Networking Guru's

Am I barking up the wrong tree?

Let me just draw you a simplistic picture of the current set up.

Site A - Headquarters
Firewall
Core Switch

Site B - Branch Office
Firewall
Core switch

Now Site A and B are connected two ways: one is a 100 MB site to site fibre connection that terminates on the core switches, and the other is a site to site VPN that terminates at the firewalls. Now obviously the site to site 100 MB link is the fastest, and currently it's the default route for traffic intended for each site on the core switches. What I'm trying to do is essentially automate fail over.

If the 100 MB site to site link fails I would like the core switches to route the traffic over the VPN without me having to modify the core switch config and manually change the IP routes.

Is RIP the answer I'm looking for here? If I enabled RIP on both the core switches and firewalls will this do what I want?

Thanks for your help
 
Hi Hulkster

The site to site fibre connection is indeed layer 2, all machines in the sites use their local core switch as the default gateway.

The core switch then routes internal traffic over the site to site link and anything else to the firewall. It's a fairly simple setup.
 
- Does each site have its own Internet connection? Should each site use its own internet connection?
- Is each site on its own subnet, or have you left it flat layer 2?
- If on its own subnet, how are you routing between the two?

I don't know your switches, but they appear to be layer 3.

Yes each site has its own internet connection
Each site is on its own subnet
The core switches are indeed layer 3 and routing traffic between vlans.

I think I'm going to change the setup of the network, make the firewalls the default gateways and use them to control the IP routes.
 
I've set it up pretty much like #Chri5# has suggested. The static route is set up to direct traffic intended for the other site over the LES, but I've assigned a network probe to it. If the probe fails the route is disabled and the firewall should route the traffic over the VPN... in theory.

Will need to run a few tests.
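The probe-tracked static route described in the last post, modelled in Python as an added example (this is not the poster's firewall configuration; the site subnets, next-hop names and probe name are made up): the primary route over the fibre link is only active while its probe reports up, and the VPN route sits behind it with a worse administrative distance, so the lookup falls back automatically when the probe fails.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    distance: int              # administrative distance: lower wins
    track: Optional[str] = None  # probe that must be up for the route to be active


class Router:
    """Minimal routing table with probe-tracked static routes."""

    def __init__(self):
        self.routes = []
        self.probes = {}       # probe name -> True (up) / False (down)

    def add_route(self, prefix, next_hop, distance, track=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, distance, track))

    def set_probe(self, name, up):
        self.probes[name] = up

    def active_routes(self):
        # An untracked route is always active; a tracked one needs its probe up.
        # A tracked route whose probe has never reported is treated as down.
        return [r for r in self.routes if r.track is None or self.probes.get(r.track, False)]

    def lookup(self, dst):
        """Longest-prefix match among active routes, ties broken by distance."""
        addr = ipaddress.ip_address(dst)
        candidates = [r for r in self.active_routes() if addr in r.prefix]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))
        return best.next_hop


def build_site_a_firewall():
    """Constructed example: Site A firewall reaching Site B (10.2.0.0/16)."""
    fw = Router()
    fw.add_route("10.2.0.0/16", "fibre-core-b", distance=1, track="fibre")  # LES, probed
    fw.add_route("10.2.0.0/16", "vpn-tunnel", distance=10)                 # floating backup
    fw.add_route("0.0.0.0/0", "internet", distance=1)                      # local breakout
    fw.set_probe("fibre", True)
    return fw
```

With the probe up, `lookup("10.2.0.5")` returns the fibre next hop; after `set_probe("fibre", False)` the same lookup returns the VPN tunnel, while Internet-bound traffic keeps using the local default route either way.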
 