Which routing protocol to use for VPN backup?

Jan 16th, 2009

I am trying to set up a VPN backup solution for one of our MPLS connected branch offices. I've configured the tunnel interfaces as required and that is working as expected; however, I'm looking for suggestions on which direction to go with the routing.

The MPLS routers at both sites are running EIGRP (different AS's) and redistributing into BGP to traverse the provider MPLS network (both using same private AS number).

My original thought was to just use BGP and set up peering between the tunnel interfaces, but since the AS numbers are the same the routes learned via the backup path become iBGP and are preferred over the eBGP learned routes of the primary MPLS path.

Does anyone have any suggestions? Are there any best practices when it comes to GRE tunnel interfaces and routing?



John Blakley Fri, 01/16/2009 - 11:43

I believe you can only use three routing protocols through a GRE tunnel: OSPF, EIGRP, and RIP. I've used EIGRP at another company I was at, and it does work well over tunnel interfaces. OSPF is big, but harder to set up, IMHO, so I would opt for EIGRP. And of course, RIP has its own drawbacks. :-)



aaron.g.smith Mon, 01/19/2009 - 10:59

BGP runs over the tunnel; it's just that both routers are using the same AS, so the routes learned over the tunnel are iBGP and are preferred over the eBGP routes learned from the MPLS network.

My issue with EIGRP is that I'm already using EIGRP locally at each site with different AS's. If I was to use the same AS in both sites I believe I would run into the same problem, EIGRP routes learned via the tunnel being preferred to the routes being redistributed from BGP into the local EIGRP AS.

I am still experimenting with different options.

Edison Ortiz Mon, 01/19/2009 - 11:09

BGP runs over the tunnel; it's just that both routers are using the same AS, so the routes learned over the tunnel are iBGP and are preferred over the eBGP routes learned from the MPLS network.

I suggest going with BGP as you initially stated. You can alter the route preference by using the correct BGP attribute.

In your case, the iBGP route is chosen over the eBGP because of the length of the AS_PATH.

If you review the BGP Best Path Selection, WEIGHT and Local_Pref go before the AS_PATH on the route selection, so if you manipulate those attributes, the eBGP/MPLS route will be preferred. Please refer to the documentation:






Joseph W. Doherty Mon, 01/19/2009 - 17:30

If possible (i.e. supported by your MPLS vendor), you might also consider using different BGP AS numbers at your sites. Since you're doing eBGP with your MPLS vendor, you could then also do eBGP across the VPN and would only require adjusting AS paths longer across VPN so MPLS would be preferred path. Going with different site BGP ASs might make it easier to add additional sites later.
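The two suggestions above (raise WEIGHT or LOCAL_PREF on the MPLS routes, or use different site ASes and prepend across the VPN) can be checked against a simplified model of best-path selection. This is an added example, not part of the thread: the provider AS, the as-override assumption and the attribute values are constructed, and only the comparison steps the posts mention are modelled.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Path:
    name: str               # label used only in this example
    as_path: tuple          # AS numbers as received
    ebgp: bool              # True if learned from an eBGP neighbor
    weight: int = 0         # Cisco-local; 0 for routes learned from a neighbor
    local_pref: int = 100   # default LOCAL_PREF

def best_path(paths):
    """Simplified comparison: highest WEIGHT, highest LOCAL_PREF, shortest
    AS_PATH, then eBGP over iBGP. Locally originated routes, ORIGIN, MED and
    later tie-breakers are assumed equal and left out."""
    return min(paths, key=lambda p: (-p.weight, -p.local_pref,
                                     len(p.as_path), not p.ebgp))

PROVIDER_AS = 64512   # constructed provider AS
SITE_B = 65002        # remote site AS, used for illustration

def scenarios():
    """Winning path for the remote site's prefix, per design option."""
    # Same AS at both sites: the MPLS path shows two provider hops
    # (assumes provider as-override); the tunnel path is iBGP, empty AS_PATH.
    mpls = Path("mpls", (PROVIDER_AS, PROVIDER_AS), ebgp=True)
    tunnel_ibgp = Path("tunnel", (), ebgp=False)
    # Different AS per site: both paths are eBGP.
    mpls_b = Path("mpls", (PROVIDER_AS, SITE_B), ebgp=True)
    tunnel_ebgp = Path("tunnel", (SITE_B,), ebgp=True)
    tunnel_prepended = replace(tunnel_ebgp, as_path=(SITE_B,) * 3)
    return {
        "same AS, defaults":
            best_path([mpls, tunnel_ibgp]).name,
        "same AS, LOCAL_PREF 200 on MPLS":
            best_path([replace(mpls, local_pref=200), tunnel_ibgp]).name,
        "same AS, WEIGHT 100 on MPLS":
            best_path([replace(mpls, weight=100), tunnel_ibgp]).name,
        "different AS, no prepend":
            best_path([mpls_b, tunnel_ebgp]).name,
        "different AS, tunnel prepended x3":
            best_path([mpls_b, tunnel_prepended]).name,
    }

if __name__ == "__main__":
    for case, winner in scenarios().items():
        print(f"{case:36} -> {winner}")
```

With defaults the backup tunnel wins in both designs; each of the three adjustments moves the preference back to the MPLS path.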

aaron.g.smith Mon, 01/19/2009 - 17:56

I definitely considered that as an option. In fact in the lab I was able to get it to work using the "local-as" command which allowed me to change the AS on one of the routers (at the central site for example) while spoofing the original AS that the provider is expecting.

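router bgp 65002
 ! <neighbor-address> is a placeholder; the post gives no neighbor address
 neighbor <neighbor-address> remote-as xxxxx
 neighbor <neighbor-address> local-as 65001 no-prepend replace-as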

Trying to manipulate the iBGP routes the way I want is proving to be rather challenging and seems to require not only weighting of the preferred eBGP routes, but extensive route filtering as well to keep routes from looping all over the place. Not to mention the challenges of redistributing iBGP routes into an IGP.

patrick.preuss Thu, 01/29/2009 - 13:36


What do you think of floating static routes?


aaron.g.smith Fri, 01/30/2009 - 17:23

Floating static routes were not something I was familiar with until you mentioned them.  Certainly seems simple enough.  I suppose I would have to redistribute both BGP and the floating statics into the IGP at each site to achieve the desired results.

The only downside I can see would be if later down the road new networks were added to BGP without the corresponding floating statics being added as well.


Thanks for the suggestion.

patrick.preuss Sat, 01/31/2009 - 10:28


This will depend on your overall network design.

We use as primary network a DMVPN network with most sites connected with a simple RIP setup, and for backup we use ISDN with floating statics. The sites have only one route for LAN and WAN, so the setup is simple. For sites with higher demands we have a second DMVPN network with EIGRP running, and all sites have two WAN routers and redundant LAN routers, so we have load sharing and failover.

The management of the floating statics is not so complicated because from the remote site only one route is needed, and in the datacenter also. Management is done by tools like the RME from Cisco or with scripts like RANCID.

For your situation it may be a solution to use MPLS as transport for some kind of VPN and to ignore the provider BGP, or use BGP over the VPN.

It highly depends on what your requirements are.

