Load Balance and High Availability.

Hi, I am going to set up a VPN on two 2821s with IOS 12.3(14)T1. I want to set up two 2821 routers and do both Load Balance and High Availability with one ISP and configure the same VPN setup in both routers. Is IPSec Load Balance and High Availability possible? If so, how do I do it? Is any other special hardware/module needed?

Reply to
rcp

Insufficient explanation - two 2821s at one site (in which case, what is at the other end of the VPN?) or one at each end of the VPN?

Is your goal HA to your ISP? HA to the Internet? Or HA to the other end of the VPN? All of the preceding? Something else?

Yes.

Very carefully, with a solid set of requirements (and budget) for what service must be HA and where the bandwidth must be shared (and how well). However, as a general guideline...

Load Balancing -- High Availability -- Cost/Complexity. You only get to pick two out of three.

Unable to determine based on the vagueness of the specifications.

Good luck and have fun!

Reply to
Vincent C Jones

Hi, Thank you very much for the reply. The two 2821s are in the H.O., and the other end, the B.O., has 1800 and 2800 series routers. My goal is Load Balance and High Availability between the two 2821s in the H.O. for IPSec. I pick Load Balancing -- High Availability from the three options. The two ISR 2821s also have the AIM-VPN/EPII-PLUS module.

My IPSec setup doesn't have any dynamic routing protocol configured and is also not using DMVPN.

Can you please give some details on how to configure it?

Reply to
rcp

This answer implies an unlimited budget, so why not just hire a competent consultant to do the job for you rather than looking for a freebie off of Usenet? (Hint: If the "consultant" comes in and says here's your solution--before spending time finding out what your problem really is--grab your wallet and run. You hired a salesman rather than a consultant.)

This is typically not an appropriate approach to HA. You can't select an alternate route unless you have a mechanism to detect the need for an alternate route. Of course, simply turning on a routing protocol is rarely sufficient to meet significant HA goals, although it is usually part of the solution.

If I were you, I would start by hiring a consultant who understands HA and can walk you through the definition of your REAL requirements. HA per se is NOT a meaningful design goal. You need to define not only what average availability is necessary (aka, how many nines), but also what duration of downtime is acceptable, what time is available for testing and maintenance, what network management facilities are available, what skills are accessible with what delay, how the applications which are paying for the high availability react to various failure modes, and so on and so forth.

Once the requirements are known, the design can start, which could range from a simple load sharing of two VPNs with automated failover to a full soup to nuts redesign of the entire network to ensure no single point of failure anywhere in the network (which includes switches, servers, locations, as well as VPN set up). Frequently, changes to the critical applications to allow them to be more fault tolerant are a crucial part of the solution.

If you grab a copy of my book and spend some time reading it, you'll see why I'm saying that providing "some details on how to configure" is premature at this point. If you were my client, I would spend some time with you (up to several days, if your HA needs turn out to be serious) to define the real requirements so that the appropriate trade-offs can be made in the design. Once the requirements (which include budget constraints) are known, the design and implementation (and testing thereof) can begin.

A solid HA with load sharing design takes considerable effort (typically days) to ensure that the design actually improves the network availability. Adding redundancy only improves availability if the design, implementation and management are all done correctly. Getting four or more nines of availability, even without load sharing, requires a significant commitment beyond the design to include the process of running the network on a day-to-day basis. You're not going to get that kind of effort out of Usenet as a freebie.

Good luck and have fun!

Reply to
Vincent C Jones

Hi, Thank you very much for the explanation. I was reading some of your White Papers and was able to get some more design details from them. I am studying Load Balance and High Availability and have created a scenario for my test lab. My test lab devices are Cisco, except for one device which is not Cisco; it supports VPN but has no support for dynamic routing protocols. So I was thinking about how to design the Load Balance and High Availability between the Cisco and the non-Cisco device.

I think that between Cisco devices, with HSRP and RRI, the HA can be achieved, but what about load-balancing between two routers for VPN traffic? Please correct me if this is wrong.

Reply to
rcp

I won't say that you are "wrong" but I will say that you are going to learn a lot playing with what you have and simulating various failure modes in the lab. HSRP and RRI can both contribute to detecting and responding to various failure modes, but each has significant limitations.

Remember as you experiment that when a failure occurs, you need to adjust the paths used for both directions and what counts is the two end systems being able to continue to communicate. Also keep in mind that between the time a failure occurs and the time when that failure is detected by all concerned, the network is down. Also keep in mind that you not only need a mechanism to switch from primary path to backup path, but also a mechanism to switch back from the backup path to the primary path when said primary path is restored. Also note that all of these comments ignore the issue of providing useful load balancing or working around Cisco bugs in how the IOS does its thing on various platforms in various feature sets and release trains.

For a better learning experience, start by experimenting with load balancing and redundant link failover independently. Once you master both in isolation, you can try combining them in the same configuration.

Good luck and have fun!

Reply to
Vincent C Jones
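The following is an added example, not configuration posted by rcp or Vincent C Jones, of the "simple load sharing of two VPNs with automated failover" starting point and the HSRP + RRI combination discussed above, reduced to the failover half only (as advised, master failover on its own before adding load sharing). It assumes a hypothetical headend pair HO-A/HO-B sharing one ISP segment (198.51.100.0/29, ISP gateway .1, HSRP virtual address .2, routers .3 and .4), an inside LAN 10.1.0.0/16 behind a second HSRP group, one branch peer at 203.0.113.10 protecting 10.2.0.0/16, and a pre-shared key; all of these addresses, names and the key are made up for illustration. Only HO-A is shown; HO-B carries the identical configuration with its own interface addresses and `priority 100` on both standby groups. The branch router (Cisco or not) simply peers with the virtual address, which is why the remote side needs no routing protocol support.

```cisco
! HO-A: IPsec headend with stateless HSRP failover and RRI (example, not from the thread)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! Hypothetical branch peer address and pre-shared key
crypto isakmp key BranchKey123 address 203.0.113.10
! Dead peer detection so a failed headend is noticed by IKE, not just by HSRP
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN-TO-BO
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-TO-BO
 ! RRI: the router that owns the SA installs a static route for 10.2.0.0/16
 reverse-route
!
interface GigabitEthernet0/0
 description Outside, to ISP
 ip address 198.51.100.3 255.255.255.248
 standby 1 ip 198.51.100.2
 standby 1 priority 110
 ! preempt is what moves service back to the primary once it is restored
 standby 1 preempt
 standby 1 name VPN-OUT
 ! lose the inside interface -> give up the outside virtual address too
 standby 1 track GigabitEthernet0/1 20
 ! IKE/IPsec are sourced from the HSRP virtual address of group VPN-OUT
 crypto map VPNMAP redundancy VPN-OUT
!
interface GigabitEthernet0/1
 description Inside LAN; hosts use 10.1.1.1 as default gateway
 ip address 10.1.1.3 255.255.255.0
 standby 2 ip 10.1.1.1
 standby 2 priority 110
 standby 2 preempt
 ! lose the ISP-facing interface -> give up the inside virtual address too
 standby 2 track GigabitEthernet0/0 20
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

The two tracking statements are the point Vincent makes about both directions: without them the outside group can fail over while the inside group does not (or vice versa), and LAN traffic keeps arriving at a router that no longer owns the tunnel. Things to verify in the lab, since this is the stateless form of the feature: after a failover the branch must re-establish IKE and IPsec with the new active router (the time until its DPD or HSRP detects the failure is the outage Vincent describes), and `show crypto isakmp sa` and `show ip route static` on each headend should show the SA and the RRI route on the active router only. Whether the `stateful` variant of `redundancy` is available, and how a given 12.3T release behaves with it, is something to check against the release notes for the exact image rather than assume.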

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.