Hello Joni,
In your scenario, there doesn't seem to be detail concerning the set-up of the 'shared' subnet. So, I would appreciate any corrections on my interpretation.
You can use BGP to route the traffic as described, using the VPN A connection as the primary, failing over to the VPN B connection in the event of complete failure of the primary CGW (Cisco router DC) or VPN Connection. However, please be advised that each Site-to-Site VPN connection is comprised of two tunnels for redundancy. When one tunnel becomes unavailable, traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection (e.g. VPN A). Both tunnels would have to fail in order to shift traffic to VPN B.
It seems like you are looking for more robust redundancy by adding a second VPN Connection, VPN B, terminating on a secondary CGW (Cisco router DR). It would be good if you could provide additional detail about the Customer Premises side of the scenario. It would help clarify configuration options.
There is additional documentation on this topic (Site-to-Site multiple VPN connection examples): https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html
There are several configuration options for the Cisco/On-Prem side of this scenario.
AS Path Prepending
As previously mentioned, you could advertise a prepended route from the backup Cisco router over the VPN B connection. The traffic from the VPC would only use this path when the unmodified route being advertised over VPN A disappeared due to a malfunction.
Less specific CIDR range for Backup Path
You could also advertise a less specific CIDR range from the backup Cisco router over the VPN B connection. The traffic from the VPC would only use this path when the more specific route being advertised over VPN A disappeared due to a malfunction.
In both of these cases, the VPN B Connection is active, but not used for traffic from the VPC to the Customer because the VPN A Connection is considered the better path in terms of route priority.
Hello.
I think it's possible if you use BGP for VPN routing.
As stated in the document below, the one with the shortest AS Path is prioritized, so you can configure the Active side router to shorten the AS Path.
Since the AS Path uses the shorter route, normally Cisco VPN A should be used, but if a failure occurs, Cisco VPN B should be used.
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html#vpn-route-priority
- BGP propagated routes from an AWS Direct Connect connection
- Manually added static routes for a Site-to-Site VPN connection
- BGP propagated routes from a Site-to-Site VPN connection
- For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred.
https://repost.aws/knowledge-center/vpn-configure-tunnel-preference
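Both answers above rely on the same route-selection behaviour at the AWS side: for matching prefixes, the more specific prefix wins, then the route source in the order quoted from the AWS documentation, and between BGP-learned VPN routes the shortest AS PATH is preferred. The following Python model, added here as an illustration and not taken from AWS or Cisco, replays the two designs described (AS path prepending on VPN B, and a less specific CIDR on VPN B) together with the two-tunnels-per-connection point from the first answer. The prefixes, the AS number 65000, the destination address and the connection names are constructed for the example; BGP tie-breaking beyond AS PATH length is deliberately not modelled.

```python
from ipaddress import ip_address, ip_network

# Route-source preference in the order given by the AWS route-priority list
# quoted above (lower rank wins once prefixes of equal length compete).
SOURCE_RANK = {
    "direct_connect_bgp": 0,   # BGP routes from a Direct Connect connection
    "vpn_static": 1,           # static routes for a Site-to-Site VPN connection
    "vpn_bgp": 2,              # BGP routes from a Site-to-Site VPN connection
}


class VpnConnection:
    """One Site-to-Site VPN connection: two tunnels, each up or down."""

    def __init__(self, name, tunnels_up=(True, True)):
        self.name = name
        self.tunnels_up = list(tunnels_up)

    def is_up(self):
        # Traffic shifts between the two tunnels of the same connection; the
        # connection stops carrying its routes only when both tunnels fail.
        return any(self.tunnels_up)


class Route:
    def __init__(self, prefix, source, via, as_path=()):
        self.prefix = ip_network(prefix)
        self.source = source          # key into SOURCE_RANK
        self.via = via                # VpnConnection that advertises this prefix
        self.as_path = tuple(as_path)


def select_path(routes, destination):
    """Longest prefix match, then route source, then shortest AS PATH.

    Returns the winning Route, or None if no live route covers the address.
    """
    dst = ip_address(destination)
    live = [r for r in routes if r.via.is_up() and dst in r.prefix]
    if not live:
        return None
    return min(
        live,
        key=lambda r: (-r.prefix.prefixlen, SOURCE_RANK[r.source], len(r.as_path)),
    )


def prepend_scenario(vpn_a_tunnels=(True, True)):
    """Same prefix on both connections; VPN B prepends its own AS twice."""
    vpn_a = VpnConnection("VPN A", vpn_a_tunnels)
    vpn_b = VpnConnection("VPN B")
    routes = [
        Route("10.0.0.0/16", "vpn_bgp", vpn_a, as_path=(65000,)),
        Route("10.0.0.0/16", "vpn_bgp", vpn_b, as_path=(65000, 65000, 65000)),
    ]
    chosen = select_path(routes, "10.0.5.10")
    return chosen.via.name if chosen else None


def less_specific_scenario(vpn_a_tunnels=(True, True)):
    """VPN B advertises a covering /8 instead of the /16 used on VPN A."""
    vpn_a = VpnConnection("VPN A", vpn_a_tunnels)
    vpn_b = VpnConnection("VPN B")
    routes = [
        Route("10.0.0.0/16", "vpn_bgp", vpn_a, as_path=(65000,)),
        Route("10.0.0.0/8", "vpn_bgp", vpn_b, as_path=(65000,)),
    ]
    chosen = select_path(routes, "10.0.5.10")
    return chosen.via.name if chosen else None


if __name__ == "__main__":
    print(prepend_scenario())                      # VPN A
    print(prepend_scenario((False, True)))         # VPN A (one tunnel down)
    print(prepend_scenario((False, False)))        # VPN B (both tunnels down)
    print(less_specific_scenario())                # VPN A
    print(less_specific_scenario((False, False)))  # VPN B
```

The single-tunnel-down case is the one worth checking in a real deployment: with one tunnel of VPN A lost, the model still picks VPN A, which matches the first answer's point that failover to VPN B happens only when the whole VPN A connection stops advertising the prefix.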
Please provide a specific configuration.
This information is very helpful. Please provide a more specific example and configuration detail that will be helpful.
Hello Joni, In your scenario, there's not enough detail concerning the existing set-up of the 'shared' subnet.
Please review the following: https://community.cisco.com/t5/networking-blogs/bgp-as-path-prepending-configuration/ba-p/3819334. It contains details for configuring a route map (on R4) to AS Path prepend your advertisements to the VGW.