VPN as a redundant link for MPLS

Unanswered Question
Nov 1st, 2008

Hi,

I need some help regarding network design. We have 40 branches, each connected to the others by MPLS and also to the data centre. Now we want a redundant link to connect the other branches with the data centre. Each branch and the data centre also have an internet link.

We want to use IPsec/GRE tunnels from the other branches to the DC. Now the questions are:

1) Is it possible to use a VPN tunnel as a redundant link, so that only when MPLS goes down does the tunnel come up?

2) If MPLS and the tunnel both work simultaneously, is there any chance of forming a loop in the network?

3) How much internet link BW is generally required for branches to connect with the DC?

Please guide me on this issue.

Thanks

som

des.mckee Mon, 11/03/2008 - 08:41

1. Yes, it's possible, but if you mean can you make it so that the tunnel only activates when the MPLS fails, then I wouldn't recommend that. You are better off going with both MPLS and tunnels up at the same time, which leads to…

2. Yes, they can both be active at the same time - just use your routing protocols to make sure the MPLS is preferred over the VPN tunnel. If your MPLS links happen to use BGP, then using something like EIGRP on your VPN links will work very easily - eBGP has an admin distance of 20, meaning it's always 'trusted' more than EIGRP, which is 90. So, under normal operation, you will always use BGP MPLS routes if they're available, and not use the VPN until your MPLS link fails. Yes, you should be careful in case of loops. In the above scenario, you would be OK if you do not redistribute the BGP routes into EIGRP and vice versa, but if you redistribute at the DC be careful - use route tags to stop any loops.

3. I couldn't really say how much BW is needed - start with the same size as your MPLS link, internet is cheap?

Thanks
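An added example (not from this thread or from des.mckee) of the route-tag loop guard mentioned in point 2, for a DC router running eBGP to the MPLS provider and EIGRP over the tunnels with mutual redistribution. All values are hypothetical: BGP AS 65001, EIGRP AS 100, tag 10, community 65001:20, the 10.0.0.0 network statement and the iBGP peer 10.x.x.2 placeholder; the marker on the BGP side is a community rather than a tag so that it survives to a second DC router over iBGP.

```cisco
! Added example, not from this thread. Hypothetical values: BGP AS 65001,
! EIGRP AS 100, tag 10, community 65001:20, iBGP peer 10.x.x.2 (placeholder).
ip bgp-community new-format
!
! Routes that entered BGP from EIGRP carry this community.
ip community-list standard FROM-EIGRP permit 65001:20
!
! BGP -> EIGRP: never send back what originally came from EIGRP; tag the rest.
route-map BGP-TO-EIGRP deny 10
 match community FROM-EIGRP
route-map BGP-TO-EIGRP permit 20
 set tag 10
!
! EIGRP -> BGP: never send back what originally came from BGP; mark the rest.
route-map EIGRP-TO-BGP deny 10
 match tag 10
route-map EIGRP-TO-BGP permit 20
 set community 65001:20
!
router eigrp 100
 network 10.0.0.0
 redistribute bgp 65001 metric 10000 100 255 1 1500 route-map BGP-TO-EIGRP
!
router bgp 65001
 redistribute eigrp 100 route-map EIGRP-TO-BGP
 ! the community must reach the other DC router, or its deny clause never fires
 neighbor 10.x.x.2 remote-as 65001
 neighbor 10.x.x.2 send-community
```

The preference from point 2 is unchanged: eBGP (AD 20) still wins over EIGRP (AD 90) while the MPLS link is up, and the deny clauses only stop a route from being fed back into the protocol it came from.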

somnath21 Tue, 11/04/2008 - 01:33

Thanks!!

Regarding point no. 2 :

We have two routers, one for MPLS and the other for internet. A Cisco ASA 5520 is connected in front of the internet router. In the core switches one default route is given to the firewall inside interface (0.0.0.0 0.0.0.0 10.x.x.3).

Another route is pointed toward the MPLS router inside interface (10.x.0.0 255.255.0.0 10.x.x.12).

In the MPLS router a default route is also given to the ISP router.

In this scenario, how do we set the priority so that only when MPLS goes down does the tunnel come up?

som

des.mckee Tue, 11/04/2008 - 08:30

If you want to do it that way you could track a route on the MPLS router to that next hop - basically ping 10.x.x.12 and if it doesn't respond, remove the route from the routing table and use the backup route to the ASA:

so:

! probe the MPLS next hop with an ICMP echo, forever
rtr 1
 type echo protocol ipIcmpEcho 10.x.x.12
rtr schedule 1 life forever start-time now
!
! tracking object follows the probe's reachability state
track 1 rtr 1 reachability
!
! primary route is withdrawn when track 1 goes down; the AD 100 backup then takes over
ip route 10.x.0.0 255.255.0.0 10.x.x.12 track 1 name via_mpls
ip route 10.x.0.0 255.255.0.0 10.x.x.ASA 100 name backup_via_asa
