VPN backup to MPLS

Apr 3rd, 2010

Hey guys,


I need to implement a VPN backup for an MPLS network (running ibgp). I would like to concurrently run a VPN tunnel from a branch office to HQ alongside a MPLS. When the MPLS goes down I'd like traffic to go over the VPN, but only then. I was thinking of setting up the VPN tunnel and doing something like an IP SLA to monitor the MPLS, and maybe add a static for the VPN if it's detected down-- though truthfully, I get it in concept but I'm not sure how I'd implement it. Any ideas? Much appreciated.


Thanks,

Dan   

Federico Coto F... Sat, 04/03/2010 - 10:35

Hi,


The easiest way is to have the MPLS cloud as the primary preferred connection and having the VPN tunnel as a backup.

The way to accomplish this is with dynamic routing or floating static routes.


By means of routing, you decide to use the MPLS connection and only if it goes down, to bring up the VPN.


What equipment would be handling these connections?


Federico.

Giuseppe Larosa Sat, 04/03/2010 - 10:37

Hello Dan,

I would suggest you consider the use of a point-to-point GRE tunnel protected by IPsec: it will allow you to run a routing protocol over it, or to use GRE keepalives to detect if the neighbor is alive.


In this way you can easily build a backup link that will be used to route traffic only during primary link outage.


Hope to help

Giuseppe

dmurray14 Sat, 04/03/2010 - 10:45

Federico,


I would like to do this between two 2800 routers.


Giuseppe,


I'm not familiar with GRE and how that would work, but I will look into it - thank you!

Federico Coto F... Sat, 04/03/2010 - 10:52

If you run an IGP it will be easier, since the routing protocol will decide automatically which path to use (MPLS or VPN), and you decide that MPLS has priority.


If you use STATIC routes, you can as well configure this redundancy.


A GRE tunnel is a way to encapsulate any kind of traffic in unicast GRE packets, so that they can travel inside an IPsec tunnel or any other media.

GRE allows you to run an IGP through it and still be protected by IPsec.


Federico.

dmurray14 Sat, 04/03/2010 - 10:50

Federico,


I like the idea of a floating static, it seems easy enough to implement. My only concern is how to detect the MPLS going down. What would the reaction time be? Should/could I still implement an IP SLA?


Thank you    

Federico Coto F... Sat, 04/03/2010 - 10:55

An example of floating static routes:

ip route 0.0.0.0 0.0.0.0 MPLS 1
ip route 0.0.0.0 0.0.0.0 VPN 100


In this way, the route through MPLS will be preferred over VPN.
The problem with static routes is that they won't change unless the next-hop fails, so to overcome this problem you should track the route.


Here you can use the IP SLA feature to track both routes. In this way, when the MPLS route goes down, the VPN tunnel will establish, and if the MPLS comes back, it will again become the primary connection.


Federico.

dmurray14 Sat, 04/03/2010 - 10:59

Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?


Thanks again for your help.

Jon Marshall Sat, 04/03/2010 - 11:10

dmurray14 wrote:


Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?


Thanks again for your help.


Dan


Just a quick question. Are you doing this all on the same router, i.e. do the VPN and the BGP connection go from the same router?


Jon

dmurray14 Sat, 04/03/2010 - 11:13

Hi Jon,


Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?

Jon Marshall Sat, 04/03/2010 - 11:18

dmurray14 wrote:


Hi Jon,


Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?


No, that actually makes it easier. As Federico says, you don't need to use IP SLA, because if you have 2 routes on the 2800, i.e.


10.1.1.0/24 learnt from BGP - is it EBGP or IBGP? Either way this route is only learnt as long as the MPLS connection is up


10.1.1.0/24 added as a static route ie. ip route 10.1.1.0 255.255.255.0 250 <-- make this AD higher than 200 if IBGP. This route will not be inserted into the routing table unless the EBGP/IBGP route is lost.


then if the MPLS connection fails you lose the EBGP/IBGP route and the static route would be used. If the MPLS connection comes back up you learn the route again and, as it has a lower AD than your static route, it is now used. So because you are using a dynamic routing protocol you don't need to worry about IP SLA.


Jon

dmurray14 Sat, 04/03/2010 - 11:20

Great, thanks, Jon. My only concern is, what would the reaction time be on this? Assuming the local loop went down, or anything else in between, how long would it take for that route to clear? Would an IP SLA speed up the reaction time?


Thanks again!

Federico Coto F... Sat, 04/03/2010 - 11:04

Exactly.


You can use the floating static routes in conjunction with the iBGP-learned routes.

By setting the administrative distance (lower or higher), you tell the router whether or not to prefer the static routes over the iBGP routes.


Federico.

Federico Coto F... Sat, 04/03/2010 - 11:29

No, here's an example for your reference:


! ICMP probe sent via the MPLS path
ip sla 53
 icmp-echo x.x.x.x
 timeout 500
 frequency 3
ip sla schedule 53 life forever start-time now
!
! ICMP probe sent via the VPN path
ip sla 54
 icmp-echo y.y.y.y
 timeout 500
 frequency 3
ip sla schedule 54 life forever start-time now
!
! track objects follow the reachability result of each probe
track 1 rtr 53 reachability
track 2 rtr 54 reachability
!
! each default route stays in the table only while its track object is up
ip route 0.0.0.0 0.0.0.0 MPLS 1 track 1
ip route 0.0.0.0 0.0.0.0 VPN 100 track 2


x.x.x.x and y.y.y.y will be a reachable IP via the MPLS and VPN links respectively.


This is if the VPN and MPLS reside on the same router as Jon said.


Federico.

dmurray14 Sat, 04/03/2010 - 11:33

Wouldn't that be 2 statics though? My MPLS routes are advertised via BGP.

Jon Marshall Sat, 04/03/2010 - 11:35

dmurray14 wrote:


Wouldn't that be 2 statics though? My MPLS routes are advertised via BGP.

That's the reason you don't need IP SLA, i.e. because you are not using 2 statics.


If you want to reduce the BGP convergence time you could reduce the BGP timers. What would be an acceptable failover time for you?


Jon

dmurray14 Sat, 04/03/2010 - 12:05

Jon,


I'd like to shoot for a couple minutes - any more than that and I'll still get called at 3am!


Quick edit: looks like the Cisco default is 60 seconds, or am I reading this wrong? That would be great.

Jon Marshall Sat, 04/03/2010 - 12:25

With default BGP timers of 60 seconds and 180 seconds it could be longer, but you can reduce the timers. We used 10 and 30 on our MPLS network and it worked fine.


Jon

dmurray14 Sat, 04/03/2010 - 12:27

Thanks Jon. I just discovered GNS3, so it looks like I have some messing around to do...

Federico Coto F... Sat, 04/03/2010 - 11:36

You're right, sorry.


In that case, changing the AD of the STATIC route, the iBGP routes will always be preferred over the static floating route.

Just use the example I gave you for the VPN connection.


Federico.

dmurray14 Thu, 04/29/2010 - 14:39

I'm almost ready to deploy this, but I came up with one last question: how do I handle the internet? I already have a default static route pointing to the MPLS gateway. How do I switch this over to the backup internet connection when it goes down? Is it enough just to put in another default static with the backup link gateway, with a higher admin distance? I'm just not sure when the original static will be taken out.


Thanks!
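The thread turns on two points: Jon's note that a floating static only works as a backup to an iBGP route when its AD is higher than 200, and Federico's point that a plain static default is only withdrawn when its next-hop or interface fails, which is why the two default routes are tied to IP SLA track objects. The following is an added example, not from the thread or from Cisco, that models an IOS-style routing table just far enough to show both behaviours. "MPLS" and "VPN" are placeholder next-hop names as in Federico's posts, the prefixes 10.1.1.0/24 and 0.0.0.0/0 and the track numbers are taken from the thread, and the administrative distances are the IOS defaults (static 1, eBGP 20, iBGP 200).

```python
# Added example (not the thread's or Cisco's code): a toy model of how an
# IOS-style RIB picks one route per prefix by administrative distance, with
# BGP routes that disappear when the session drops and static routes that
# are gated by IP SLA track objects. All values below are constructed.
from dataclasses import dataclass
from typing import Optional

# IOS default administrative distances
AD_STATIC = 1
AD_EBGP = 20
AD_IBGP = 200


@dataclass
class Route:
    prefix: str
    next_hop: str                 # "MPLS" or "VPN" (placeholder names)
    distance: int                 # administrative distance
    source: str                   # "static", "ibgp" or "ebgp"
    track: Optional[int] = None   # track object gating a static route, if any


class Rib:
    """Minimal routing-table model: the installed route with the lowest AD wins."""

    def __init__(self) -> None:
        self.candidates: list = []
        self.track_up: dict = {}       # track object id -> up/down
        self.bgp_up = True             # BGP session across the MPLS cloud
        self.mpls_iface_up = True      # line state of the MPLS-facing interface

    def add(self, route: Route) -> None:
        self.candidates.append(route)

    def _installed(self, r: Route) -> bool:
        if r.source in ("ibgp", "ebgp"):
            # a BGP-learnt route exists only while the session is up
            return self.bgp_up
        if r.track is not None:
            # a tracked static stays only while its track object is up
            return self.track_up.get(r.track, False)
        # an untracked static leaves only if its outgoing interface goes down;
        # a dead far end with the interface still up does not remove it
        return self.mpls_iface_up if r.next_hop == "MPLS" else True

    def best(self, prefix: str) -> Optional[str]:
        installed = [r for r in self.candidates
                     if r.prefix == prefix and self._installed(r)]
        if not installed:
            return None
        return min(installed, key=lambda r: r.distance).next_hop


def floating_static(static_ad: int, bgp_source: str = "ibgp") -> tuple:
    """Next-hop for 10.1.1.0/24 while MPLS is up, then after the BGP route is lost."""
    rib = Rib()
    bgp_ad = AD_IBGP if bgp_source == "ibgp" else AD_EBGP
    rib.add(Route("10.1.1.0/24", "MPLS", bgp_ad, bgp_source))
    rib.add(Route("10.1.1.0/24", "VPN", static_ad, "static"))
    while_up = rib.best("10.1.1.0/24")
    rib.bgp_up = False                 # MPLS outage: BGP route withdrawn
    after_loss = rib.best("10.1.1.0/24")
    return while_up, after_loss


def default_routes(tracked: bool) -> list:
    """Default-route next-hop: MPLS healthy, far-end failure, MPLS restored."""
    rib = Rib()
    rib.add(Route("0.0.0.0/0", "MPLS", AD_STATIC, "static", track=1 if tracked else None))
    rib.add(Route("0.0.0.0/0", "VPN", 100, "static", track=2 if tracked else None))
    rib.track_up = {1: True, 2: True}
    path = [rib.best("0.0.0.0/0")]
    rib.track_up[1] = False            # probes via MPLS fail; interface still up
    path.append(rib.best("0.0.0.0/0"))
    rib.track_up[1] = True             # MPLS reachable again
    path.append(rib.best("0.0.0.0/0"))
    return path


if __name__ == "__main__":
    print("iBGP + static AD 100:", floating_static(100, "ibgp"))
    print("iBGP + static AD 250:", floating_static(250, "ibgp"))
    print("eBGP + static AD 100:", floating_static(100, "ebgp"))
    print("tracked defaults:    ", default_routes(True))
    print("untracked defaults:  ", default_routes(False))
```

With an iBGP-learnt prefix (AD 200) a static at AD 100 wins even while MPLS is healthy, so traffic would never leave the VPN; at AD 250 the static is only installed once the BGP route is gone, which is the behaviour Jon describes. For the two default routes, the untracked pair keeps pointing at MPLS through a far-end failure because the interface never goes down, while the tracked pair swings to the VPN and back as the track object changes state.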
