Cisco VPN Failover setup

I am trying to plan a VPN solution and need a little assistance. The plan is to have Site A and Site B as main hubs running Active Directory, Exchange, etc.

We have multiple remote sites with Cisco 831s and the main sites with 3825s and one concentrator. The goal is to have a hardware VPN tunnel set up with Site A, and in the event of an outage of the connection to Site A, the connection to Site B would be utilized instead, enabling no downtime for the end user.

What I don't want is traffic to Site B until Site A is offline. The switchover must be transparent to the end user. I've tried to call cisco but the rep was less than helpful.

Does anyone here have any ideas or can lend a hand? Please let me know.

Thanks

djlanza

Tricky. I suggest you switch to comp.dcom.sys.cisco and that you read Vincent C. Jones' white papers

Switching to a different site upon failure of one has some pitfalls but those can be overcome without -too- much hair loss if you read Vincent's works.

"No down time for the end user" is rather harder:

- if "stateful" firewalls are being used, then the firewalls at the two sites must be kept in sync

- you have to decide whether it is acceptable to lose some UDP (and other non-TCP) during the failover

- you have to be careful about "flapping" as site A comes back up

- you have to have someone re-synchronize the facilities at A and B as A comes back up, such as replicating the new state of the Active Directory tables -- and you have to either be *very* careful about that, or else you have to pause all transactions so that a packet sent to B can be replied to by A with exactly the same information it would have received at B

- contrariwise, as long as A is up, you have to have A be sending it detailed synchronization updates so that B can take over with no notice.

Does it really have to be done exactly the way you indicate? Losing active TCP connections is often considered an acceptable tradeoff for the costs and difficulties involved in the full replication.

Would HSRP / VSRP be an acceptable alternative approach to resource replication? (I don't know those well; I believe they require that the alternative resources be on the same segment -- but you might be able to fake that with Layer 2 Transparent VPNs.)

What are the potential sources of "outage" that you are trying to protect against, and what are their probabilities? For example, I notice you indicate "a concentrator", which implies you have only one there instead of a failover pair. If maintenance or hardware or power problems on the concentrator is a noticeable risk, then a failover pair of concentrators might improve the situation... but if not done carefully will make the probability of failure -higher-.

Walter Roberson
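The "flapping as site A comes back up" pitfall in the reply above is easy to see in a small model. The following is an added example, not code from either poster or from Cisco: it models a remote router that probes both hub sites once per interval and picks the tunnel to use. The thresholds, the probe sequence and the site names are constructed for illustration. Failover to Site B needs a run of consecutive missed probes to A, and failback to A needs a run of consecutive good probes (a hold-down). Running the same probe sequence with both thresholds set to 1 shows the naive behaviour: it never black-holes a packet in this idealized model, but it switches tunnels six times while A is still unstable, which is exactly the churn that resets TCP sessions and confuses stateful firewalls.

```python
"""Primary/backup tunnel selection with hold-down, to illustrate flap suppression.

Added example (not from the thread).  Assumptions, all constructed for
illustration: one probe per tick to each hub site, Site A preferred, Site B
used only while A is down, and integer thresholds for failover and failback.
"""
from dataclasses import dataclass, field


@dataclass
class TunnelSelector:
    down_threshold: int = 3   # missed A probes before we fail over to B
    up_threshold: int = 6     # good A probes before we fail back to A (hold-down)
    active: str = "A"         # tunnel currently carrying traffic
    a_missed: int = 0         # consecutive missed probes to A
    a_ok: int = 0             # consecutive answered probes to A
    transitions: list = field(default_factory=list)

    def observe(self, tick, a_reachable, b_reachable):
        """Record one probe round and return the tunnel to use for this tick."""
        if a_reachable:
            self.a_missed, self.a_ok = 0, self.a_ok + 1
        else:
            self.a_missed, self.a_ok = self.a_missed + 1, 0

        if self.active == "A" and self.a_missed >= self.down_threshold and b_reachable:
            self._switch(tick, "B")
        elif self.active == "B" and self.a_ok >= self.up_threshold:
            self._switch(tick, "A")           # A has been stable long enough
        elif self.active == "B" and not b_reachable and a_reachable:
            self._switch(tick, "A")           # B died too; A is all we have
        return self.active

    def _switch(self, tick, target):
        self.transitions.append((tick, self.active, target))
        self.active = target


def simulate(probes, down_threshold=3, up_threshold=6):
    """Run a probe sequence through the selector.

    probes: iterable of (a_reachable, b_reachable) booleans, one per tick.
    Returns the list of tunnel switches and the number of ticks on which the
    chosen tunnel's site was actually unreachable (traffic black-holed).
    """
    sel = TunnelSelector(down_threshold, up_threshold)
    blackholed = 0
    for tick, (a_up, b_up) in enumerate(probes):
        active = sel.observe(tick, a_up, b_up)
        if (active == "A" and not a_up) or (active == "B" and not b_up):
            blackholed += 1
    return {"transitions": sel.transitions, "blackholed_ticks": blackholed}


# Constructed probe history: A healthy, then a 6-tick outage, then two flaps
# while it recovers, then healthy again.  B is up throughout.
SITE_A_UP = [True] * 5 + [False] * 6 + [True, False, True, False] + [True] * 8
SITE_B_UP = [True] * len(SITE_A_UP)
PROBES = list(zip(SITE_A_UP, SITE_B_UP))

if __name__ == "__main__":
    for label, down, up in (("hold-down 3/6", 3, 6), ("naive 1/1", 1, 1)):
        result = simulate(PROBES, down, up)
        print(f"{label}: {len(result['transitions'])} switches, "
              f"{result['blackholed_ticks']} black-holed ticks -> {result['transitions']}")
```

The two numbers move in opposite directions: a longer failover threshold costs a few black-holed intervals during the real outage (which the original poster has said is acceptable), while a longer failback hold-down removes the flaps during A's recovery. On Cisco IOS the same idea is expressed with probe tracking and separate up/down delays on the tracked object, so the thresholds here map onto timers rather than probe counts.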

Hi Walter,

Some packet loss is acceptable. What we are trying to avoid is having 1-2 hour outages. We are looking at purchasing an additional concentrator for additional redundancy. The down and dirty of it is I'm looking for a highly reliable, redundant VPN solution without buying too much additional equipment.

I'm basic at best with networking setups. I'm going to check out that link you sent over with Jones' white papers. Any additional resources you may have would be greatly appreciated.

Thanks

Damien

djlanza
