Cisco WAN :: 2821 Disaster Recovery / Redundant VPN Tunnels
Aug 1, 2011
We are setting up a disaster recovery site which will host redundant copies of our servers and critical data in Kansas City. In the case of a disaster, our headquarters site would be totally gone.
Currently we have 7 branch offices that communicate to our HQ via VPN tunnels (either over an Internet circuit, or over a Cox Communications Ethernet WAN circuit). The branch sites each have a 2821 Cisco ISR Router. At the headquarters and at the DR site, we use a Cisco ASA 5510 to terminate the VPN tunnels and do all of our backbone routing. Routing on the ASA and on the branch routers is all static; using a routing protocol would be a nice upgrade in the future? We use lan-2-lan IPSEC VPN tunnels; no GRE/VPN is in use because the ASA does not terminate it. What is the best way to set up my branch routers to automatically or manually fail over to connect to a different ASA at the DR site?
Also, if my headquarters site is still up, but either my Internet circuit or the Cox Ethernet circuit at the headquarters goes down, how can I re-route all traffic in a loop back to the headquarters over the one good remaining circuit?
Is there a better way to do what I want to accomplish? BGP is not an option at this point due to its complexity.
Mar 14, 2013
My question is in relation to disaster recovery for wireless. We have our main data center, in the US, with two 5508 controllers. We have a DR location, in Europe, with two 5508 controllers. We're upgrading our 5508s to the 7.4 code, so that we can take advantage of the RP port for our controllers. With that said, is there a way to make the US and Europe controllers redundant?
If there's a disaster, in the US, would the AP licensing, and AP's attach to the European controllers? Our AP's are set up with HA. I'm more concerned about the licensing flipping over to the DR controllers. I've tried researching this topic, and can't really find anything on it.
Feb 9, 2012
We have to make disaster recovery site EasyVPN tunnels on Cisco 5505 ASA firewalls. Now there is only one main site and 3 remote sites. For DR we have to use the same subnet as on the main site, because the VMware virtual machines will be replicated to DR. For DR we are using Double Take software. What is the best solution for this? I think that we could use Destination NAT on the ASAs. The other sites (HQ and remote) will see only the NAT address of the DR and not the real one, which is the same as on the main site. We are using IPSec VPN? In packet-tracer on the ASA I see that the packet is first NATed and then encrypted, so it should work, yes?
Jun 7, 2012
I am using a Cisco 2821 router at the edge of my network, where the WAN link is terminated. I want to configure redundancy. So will the 2821 support it? If yes, what is the other router? Is it the same series or a different one for a redundant configuration?
Aug 22, 2011
Recently I bought a 2821 router from an auction. The router did have some configuration and a password on it. I tried to break into it by restarting it and pressing the control and pause break signal, the old Cisco method. Now when I try this method on my 2821, it says that password recovery is disabled on the router. After this message the router proceeds with the normal boot process. How do I break the password, even if I lose the configuration?
Apr 1, 2013
I am currently running a 2821 to terminate VPN links from all our branch offices over a WAN. I need to add a second interface in order to facilitate a move to a different WAN provider. Seeing as the 2800 models are EOL, I was looking for an upgrade. My local retailer wants to sell me the following: CISCO3925E-SEC/K9 IS Router 3925E security bundle SEC license pack, HWIC-2T 2 port serial WAN card, MEM-3900-1GU2GB Upgrade to 2GB 1. Now my question is: why can't I use the 2900 models in order to save some money? All I need is a router that will accept 2 different incoming WANs and has the ability to create VPN tunnels over them.
May 20, 2013
We have migrated from a Cisco 2821 to an ASR1002-X. The Cisco router is used as an LNS for our ADSL links, using the L2TP protocol. On the 2821, everything worked fine. After migrating with the same config to the ASR1002-X, everything worked except L2TP sessions.
