or whatever reason, our customer has chosen an Internet based VPN as the primary network link between a key location and the main network. This link needs high availability and as such they wish to provide a backup to the Internet/VPN based solution. We have proposed an ISDN connection from this location to the central network of their WAN provider, from which point the WAN provider will route all packets around their network. The VPN is handled by some third party firewall device that is standardised and can't be changed. It simply provides Ethernet hand-off to the location's LAN. We are looking at sitting a Cisco product with an ISDN port and 2 Ethernet ports to act as a gateway for the LAN. The Cisco product would primarily route everything from the LAN to the VPN box and in the event of Internet failure, bring up the ISDN port as a backup connection.
We are looking for some way to automatically fail over from the Ethernet based VPN link to the ISDN link.
I thought policy based routing might be appropriate, but this seems to require a fairly high end router. We were looking at a 1700 series product since this location does not have a lot of traffic, just important traffic.
Any comments or suggestions are appreciated.
I have a couple of comments and suggestions about your question.
If the VPN device is some third party device which cannot be changed, and if the VPN device expects to connect to the remote LAN, how are you planning to insert your router? Does the VPN device supply DHCP services for the remote LAN? If so, how will you accommodate this on your router?
The essence of your question is how to fail over from the VPN link to the ISDN link. I am not convinced that Policy Based Routing is the best answer.
I would suggest that you configure a default route pointing to the VPN device and configure a floating static default route pointing to the ISDN device. Then you need a way to remove the default route to the VPN if there is a failure in the VPN network. Cisco has a fairly new feature called Object Tracking which can be used with static routes. So you configure object tracking to verify reachability of some address in the VPN network. So long as the address is reachable the default route remains in the table. And if that address becomes unreachable the default route is removed and the floating static default route will be used.
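The tracked default route plus floating static backup described above, written out as an added Cisco IOS example (not from the original poster or the answer). All addresses are constructed for illustration: the LAN is 192.168.1.0/24, the VPN firewall's LAN interface is 192.168.1.254, 192.0.2.1 is a host at the central site that is only reachable through the VPN, and the ISDN dial number is a placeholder. The syntax is the 12.4T-style `ip sla` form; older images use `ip sla monitor` / `rtr` with the same structure.

```cisco
! LAN-facing interface; the VPN firewall sits on this segment
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
!
! Backup ISDN interface, brought up by dial-on-demand when
! the floating static route becomes active
interface BRI0
 ip address 10.0.0.1 255.255.255.252
 encapsulation ppp
 dialer string 5551234        ! placeholder number for the WAN provider's ISDN hub
 dialer-group 1
!
isdn switch-type basic-net3   ! set to whatever the local ISDN provider uses
dialer-list 1 protocol ip permit
!
! Probe a host at the central site through the VPN every 10 seconds
ip sla 1
 icmp-echo 192.0.2.1 source-interface FastEthernet0/0
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Tracked object follows the probe; delays dampen short blips so the
! route does not flap on a single lost echo
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary default route via the VPN box, withdrawn when track 1 goes down
ip route 0.0.0.0 0.0.0.0 192.168.1.254 track 1
!
! Floating static default via ISDN (AD 200 loses to the tracked route
! while it is in the table, and takes over once it is withdrawn)
ip route 0.0.0.0 0.0.0.0 BRI0 200
!
! Pin the probe target to the VPN path. Without this, after failover the
! echoes would be routed out BRI0, succeed, reinstall the primary route,
! and the router would flap between the two links.
ip route 192.0.2.1 255.255.255.255 192.168.1.254
```

Verify with `show track 1` and `show ip route` while the VPN path is up, then again after blocking the probe target; the default route should switch to BRI0 and `show dialer` should show the call being placed.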