Floating static routes for VPN backup connectivity

By powder21 ·
I have a central location and four remote locations with a router at each location. I will have private leased lines for main WAN connectivity. I will also be using IPsec over GRE for VPN backups from each location to the central location over the public IP cloud. My plan is to configure EIGRP on each of the routers as well as "floating static routes" for the GRE tunnels.

My questions are:

1. Will this work to ensure that the VPNs are only used in the event that the main WAN connectivity goes down and that the VPNs are not used when the main WAN connectivity comes back up?

2. If the floating routes are configured for the GRE tunnels, will this prevent the EIGRP protocol from using the GRE tunnels as part of its topology?

3. Should this be the other way around (meaning should I configure static routes for the main WAN links and EIGRP for the GRE tunnels?)

4. If I do configure it as mentioned in question 3, won't the static routes have to be manually re-added to the table when the WAN links come back up (as opposed to GRE tunnels which are always considered up so the static routes would never be removed from the table)?

The idea is to get the VPN backups to work transparently without any manual adjustments to the router config. Any thoughts would be greatly appreciated. Thank you.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Answers

Collapse -

HIPAA requirements

by CG IT In reply to Floating static routes fo ...

These are the HIPAA regulations regarding protected ePHI data that are part of the Technical Safeguards. When planning for how ePHI is handled follow the regs outlined in these paragraphs.




The most important on is this:

164.312(b) R= Audit Controls ? Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

If you can't implement some mechanism to record activity and a procedure to examine that activity for access controls as well as to determine if ePHI data was changed, intercepted, or other accessed in an unauthorized manner, then you won't comply.

So your design including any failover design must take that in consideration if you transmit PHI electronically. The regulations don't distinguish between internal and external transmission as each is a potential source of disclosure of PHI.

So if you really want to impress the auditors, you don't transmit data over the network, either LAN or WAN without it being encrypted, even if it's on a seperate subnet or in a seperate vlan.

Collapse -

Thanks for the tip!

by powder21 In reply to HIPAA requirements

I'll have to start thinking about how to add additional encryption.

Collapse -

Anyone else?

by powder21 In reply to Floating static routes fo ...

Still need help with whether or not this configuration will work. Please help.

Related Discussions

Related Forums