We wanted to debug, but no debug output about L2TP or PPP is displayed in the console with these commands:
- debug aaa authentication
- debug aaa authorization
- debug radius
- debug vpdn l2x-events
- debug vpdn l2x-errors
- debug vpdn l2x-packet
- debug ppp negotiation
- debug ppp authentication
We don't understand why there is no debug log. Is it a bug in IOS XE? show vpdn session all and show vpdn tunnel all gave "%No active L2TP tunnels"
Here is our configuration:
sh ver
Cisco IOS Software, IOS-XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc3)
Technical Support: [URL]
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Sat 06-Oct-12 13:03 by mcpre
[code]....
May 1, 2012
I need to recover a Cisco 2801 router. I lost the password and "no service password-recovery" is configured. I have made many attempts with the procedure in this link: URL
Aug 3, 2009
In ASA 8.0, I have the following queries related to redundant interfaces:
a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?
b) Is the redundant interface supported in multiple context mode?
Aug 16, 2012
My ASAs have the following versions: ASA Version 8.4(3), ASDM Version 6.4(7). Do I have a chance to configure a site-to-site tunnel with a hostname as the peer address when I use Identity and CA Certificates?
Nov 30, 2012
Can someone give me a sample router config (Cisco801) for the scenario below? I am not familiar with networking. A server with 2 NICs is connected to 2 different switches, and each switch is connected to two LAN interfaces of the same Cisco801 for redundancy. The server must be able to reach the gateway IP (in the router) in case of either a switch failure or a server NIC failure. I also have 2 VLANs, and am going to use the same link for the management VLAN and the application VLAN.
Feb 24, 2012
Does OSPF work between a VSS L3 MEC and an ASA Redundant Interface? Both 6509s are in VSS and an L3 MEC is formed to the ASA. Both ASA ports are part of an L3 Redundant Interface. Please note there is only a single ASA in this topology. [code] Now, the OSPF neighboring does occur and goes into the FULL state on this device; however, soon enough, the state enters the INIT/DROTHER state. But as soon as I disconnect the physical connection to the 6509 (Standby), the OSPF adjacency goes into FULL mode.
Dec 5, 2010
What is the purpose of Redundant Port that says "future use RJ45" on the Cisco WLC 5508?
Dec 7, 2010
We need a redundant uplink on a Cisco 2960 from a Cisco 3550: one uplink is primary and one is for backup. In the current scenario there is one uplink on Cisco 2960 interface fe0/1 from Cisco 3550 int fe0/1 through an OFC cable.
Configuration 2960 int fe0/1:
interface fe0/1
description *** Connect to Cisco 3550 port 1 ***
switchport mode access
switchport access vlan 2
spanning-tree guard loop
Configuration Cisco 3550 int fe0/1:
description *** Connect to Cisco 2960 port 1 ***
switchport mode access
switchport access vlan 2
spanning-tree guard loop
We are facing a problem when the OFC cable goes down, so now we are considering another OFC via another route to connect the same Cisco 2960 switch on fe0/2 from Cisco 3550 int fe0/2, so that when the primary uplink goes down, the backup uplink, which is connected to Cisco 2960 fe0/2 from Cisco 3550 fe0/2, is up. What commands do we need to configure for this requirement on both the Cisco 2960 and 3550 switches, in interface and global mode?
Jun 11, 2012
Q: a client has a network with 60 AP's controlled by a AIR-CT5508-50-K9 (+ L-LIC-CT5508-25A) with a redundant power supply. Can he get full redundancy by purchasing a second controller? If he purchases one, can he bring it into the network? What about the extra license for 25 extra AP's installed on the first controller?
May 29, 2013
We are a small transit ISP for other downlinks, and currently have a setup with a 7201 and a 7206NPE-G1 as core and edge routers; we are also connected to an IXP. Downlinks are usually BGP-connected to one of the border routers, terminated via VLAN, thus a subinterface. The IXP is also connected via VLAN on the router.
What I don't like about this is that when one border goes down, the downlink will lose connectivity. Also, recently we started growing and getting more downlinks, so balancing between borders has become a problem. So my question is how to make the setup less fragile and more redundant.
Mar 22, 2012
Where can I find the ACS 5.X recovery DVD? I have VMware and want to make an .iso to recover a lost system password. I am not able to find it in any Cisco downloads.
