MPLS and Internet VPN Load Balancing

Mar 11th, 2008
Hi Pros!


Is it possible to load balance MPLS and internet VPN? We have MPLS/VPN for our private connection and I want to make VPN using Internet and load balance the two connections. Is that possible? If yes, can someone provide me a link for my reference?


tnx and regards to all!

royalblues Tue, 03/11/2008 - 03:54

We need to know more about your network topology


It is possible to set the routing in such a way that the internet is used as a backup for your MPLS connection


Narayan

Danilo Dy Tue, 03/11/2008 - 06:10

Hi,


If you have two sites each currently connected to internet using an EDGE Router and an INTERNET Firewall behind it, you can add a NEW Router (capable of running IPSec) and an INTERNET Switch (or use existing switch and create a VLAN, you only need three interfaces anyway). Connect the EDGE Router, INTERNET Firewall, and the NEW Router to INTERNET Switch. This is a triangle, the subnet within this triangle is a Public IP Address. The NEW Router has another interface to connect to the INTERNET Firewall (for filtering).


For example, each Site (SiteA and SiteB) should have...

EDGE Router WAN0 Interface: Connects to ISP using Public IP Address (/30 minimum)

EDGE Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.1/29)

NEW Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.2/29)

NEW Router LAN1 Interface: Connects to INTERNET Firewall LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.1/30)

NEW Router WAN0 Interface: Connects to MPLS

INTERNET Firewall LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.3/29)

INTERNET Firewall LAN1 Interface: Connects to NEW Router LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.2/30)

INTERNET Firewall LAN2-onwards Interface: Connects to your other LAN Segment behind the firewall


Configure IP GRE Tunnel through MPLS between two sites in NEW Router

Configure IP GRE Tunnel over IPSec through Internet between two sites in NEW Router

Configure ACL in SiteA NEW Router LAN0 Interface to accept connection from SiteB NEW Router LAN0 Interface only (vice versa)

Configure IPSec ACL that the tunnel will be triggered only by IP GRE tunnel

Configure routing through IP GRE Tunnels


Since Internet bandwidth is not guaranteed, you can configure a floating static route and use IP GRE Tunnel through MPLS as primary and IP GRE Tunnel over IPSec through Internet as backup. Else, you can configure OSPF and use equal path load balancing.


This will work and is secure. However, it depends on resources at both sites, i.e. NEW Router, EDGE Router, INTERNET Firewall, INTERNET Switch, Public IP Address, Interfaces needed in NEW Router and INTERNET Firewall.


NOTE: Don't forget to put "keepalive 5 4" in the IP GRE Tunnel interface. I'm not sure if "keepalive" is enabled by default in newer IOS, but when I did this configuration 3 years ago, "keepalive" is disabled by default in 12.2 IOS on 2600 series router (I think). Oh, if you have VPN Accelerator Card installed in your router, don't forget to enable it.


Regards,

Dandy

Joseph W. Doherty Tue, 03/11/2008 - 07:09

You didn't mention how you're routing across the MPLS/VPN.


I work with a client that uses BGP across their MPLS/VPN. Their Internet VPN uses GRE/IPSec, also uses BGP between sites. Works fine as long as you handle the difference in AS hops between Internet VPN and MPLS/VPN.


Earlier same client was using OSPF across various WAN technologies (p-2-p, frame-relay, ATM) and OSPF across Internet VPN using GRE/IPSec. VPN path usage was dependent on costing, usually configured for equal costing.


Both of the above worked easily as long as VPN GRE/IPSec just appeared as another path. I.e., from routing perspective, treating it as such too.

cmadiam82 Tue, 03/11/2008 - 09:11

Hi josephdoherty,


We're only using static route for our MPLS/VPN.

Joseph W. Doherty Tue, 03/11/2008 - 09:30

Well you can static route across GRE/IPSec tunnels too.

cmadiam82 Tue, 03/11/2008 - 23:50

Can someone point me to a link where I can use it as reference? I want to implement this one...tnx all!!!

Danilo Dy Wed, 03/12/2008 - 07:05

Which one? My recommendation? I combined multiple examples from Cisco Technical Documentations to make it happen.

agonza07 Wed, 03/12/2008 - 09:12

I have the same requirements but I want to just use the GRE tunnel in case the MPLS goes down. I also want to keep both links up at the same time, however I am running BGP on my MPLS link and EIGRP on my tunnel. So far in my test environment, my EIGRP takes precedence over my BGP and I don't even see the BGP routes. But when I shut down my tunnel, I can see my BGP routes. Is there any way to have BGP take precedence over my EIGRP routes?


The only other way I see to do this is using EEM with ping object tracking, but if possible I'd like to find out if the above is possible.


Thanks.

Joseph W. Doherty Wed, 03/12/2008 - 17:24

You could adjust the administrative distance of one or both.
