03-11-2008 02:04 AM - edited 03-03-2019 09:04 PM
Hi Pros!
Is it possible to load balance MPLS and internet VPN? We have MPLS/VPN for our private connection and I want to make a VPN using the Internet and load balance the two connections. Is that possible? If yes, can someone provide me a link for my reference?
tnx and regards to all!
03-11-2008 03:54 AM
We need to know more about your network topology.
It is possible to set the routing in such a way that the internet is used as a backup for your MPLS connection.
Narayan
03-11-2008 05:32 AM
Do you know any link for me to read?
tnx!
03-11-2008 06:10 AM
Hi,
If you have two sites each currently connected to the Internet using an EDGE Router and an INTERNET Firewall behind it, you can add a NEW Router (capable of running IPSec) and an INTERNET Switch (or use an existing switch and create a VLAN, you only need three interfaces anyway). Connect the EDGE Router, INTERNET Firewall, and the NEW Router to the INTERNET Switch. This is a triangle; the subnet within this triangle is a Public IP Address. The NEW Router has another interface to connect to the INTERNET Firewall (for filtering).
For example, each Site (SiteA and SiteB) should have...
EDGE Router WAN0 Interface: Connects to ISP using Public IP Address (/30 minimum)
EDGE Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.1/29)
NEW Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.2/29)
NEW Router LAN1 Interface: Connects to INTERNET Firewall LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.1/30)
NEW Router WAN0 Interface: Connects to MPLS
INTERNET Firewall LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.3/29)
INTERNET Firewall LAN1 Interface: Connects to NEW Router LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.2/30)
INTERNET Firewall LAN2-onwards Interface: Connects to your other LAN Segment behind the firewall
Configure IP GRE Tunnel through MPLS between two sites in NEW Router
Configure IP GRE Tunnel over IPSec through Internet between two sites in NEW Router
Configure ACL in SiteA NEW Router LAN0 Interface to accept connection from SiteB NEW Router LAN0 Interface only (vice versa)
Configure IPSec ACL that the tunnel will be triggered only by IP GRE tunnel
Configure routing through IP GRE Tunnels
Since Internet bandwidth is not guaranteed, you can configure a floating static route and use the IP GRE Tunnel through MPLS as primary and the IP GRE Tunnel over IPSec through the Internet as backup. Else, you can configure OSPF and use equal path load balancing.
This will work and be secure. However, it depends on resources at both sites, i.e. NEW Router, EDGE Router, INTERNET Firewall, INTERNET Switch, Public IP Address, Interfaces needed in NEW Router and INTERNET Firewall.
NOTE: Don't forget to put "keepalive 5 4" in the IP GRE Tunnel interface. I'm not sure if "keepalive" is enabled by default in newer IOS, but when I did this configuration 3 years ago, "keepalive" is disabled by default in 12.2 IOS on 2600 series router (I think). Oh, if you have VPN Accelerator Card installed in your router, don't forget to enable it.
Regards,
Dandy
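An IOS configuration sketch of the SiteA NEW Router steps listed in the post above, added here as an example and not the poster's own configuration. Interface names, all addresses (documentation ranges), the ACL, crypto map and transform-set names, the crypto parameters and the key placeholder are assumptions.

```cisco
! SiteA NEW Router. Constructed addressing (all assumed, not from the post):
!   203.0.113.2 = SiteA LAN0, 203.0.113.1 = SiteA EDGE Router, 198.51.100.2 = SiteB LAN0
!   10.255.0.1 / 10.255.0.5 = MPLS-side addresses, 10.2.0.0/16 = SiteB LAN
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! IPSec ACL: only the GRE tunnel between the two NEW Routers triggers encryption
ip access-list extended GRE-OVER-INTERNET
 permit gre host 203.0.113.2 host 198.51.100.2
crypto map INET-VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set GRE-TS
 match address GRE-OVER-INTERNET
!
interface Tunnel0
 description GRE through MPLS (primary)
 ip address 172.16.0.1 255.255.255.252
 keepalive 5 4
 tunnel source 10.255.0.1
 tunnel destination 10.255.0.5
interface Tunnel1
 description GRE over IPSec through Internet (backup)
 ip address 172.16.0.5 255.255.255.252
 keepalive 5 4
 tunnel source 203.0.113.2
 tunnel destination 198.51.100.2
!
! LAN0 ACL: accept IKE, ESP and GRE from the SiteB NEW Router only
ip access-list extended FROM-SITEB-ONLY
 permit udp host 198.51.100.2 host 203.0.113.2 eq isakmp
 permit esp host 198.51.100.2 host 203.0.113.2
 permit gre host 198.51.100.2 host 203.0.113.2
interface FastEthernet0/0
 description LAN0 to INTERNET Switch VLAN999
 ip address 203.0.113.2 255.255.255.248
 ip access-group FROM-SITEB-ONLY in
 crypto map INET-VPN
!
! Reach the SiteB peer through the EDGE Router
ip route 198.51.100.2 255.255.255.255 203.0.113.1
! Floating static: the Tunnel0 route (default distance) is preferred; the Tunnel1
! route (distance 250) is installed only when keepalives bring Tunnel0 down
ip route 10.2.0.0 255.255.0.0 Tunnel0
ip route 10.2.0.0 255.255.0.0 Tunnel1 250
```

SiteB mirrors this with the addresses swapped. The GRE permit in the LAN0 ACL is there for IOS releases that re-apply the inbound ACL to the packet after decryption.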
03-11-2008 09:08 AM
Tnx Dandy! I will give it a try...
03-11-2008 07:09 AM
You didn't mention how you're routing across the MPLS/VPN.
I work with a client that uses BGP across their MPLS/VPN. Their Internet VPN uses GRE/IPSec, also uses BGP between sites. Works fine as long as you handle the difference in AS hops between Internet VPN and MPLS/VPN.
Earlier same client was using OSPF across various WAN technologies (p-2-p, frame-relay, ATM) and OSPF across Internet VPN using GRE/IPSec. VPN path usage was dependent on costing, usually configured for equal costing.
Both of the above worked easily as long as VPN GRE/IPSec just appeared as another path. I.e., from routing perspective, treating it as such too.
03-11-2008 09:11 AM
Hi josephdoherty,
We're only using static route for our MPLS/VPN.
03-11-2008 09:30 AM
Well you can static route across GRE/IPSec tunnels too.
03-11-2008 11:50 PM
Can someone point me to a link where I can use it as a reference? I want to implement this one... tnx all!!!
03-12-2008 07:05 AM
Which one? My recommendation? I combined multiple examples from Cisco Technical Documentation to make it happen.
03-12-2008 09:12 AM
I have the same requirements but I want to just use the GRE tunnel in case the MPLS goes down. I also want to keep both links up at the same time, however I am running BGP on my MPLS link and EIGRP on my tunnel. So far in my test environment, my EIGRP takes precedence over my BGP and I don't even see the BGP routes. But when I shut down my tunnel, I can see my BGP routes. Is there any way to have BGP take precedence over my EIGRP routes?
The only other way I see to do this is using EEM with ping object tracking, but if possible I'd like to find out if the above is possible.
Thanks.
03-12-2008 05:24 PM
You could adjust the administrative distance of one or both.