Dec 14, 2011
I set up a full mesh LAN-to-LAN VPN for a client with 4 sites. Each site has an ASA 5505 running 8.2(5). Site-to-site VoIP traffic runs in the VPN tunnels, as well as traffic to/from a file-server located at the main site. There are two back-up servers, one at the main site and one at a remote site. The main site has 2 bonded T1s and the other three sites have a single T1. How should I go about setting up my QoS?
My top requirement is that VoIP traffic will never be pushed out of the way for data traffic. My secondary consideration is to give more preference to file-server traffic than to web traffic and to make back-up traffic the least important. I'm currently researching to see if the VoIP provider is DSCP marking EF on the VoIP traffic, but I am going to assume they are for now. I know the IP of the file-server and back-up servers.
Feb 20, 2013
Is there a recommended number of GRE tunnels that Cisco 2921 ISR router with default configuration (512MB DDR2 ECC DRAM) can support?
Jun 5, 2011
I have read that the cisco 1841 can handle up to 100 VPN tunnels by default. Can this IOS version handle SSL VPN tunnels as well?
May 7, 2008
Configuring MPLS over GRE tunnels. I did not find any proper configuration example. I need to do this to encrypt the traffic between two PE routers. I have 7609 routers.
Jun 20, 2012
I am trying to set up a VPN tunnel between a PIX and an ASA. I went through the IPSec site-to-site wizard using the same settings, but I cannot ping hosts from either side.
Here is the setup:
ASA 5520
Device Manager 6.4(5)106
Software version 8.0(5)
Inside network 10.0.0.0/24
Inside IP 10.0.0.1
[code]....
Sep 10, 2012
I have an ASA5515 and our remote sites, which have a mesh topology of VPN. At some times of the day router to particular links are down due to the ISP core, but the tunnels from the same firewall can communicate to other sites. Is it possible to have a way where you could route traffic to another ASA which has a connection to both of the ASAs that want to communicate, and have the traffic hairpinned? I know this is possible, but is it possible to make this automated?
Jul 8, 2012
VPN tunnel monitoring on an ASA5510 with IOS 7.0 (monitoring through a Nagios server). I want to use Nagios to monitor each of the S2S tunnels built on the ASA 5510. I can use ICMP on Nagios by adding the Nagios host to the IPSEC network of each tunnel, but in that case the change needs to be made at the other end of the tunnel as well.
Jul 7, 2011
I have a Cisco 1921 and it has 2 VPN IPsec site-to-site tunnels up and running. Let's say the tunnels go from the Cisco to Site A and Site B.
Now I want Site A to reach Site B through the existing tunnels. I'm guessing that static routes may be the answer, but I can't seem to get it working.
The LAN networks are as follows:
Cisco: 192.168.15.0/24
Site A: 192.168.0.0/24
Site B: 10.27.27.0/24
At Site A I have set up a static route as follows:
Traffic destined for 10.27.27.0/24 goes to gateway 192.168.15.1 (the default gateway of the Cisco LAN)
At Site B I have set up a static route as follows:
Traffic destined for 192.168.0.0/24 goes to gateway 192.168.15.1 (the default gateway of the Cisco LAN)
Jun 13, 2012
We have multiple sites that have either fiber 20mb d/u or cable 50/10 d/u. Recently we upgraded our head end router to a 2921 security based router and noticed that no matter if we are sending or receiving, the most we can push is 1.6Mb. I would expect this number to be at least 8Mb for uploading and at least 18mb for downloading from other sites. I have included parts of my config and screenshots of bandwidth usage for troubleshooting. [code]
Jul 17, 2012
I am having an issue where the GRE tunnels are up/up but are not pingable. The GRE tunnels are on Cisco 1811 and Cisco 2811 routers. The tunnel source and destination IP addresses are private addresses. These private addresses are pingable to each other and they are connected via IPSEC. The IPSEC tunnels are generated from the ASA to which the Cisco routers connect. Probably the tunnels are up/up because keepalives are not configured. But I am still not able to see why I can't ping the end points. The ACL for IPSEC in the ASA includes the "permit gre host <Private IP 1> host <Private IP 2>" commands.
