How do you deal with Site to Site VPN and SDWAN

Hi All

How would you deal with this situation? We have 4 ISP links that we use for SDWAN. But we need to configure a VPN tunnel between our two sites. Each ISP would have their own public IP. We have a /24 public IP block that we can advertise out of one ISP at a time. We can't split this /24 up into subnets and advertise them out to the different ISPs. I was thinking of configuring a loopback interface with one of our public IPs for the VPN interface and route. But what if a link is unstable, how can you automatically choose a better path for the VPN like you can for SDWAN? (all the IPs in the diagram are made up)

You would set up one VPN from each ISP, then use the VPN virtual interfaces as SDWAN members in one SDWAN zone.

There is no diagram, so my question is: Is your /24 different from the public IP you have from each ISP? I assume so, because otherwise you’d have issues with overlapping subnets.

It also isn’t clear what your actual problem is, because I see at least three different problems in this post, but you haven’t said where exactly you are having issues. For example, “better path for the VPN”. Better path for what?

Fabric Overlay Orchestrator is what you’re looking for. Set it up in Health Check mode and thank me later.

Requirements are :

  • Security Fabric enabled
  • Firmware 7.2.7 or higher.

It sets up 2 overlays (1 for each WAN link, assuming 2 for redundancy) and uses SD-WAN with SLAs to automatically use the best WAN to route data between hub and spoke. It also automatically sets up spoke-to-spoke tunnels based on traffic flow.

How critical is the VPN traffic? Does it need to be shaped all the time? Or can you just configure VPN with FQDN so it fails over in the event of a failure but otherwise just uses the active link?

Configure IPsec VPN with SD-WAN - Fortinet Community

I added the diagram. The issue is how do I get the VPN to dynamically choose between the ISPs? If the primary ISP fails then traffic for the VPN gateway is routed via the next best ISP because of BGP. But what happens in a situation where there is packet loss on the link but BGP is still up?

Look through these docs and they should help. You can use performance SLAs with BGP communities to ensure traffic goes the way you want with the threshold you want to set. If you don’t know it well, you might want to get a day or so of PS to help you get it right because a badly designed SDWAN will create more headaches than solutions.
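Added worked example (not posted by anyone in the thread): the first reply's design ("one VPN from each ISP, tunnel interfaces as SD-WAN members in one zone") combined with the last reply's performance SLA, written as FortiOS 7.x CLI for site A. Each tunnel is bound to a WAN interface, so it sources from that ISP's own public address rather than from the /24 that follows BGP. Only two of the four ISP links are shown; the other two repeat the same pattern. Interface names, tunnel names, member IDs, the 10.255.x.x tunnel addressing, the site B LAN 10.20.0.0/16, the address objects siteA_lan and siteB_lan, and the PSK are all assumptions for illustration, public addresses are RFC 5737 documentation ranges, and the remote side needs a mirror-image configuration.

```fortios
# Site A, two of the four ISP links shown; ISP3/ISP4 repeat the same pattern.
# Names, tunnel addressing, address objects and the PSK are placeholders (assumed).
config vpn ipsec phase1-interface
    edit "ol_isp1"
        set interface "wan1"                 # sourced from ISP1's own public IP
        set ike-version 2
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set remote-gw 198.51.100.1           # site B on its ISP1 link (assumed)
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
    edit "ol_isp2"
        set interface "wan2"                 # sourced from ISP2's own public IP
        set ike-version 2
        set proposal aes256gcm-prfsha384
        set dhgrp 20
        set remote-gw 198.51.100.65          # site B on its ISP2 link (assumed)
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "ol_isp1"
        set phase1name "ol_isp1"
        set proposal aes256gcm
        set auto-negotiate enable
    next
    edit "ol_isp2"
        set phase1name "ol_isp2"
        set proposal aes256gcm
        set auto-negotiate enable
    next
end
# Address each tunnel interface so it can be probed and routed like any other link
config system interface
    edit "ol_isp1"
        set ip 10.255.1.1 255.255.255.255
        set remote-ip 10.255.1.2 255.255.255.252
    next
    edit "ol_isp2"
        set ip 10.255.2.1 255.255.255.255
        set remote-ip 10.255.2.2 255.255.255.252
    next
end
config system sdwan
    set status enable
    config zone
        edit "overlay"
        next
    end
    config members
        edit 11
            set interface "ol_isp1"
            set zone "overlay"
        next
        edit 12
            set interface "ol_isp2"
            set zone "overlay"
        next
    end
    # Probe a site B address out of every tunnel; a member with loss above the
    # threshold drops out of SLA even while IKE (or BGP across it) is still up
    config health-check
        edit "siteB_probe"
            set server "10.20.0.1"           # site B LAN gateway (assumed)
            set members 11 12
            config sla
                edit 1
                    set link-cost-factor latency packet-loss
                    set latency-threshold 150
                    set packetloss-threshold 2
                next
            end
        next
    end
    # Steer site-to-site traffic to the first listed member that meets the SLA
    config service
        edit 1
            set name "to_siteB"
            set mode sla
            set src "siteA_lan"
            set dst "siteB_lan"
            config sla
                edit "siteB_probe"
                    set id 1
                next
            end
            set priority-members 11 12
        next
    end
end
# Route via the zone, not a single tunnel, so the service rule picks the member
config router static
    edit 1
        set dst 10.20.0.0 255.255.0.0
        set sdwan-zone "overlay"
    next
end
```

With this in place a lossy ISP does not need BGP to go down: once probes over ol_isp1 exceed 2% loss or 150 ms, the service rule moves site B traffic to ol_isp2 and moves it back when ISP1 recovers. A firewall policy from the LAN interface to the "overlay" zone is still required, and if you run BGP over the tunnels instead of the static route above, the same health check can be tied to BGP communities as the last reply describes. Verify the exact option names against the FortiOS version you are running before applying.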