Using IPSEC tunnel as redundant link to a destination

L3 Networker

Hello PAN Live Community,

I'm looking at having a redundant link to a given set of destination (servers) over an IPSEC tunnel when primary WAN link goes down.

What is the best way to do this ?

PBF ?

Accepted Solutions

Yes, once the PBF rule is disabled when the primary link goes down, the static route will take over immediately. But you need to have such a static route to direct the desired traffic into the correct tunnel interface.



L6 Presenter

Ok, something is confusing: you have a non-IPSEC connection to the destination on the primary WAN link, and when that one goes down you want an IPSEC connection to that destination on the secondary WAN link? So the backup connection will be more secure than the primary connection?


But yes, PBF rules are for such scenarios. Or in the case of tunnel interfaces you can also use the tunnel monitor functionality.

Cyber Elite

You can set up an end-to-end IPSec tunnel on your secondary link and then have a PBF rule that directs all traffic to your primary link, with a monitoring profile that disables the PBF if the monitor fails; then have a static route (or a second PBF rule) direct traffic into the IPSec tunnel.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


@santonic wrote:

Ok, something is confusing: you have a non-IPSEC connection to the destination on the primary WAN link, and when that one goes down you want an IPSEC connection to that destination on the secondary WAN link? So the backup connection will be more secure than the primary connection?


But yes, PBF rules are for such scenarios. Or in the case of tunnel interfaces you can also use the tunnel monitor functionality.



IPSEC tunnel to that destination over the Internet for backup.. not the WAN link.

So it's for connectivity's sake.. not security's sake.


@reaper wrote:

You can set up an end-to-end IPSec tunnel on your secondary link and then have a PBF rule that directs all traffic to your primary link, with a monitoring profile that disables the PBF if the monitor fails; then have a static route (or a second PBF rule) direct traffic into the IPSec tunnel.



If I disable the PBF when the primary/WAN link goes down (via the monitor configuration), won't the IPSEC site-to-site then immediately take over (without any configuration/traffic engineering such as employing another PBF or static route), as that route will be the only available/remaining one in the routing table for the given destination networks?

Yes, once the PBF rule is disabled when the primary link goes down, the static route will take over immediately. But you need to have such a static route to direct the desired traffic into the correct tunnel interface.
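The accepted approach above (a PBF rule steering the server prefix to the primary WAN link, a monitor that disables that rule when the next hop stops answering, and a static route that then carries the same prefix into the tunnel), as an added PAN-OS CLI configuration example that is not from this thread. Interface names, zone, addresses, rule and profile names are assumptions; lines starting with `#` are annotations, not CLI input.

```text
# Assumed: ethernet1/1 = primary WAN link, 203.0.113.1 = its next hop,
# tunnel.1 = IPSec tunnel riding the secondary Internet link,
# 10.10.0.0/24 = the server networks, Trust = inside zone.

# Monitor profile: fail over after 5 missed probes sent every 3 seconds.
set network profiles monitor-profile WAN-Primary-Monitor action fail-over interval 3 threshold 5

# PBF rule: force traffic for the servers out the primary WAN link...
set rulebase pbf rules Servers-via-Primary from zone Trust
set rulebase pbf rules Servers-via-Primary source any
set rulebase pbf rules Servers-via-Primary destination 10.10.0.0/24
set rulebase pbf rules Servers-via-Primary application any
set rulebase pbf rules Servers-via-Primary service any
set rulebase pbf rules Servers-via-Primary action forward egress-interface ethernet1/1
set rulebase pbf rules Servers-via-Primary action forward nexthop ip-address 203.0.113.1

# ...and disable the rule while the monitored next hop is unreachable,
# so the session falls back to a normal routing-table lookup.
set rulebase pbf rules Servers-via-Primary action forward monitor profile WAN-Primary-Monitor
set rulebase pbf rules Servers-via-Primary action forward monitor disable-if-unreachable yes
set rulebase pbf rules Servers-via-Primary action forward monitor ip-address 203.0.113.1

# Static route: the only routing-table entry for the prefix points into the
# tunnel, so once the PBF rule is disabled the servers are reached over IPSec.
set network virtual-router default routing-table ip static-route Servers-via-VPN destination 10.10.0.0/24 interface tunnel.1 metric 10
```

After commit, `show pbf rule all` shows the rule state (active or disabled by the monitor) and `show routing route` confirms the tunnel route for the prefix is installed.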



@santonic wrote:

Yes, once the PBF rule is disabled when the primary link goes down, the static route will take over immediately. But you need to have such a static route to direct the desired traffic into the correct tunnel interface.



Makes sense.. Thanks so much!

Or... even easier.. not do a PBF.. and just do a floating static (influencing the administrative distance) over the IPSec site-to-site...?


Yes, but what will make the primary route be deleted? You can lose connectivity but the interface status remains up.


@santonic wrote:

Yes, but what will make the primary route be deleted? You can lose connectivity but the interface status remains up.


Understood.. given the fault scenario and the permutations/combinations of faults.

A floating static alone might be enough.. and in other scenarios monitoring on a PBF might be needed.


I have enough to build my traffic engineering anyhow.. Thanks all.

  • 1 accepted solution
  • 3560 Views
  • 9 replies
  • 0 Likes