Oct 29, 2011
How to replace a defective redundant sup. I read in several articles that inserting a new redundant sup should not be an issue, as the active sup will always send its configuration to the standby. We are running SSO on the Sup720. Should I switch it to RPR before I install the redundant sup? I read a case wherein they switched it to RPR from SSO before inserting the new redundant sup. My concern is the IOS mismatch, since Cisco doesn't always send the same IOS on RMAs. What I am planning is this.
1. Save/Backup configuration
2. Remove the redundant sup on slot 8 (since it is a 6513)
3. Insert the new redundant sup on slot 8.
4. Check if all the configurations were synced from slot 7 to slot 8.
5. Copy the IOS from sup-bootflash to slavesup-bootflash. (if the IOS are not the same)
6. Check show bootvar to see if the boot variables are correct.
7. If bootvar is the same, reload slot 8 to boot the new IOS.
Is this a good plan or am I missing something? I am worried about this document if the redundant sup has different software. If I insert the card in slot 8, according to Cisco, it will revert to RPR. If slot 8 boots and it has a different OS, then slot 7 will switch to RPR even if it's active. Would I still be able to access the slavesup-bootflash of slot 8? Is it going to boot 100%? I read that doing a force switchover will cause a flip and RPR would cause the line cards to reinitialize, and I don't want that. Well, I am not going to do a force switchover since I want slot 7 to be active and retain slot 8 as hot.
Sep 21, 2012
We have 3750-X's with dual power supplies. When one of them is disconnected the NMS/Netcool is not picking up the trap. What MIB is needed to monitor the power supplies?
Feb 14, 2012
I am configuring a PIX 525. I just found out how to activate the subinterface on it, so that's good. The box has a primary unit and a secondary unit; both are connected from G0 to redundant switches. If I do a show failover, it says it's using the serial-based LAN failover, which is fine by me. However, do I need to create a single, regular interface, or a redundant interface? I.e., if I create a regular subinterface, will failover still apply to this interface? Or, for failover to work, do I need to create a redundant interface (with a redundant ID)? I do not seem to have the option to create a subinterface when adding a redundant interface.
Dec 26, 2012
We have a six-node MPLS network; all nodes route to our main office for a variety of services (email, core, file shares, Internet, etc.). Therefore, the link to our main office is crucial. In the event that the MPLS link to/from our main office becomes unavailable, we would like to establish a secondary route into our main office via virtual private network. Our main office and two branch offices have redundant broadband internet connections. We currently have Cisco 1921 routers as our branch routers and a Cisco 2800 as our “core” router at the main office. We also have two SonicWall TZ-200 series firewalls at the two branch locations and a SonicWall NSA-2400 at our main office. The VPN connection seems to work okay. How would I configure my branch routers to advertise and route traffic out the VPN connection in the event that the MPLS leg to/from our main office is down?
Apr 25, 2012
Currently we are using a single connection to our ISP and in the coming months will be moving to two separate connections (to the same ISP). In our current setup we utilize active/passive ASAs (5520, single context) and would like to utilize that going forward as well, the reason being that our DMZs all hang off of these ASAs and we have fiber connectivity between our datacenters. Our main datacenter and DR datacenter are basically one big LAN with fiber between them, so we have our DMZ networks at both locations currently, with both terminating in our ASAs. That way, if the ASA at our current site fails, the DMZs are still accessible via the secondary firewall at our DR facility.
Mar 10, 2013
I am setting up two 5508 controllers, one in HA mode, and one the primary for the remote sites in question. I plan to have these units service wireless for MPLS-connected regional sites (each with their own local subnet). I was planning on using the cabled hosts network in each site for the wifi addressing and was thinking of different addressing for Guest Access; is this common? I'm obviously concerned with guest access clients but don't know enough about how their traffic is segregated from normal wifi traffic.
Also, when I stand up the controllers the management interface and ap-manager won't be in the same network as where the hosts or LWAP's will reside (routing access will exist though).