MPLS failover with VPN?

dmurray14
Level 1

Hi all,

We currently have an MPLS with BGP for interoffice connectivity. I want to have the ability to have one of the branch offices fail over to a VPN to the main office through another internet link if the MPLS goes down (which it does often). What's the best way to accomplish this?

Thanks

23 Replies

Jon Marshall
Hall of Fame

A lot depends on the existing kit you have and how your branch office is set up.

So a couple of questions -

1) Will you have a separate router for the ADSL connection? I assume so, as if you have a redundant link on the same router you still have a single point of failure.

2) How does the routing work in your network, i.e. you use BGP to connect to the MPLS network, but how do you then distribute the BGP-learned routes into your internal LANs in each office?

3) At the main office, is there a dedicated VPN device where you are going to terminate the tunnel?

Jon

Thanks for the response Jon. There is an 1800 in both locations handling the routing.

1) No separate router. This office is in a rural location and the primary concern is that the internet keeps dropping due to poles down and no redundant link. There is only one loop in the area so the backup link will be a 4G wireless device.

2) Each office advertises its route over the MPLS on a private AS, the provider handles the rest.

3) There is already an 1800 there at the main office handling VPN clients, I'd like to use this but if need be could get a separate device.

I was thinking a failover to VPN would be the easiest, but I'm open to any other ideas.

Thanks for the help!

2) So the routes are received via BGP at each site and it is only one router per site?

If so, then if you are advertising each site's specific subnets into BGP, the easiest thing to do is just add a default route to each router pointing at the backup link interface, i.e.

ip route 0.0.0.0 0.0.0.0 <backup-interface-or-next-hop>

What happens here is that the default route will not be used while the more specific routes are still received via BGP. If the MPLS link goes down then each site will stop receiving the BGP routes and the less specific default route will then be used, pointing to the backup interface.

Does this sound feasible or am I misunderstanding your setup?

Jon

Jon,

You've got it, only one router per site, and each site advertises its subnet.

I understand what you're saying, but the problem will be that the backup interface will be a direct connection to the internet. My concern is always having access to the main office from one of the remote offices. So I assume I'll need to set up a VPN (since I can't hop on the MPLS from outside my provider's network) and have the remote office fail over to the VPN if the MPLS goes down. I just don't know the best way to accomplish this.

Make sense?

Thanks!

Yes, you will need to set up a VPN between the two sites and add the default routes pointing to the local backup interface. On that interface you would apply the crypto map, although it sounds like this is what you already have in your main office.

Remember that if the MPLS link goes down at one of the sites, not only does that site stop receiving the other site's routes but it also cannot advertise its own, so each site will see the other site's routes disappear and both routers should then use the default route.

If i am still not understanding your concerns then please clarify.

Jon
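The single-router design Jon describes, written out as an added example (this is not configuration from the thread or from either poster). Every name and number is assumed: AS 65000 is the provider, AS 65002 the branch, 10.2.0.0/16 the branch LAN, 10.1.0.0/16 the main-office LAN, 192.0.2.0/30 the MPLS handoff, 198.51.100.0/30 the 4G modem handoff, 203.0.113.10 the main-office public address, and the interface names are placeholders. The key is that the VPN is only ever offered traffic that the routing table sends out of the backup interface, which the default route does only once the more specific BGP routes are gone.

```cisco
! ===== Branch router (example; all addresses, AS numbers and interface names assumed) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic: branch LAN to main-office LAN only. Internet-bound
! traffic leaving the 4G link stays outside the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 description MPLS handoff to provider PE
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0/1
 description Backup 4G modem (internet)
 ip address 198.51.100.2 255.255.255.252
 crypto map VPN
!
interface FastEthernet0/2
 description Branch LAN
 ip address 10.2.0.1 255.255.0.0
!
router bgp 65002
 network 10.2.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65000
!
! Default route to the backup link. It is the least specific entry, so a
! destination only uses it once its BGP-learned route has been withdrawn.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! ===== Main-office router (mirror; isakmp policy and transform-set as above) =====
crypto isakmp key <pre-shared-key> address 198.51.100.2
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet0/1
 description Internet
 ip address 203.0.113.10 255.255.255.248
 crypto map VPN
!
! Floating static for the branch LAN: AD 250 loses to the eBGP route (AD 20)
! while the branch still advertises over the MPLS, and is installed as soon as
! that route is withdrawn, which pulls the return traffic into the tunnel.
ip route 10.2.0.0 255.255.0.0 203.0.113.9 250
```

Three things to check before relying on this. First, BGP only withdraws the routes once it notices the peer is gone; if the Ethernet handoff stays up while the loop behind it is down, that is the hold timer, 180 seconds by default on IOS, so ask the provider about shorter timers (`neighbor 192.0.2.1 timers 10 30`). Second, if the 4G interface also does PAT for internet traffic, add a `deny` for the 10.2.0.0/16 to 10.1.0.0/16 traffic in the NAT access list, because IOS translates inside-to-outside packets before it encrypts them and the translated packets would no longer match VPN-TRAFFIC. Third, if the 4G modem hands the router a dynamic public address, the main-office side needs a dynamic crypto map (`crypto dynamic-map`) instead of a fixed `set peer`.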

How important are these remote sites?

Is your company really that cheap they don't want to spring for a secondary 1800 router as a backup?

If you had another DSL router, you would run eBGP on the primary router, iBGP to the backup, and IPsec over the DSL link.

The primary router will local-pref the routes to, say, 500 and the backup router will use the primary to get to the central site.

If the primary link dies, the primary BGP routes get withdrawn, so the tunnel gets used.

HTH


Victor
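Victor's two-router variant, as an added example that is not configuration from the thread. The primary router runs eBGP to the MPLS provider and raises the local preference of everything it learns there to 500; the backup router holds the IPsec link to the main office and hands the primary a route to the main-office LAN with the default local preference of 100, which the primary only uses once the MPLS routes are withdrawn. All numbers are assumed: AS 65000 provider, AS 65002 branch, 10.1.0.0/16 main-office LAN, 10.2.0.0/16 branch LAN, 10.2.255.0/30 the link between the two branch routers, 192.0.2.1 the provider PE, 198.51.100.1 the next hop on the DSL/4G link. The crypto map on the backup router's internet interface is the usual site-to-site one and is not repeated here. One deviation from Victor's sentence: in this example the backup router prefers its own tunnel route for traffic it forwards itself, so LAN hosts should use the primary router as their gateway (HSRP with the primary active, for instance).

```cisco
! ===== Primary branch router (example; all numbers assumed) =====
ip prefix-list BRANCH-ONLY seq 5 permit 10.2.0.0/16
!
route-map MPLS-PREF permit 10
 set local-preference 500
!
router bgp 65002
 network 10.2.0.0 mask 255.255.0.0
 ! eBGP to the provider; everything learned here gets local preference 500
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 route-map MPLS-PREF in
 ! Only ever advertise our own LAN into the MPLS, never the backup router's
 ! tunnel route to the main office
 neighbor 192.0.2.1 prefix-list BRANCH-ONLY out
 ! iBGP to the backup router over the 10.2.255.0/30 link
 neighbor 10.2.255.2 remote-as 65002
 neighbor 10.2.255.2 next-hop-self
!
! ===== Backup branch router (example; crypto map on the DSL/4G interface omitted) =====
! Main-office LAN reached over the crypto-mapped internet link. Redistributed
! into BGP with the default local preference (100), so on the primary router it
! loses to the local-pref 500 MPLS route until that route is withdrawn, and
! wins as soon as it is.
ip route 10.1.0.0 255.255.0.0 198.51.100.1
!
ip prefix-list HQ-VIA-TUNNEL seq 5 permit 10.1.0.0/16
route-map TUNNEL-ROUTES permit 10
 match ip address prefix-list HQ-VIA-TUNNEL
!
router bgp 65002
 redistribute static route-map TUNNEL-ROUTES
 neighbor 10.2.255.1 remote-as 65002
 neighbor 10.2.255.1 next-hop-self
```

The main-office end still has to learn when to send return traffic into the tunnel; a floating static for 10.2.0.0/16 towards the VPN peer, with an administrative distance higher than eBGP's 20, does that without any BGP over the tunnel. Verify the preference with `show ip bgp 10.1.0.0` on the primary: the MPLS path should show LocPrf 500 and be marked best, the iBGP path LocPrf 100.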

Nope, not at all. In fact I have an extra 1800 sitting here waiting to be used. Like I said I'm not too well versed in this, so that was the best I could think of. Your idea sounds perfect, but I'll have to do some more research to figure out how to implement it. Any extra specifics you could provide would be much appreciated.

On Feb 25, 2010, at 6:17 PM, lamav

dmurray14
Level 1

Can I maybe do this with an IPsec tunnel and an IP SLA? Have the tunnel always up but have it less preferred until the MPLS goes down? What's the best way to do that? Can the static routes be present with the BGP-learned routes?

Anyone comment on the last post?

Sorry for dropping out of this post, but after Victor mentioned using another router I wasn't sure what you were planning to do. Have you decided which hardware you are going to be using?

Jon

No problem, thanks for the response. At this point I just want to stick with the two 2800s for simplicity's sake. Again, the issue we are fighting is the local loop going down thanks to idiots slamming into the poles out in a rural location. Adding another router is on my list, but at this point I want to work on the actual connection issue first.

The MPLS itself works great with BGP, and I'm thinking I can set up a tunnel alongside it (which will run over a separate internet connection); my confusion is with how to get it to automatically fail over. I want to keep it as simple as possible while still being effective. I was thinking of having an IP SLA on the main MPLS to detect a down condition, but I'm not quite sure what to do after that, and what the best way is to prefer the MPLS until it goes down, then prefer the IPsec tunnel. Any hints on this?

Thanks again.


Dan

Dan

I've already suggested a solution of using a default route pointing to the backup link and having the more specific routes received through the MPLS connection via BGP. If the MPLS link goes down or the BGP peering fails, the BGP routes will fail to come through and so the default route will be used, bringing up the VPN tunnel.

If the MPLS link or the BGP peering comes back up, the more specific routes will be used again.

Is there a reason you think this won't work?

Jon

Jon,

I guess I'm just not sure how that would work out. What would automatically trigger the VPN to start? What would prevent it from being started previous to the MPLS going down? And how will the other end of the link know that the route back to that office is no longer over the MPLS?

Thanks again for your help, much appreciated.

Dan

Dan

A router will always use the most specific match in the routing table to route a packet. The default route is the least specific match, so it is only used if there is no more specific route in the routing table.

So assuming that you are advertising more specific routes via BGP, then once the MPLS link goes down or the BGP peering is lost, the only thing left is the default route, which points to the VPN. And if the MPLS link or BGP peering is lost at your remote site, then those routes will no longer be advertised to your head office.

However, if you already have a default route at your remote site for internet traffic pointing via the MPLS link, then yes, you will need to look into IP SLA to change the default route should the link fail.

Jon
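The IP SLA case from Jon's last paragraph, as an added example that is not configuration from the thread: the branch already sends internet traffic up the MPLS via a default route, so that default route must itself move to the backup link when the MPLS path fails, while the more specific BGP routes for the main office keep working exactly as before. Addresses and interface names are assumed: 192.0.2.1 the provider PE on FastEthernet0/0, 192.0.2.9 the main-office router's MPLS-side address (chosen because nothing else needs to reach it), 198.51.100.1 the 4G modem. Timer values are illustrative.

```cisco
! ===== Branch router: tracked default route (example; all numbers assumed) =====
!
! Probe an address on the far side of the MPLS, not the PE itself: a ping to
! the directly connected PE keeps succeeding when the fault is deeper in the
! provider network.
ip sla 1
 icmp-echo 192.0.2.9 source-interface FastEthernet0/0
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Pin the probe target to the MPLS path with a host route (AD 1 beats BGP).
! Without this, once the default route has moved to the 4G link the probe
! could succeed through the backup path and the track would flap back up.
ip route 192.0.2.9 255.255.255.255 192.0.2.1
!
track 1 ip sla 1 reachability
 delay down 30 up 60
!
! Primary default route: removed from the routing table while track 1 is down.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
!
! Floating default route via the backup link: AD 250 > 1, so it is installed
! only while the tracked route is absent. The crypto map on the 4G interface
! then sees the main-office traffic once the BGP routes have also gone.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 250
```

Watch it fail over with `show track 1` and `show ip route 0.0.0.0`; the `delay` keywords stop a single lost probe from flipping the default route, and the longer `up` delay lets the MPLS path settle before traffic returns to it. The host route for 192.0.2.9 blackholes that one address while the MPLS is down, which is why a dedicated probe target is used rather than a main-office LAN address.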
