 available then use it
- else etc.
To add things up, we actually have several remote devices (not just two), so the one is the "center" one (hub), and others are spokes. Full mesh is not really needed, and a bit hard to maintain, but possible.
I tried to use static route priority to sort this thing but I'm not sure I'll work best. Maybe there is a way to employ dynamic routing to have this scheme work nice?
-
-
JimmyNyholm
Member Candidate
- Posts: 248
- Joined:
- Location: Sweden
Re: Choose right VPN tunnel when both peers are dual-homed
Hi. If both sides have static ip's this is easy.
If you need L3 only then setup meshed gre tunnels with configured ipsec secret then the gre traffic is encrypted and all is well. You may then assign links ip's and loopback and enable ospf and set the weight. Using carefull settings and only routing you can do ecmp as well.
If some links are dynamic you will ned to have scripting in place to react to the ip changes and update your config but it is still doable.
All depends on your skill and will to learn so if it is by your definition manageable or not is not up to me to answer.
L2 is doable even with lacp for the eoip ipsec tunnels.
Designing redundancy over other office comes "free" when you do l3 and dynamic routing and can cope with intermediate as to intermediate as problems where office1 can't reach corp main but office2 can and in the mean time office1 and office2 can reach each other. This error case is suboptimal path but as I often advocade its better with some connectivity than no connectivity.
How you do it is upp to you depending on what you are trying to solve.
If you need L3 only then setup meshed gre tunnels with configured ipsec secret then the gre traffic is encrypted and all is well. You may then assign links ip's and loopback and enable ospf and set the weight. Using carefull settings and only routing you can do ecmp as well.
If some links are dynamic you will ned to have scripting in place to react to the ip changes and update your config but it is still doable.
All depends on your skill and will to learn so if it is by your definition manageable or not is not up to me to answer.
L2 is doable even with lacp for the eoip ipsec tunnels.
Designing redundancy over other office comes "free" when you do l3 and dynamic routing and can cope with intermediate as to intermediate as problems where office1 can't reach corp main but office2 can and in the mean time office1 and office2 can reach each other. This error case is suboptimal path but as I often advocade its better with some connectivity than no connectivity.
How you do it is upp to you depending on what you are trying to solve.
Re: Choose right VPN tunnel when both peers are dual-homed
All I need is L3, so OSPF looks like the solution, and it's good point that redundancy will add up for free. Will try to, thank you!
P.S. Once (quite a long ago) I tried to use OSPF but there was some problems and later I learned there was some ROS problems that may given me that effect, so I drop the idea. Hope this time it'll be better time to! Will see for decent howto just in a case!
P.S. Once (quite a long ago) I tried to use OSPF but there was some problems and later I learned there was some ROS problems that may given me that effect, so I drop the idea. Hope this time it'll be better time to! Will see for decent howto just in a case!
Who is online
Users browsing this forum: GoogleOther [Bot], sinaaram and 12 guests