Cisco Systems CL-28826-01 Security Camera User Manual


24-39
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Configuring Dial Backup
You can use dial backup to provide a fallback link for a primary, direct connection when the primary link
becomes unavailable. You can configure dial backup on Cisco IOS security routers that participate in a
point-to-point, Extranet, or full mesh VPN topology, or that are spokes in a hub-and-spoke topology. You
can also configure it on a remote client router running IOS version 12.3(14)T+ in an Easy VPN topology.
Implementation of the dial backup feature is based on the assumption that two static routes exist:
• A primary route through a primary gateway, which has highest priority.
• A secondary route through a secondary gateway, which has lower priority and only appears in the
routing table when the primary gateway is down.
Security Manager configures a logical dialer interface on the spoke. The dialer interface is associated
with a physical backup interface. When the primary route is down, the dialer interface is activated and
traffic is redirected through this backup interface along the secondary route. To ensure that the spoke-hub
traffic is encrypted, Security Manager applies a crypto map to the dialer interface. This crypto map is
identical to the crypto map on the VPN interface (the primary route interface). In Easy VPN, the backup
configuration is attached to the dialer interface.
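As an added example (not Security Manager output and not part of the guide), the Python check below audits a router configuration for the two properties described above: the dialer interface carries the same crypto map as the primary VPN interface, and the route through the dialer has lower priority than the primary route. The sample configuration, interface names, addresses and the map name VPN-MAP are constructed for illustration.

```python
import re

# Constructed sample config; interface names, addresses and the map name are illustrative.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map VPN-MAP
!
interface Dialer1
 ip address negotiated
 dialer pool 1
 crypto map VPN-MAP
!
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 200
"""

def interface_crypto_maps(config):
    """Map each interface name to the crypto map applied to it (None if absent)."""
    maps, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            maps[current] = None
        elif not line.startswith(" "):
            current = None  # a non-indented line ends the interface block
        elif current and (m := re.match(r" crypto map (\S+)", line)):
            maps[current] = m.group(1)
    return maps

def audit_dial_backup(config, primary_if):
    """Return findings; an empty list means the backup path mirrors the primary."""
    findings = []
    maps = interface_crypto_maps(config)
    primary_map = maps.get(primary_if)
    if primary_map is None:
        findings.append(f"{primary_if}: no crypto map on the primary interface")
    for name, cmap in maps.items():
        if name.startswith("Dialer") and cmap != primary_map:
            findings.append(f"{name}: crypto map {cmap} does not match primary {primary_map}")
    # The secondary route must carry an explicit distance above the default of 1.
    for m in re.finditer(r"^ip route \S+ \S+ (Dialer\d+)(?: (\d+))?\s*$", config, re.M):
        if int(m.group(2) or 1) <= 1:
            findings.append(f"{m.group(1)}: backup route is not lower priority than the primary")
    return findings

if __name__ == "__main__":
    print(audit_dial_backup(SAMPLE_CONFIG, "GigabitEthernet0/0") or "no findings")
```

A dialer interface without the matching crypto map is the case to watch for: when the primary route fails, spoke-hub traffic would follow the secondary route without the encryption applied on the primary path.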
Depending on the IOS version, Response Time Reporter (RTR) or Service Level Agreement (SLA) IOS
technology is used to detect loss of network performance on the primary route. If the assigned IPsec
technology is DMVPN, Dialer Watch-List (DWL) is used.
ISDN Basic Rate Interface (BRI) and analog modem interfaces can be configured as backup interfaces
to other primary interfaces. If the primary interface and its connection go down, the ISDN or analog
modem interface immediately dials out to establish a connection so that network services are not lost.
Before You Begin
• Configure the dialer interface settings on the Cisco IOS routers. This requires defining the
relationship between the physical BRI and Async interfaces, and the virtual dialer interfaces used
when configuring dial backup. For more information, see Dialer Interfaces on Cisco IOS Routers,
page 59-27.
• Make sure that the primary route is functioning.
• For Extranet VPNs, you can configure dial backup on the local (managed) device only.
Step 1 For most VPN topologies, you configure dial backup when creating or editing a site-to-site VPN. You
can also edit the Peers policy for existing VPN topologies. For Extranet VPNs, you configure dial backup
through the Peers policy only.
Do one of the following:
• In the Create VPN wizard, proceed to the Endpoints page (see Creating or Editing VPN Topologies,
page 24-28 and Defining the Endpoints and Protected Networks, page 24-33).
• In the Edit VPN dialog box, click the Endpoints tab (see Creating or Editing VPN Topologies,
page 24-28 and Defining the Endpoints and Protected Networks, page 24-33).
• For Extranet VPNs, or for editing any other VPN topology, select the Peers policy. For general
information on editing endpoints, see Defining the Endpoints and Protected Networks, page 24-33.
Step 2 Select the router on which you want to configure dial backup and click the Edit (pencil) button. If there
is more than one router that will have the same dialer configuration, you can select and edit them all at
once.