VPN backup to MPLS

dmurray14
Level 1

Hey guys,

I need to implement a VPN backup for an MPLS network (running ibgp). I would like to concurrently run a VPN tunnel from a branch office to HQ alongside a MPLS. When the MPLS goes down I'd like traffic to go over the VPN, but only then. I was thinking of setting up the VPN tunnel and doing something like an IP SLA to monitor the MPLS, and maybe add a static for the VPN if it's detected down-- though truthfully, I get it in concept but I'm not sure how I'd implement it. Any ideas? Much appreciated.

Thanks,

Dan   

23 Replies

Hi,

The easiest way is to have the MPLS cloud as the primary preferred connection and having the VPN tunnel as a backup.

The way to accomplish this is with dynamic routing or floating static routes.

By means of routing, you decide to use the MPLS connection and only if it goes down, to bring up the VPN.

What equipment would be handling these connections?

Federico.

Giuseppe Larosa
Hall of Fame

Hello Dan,

I would suggest you consider the use of a point-to-point GRE tunnel protected by IPsec: it will allow you to run a routing protocol over it, or to use GRE keepalive to detect if the neighbor is alive.

In this way you can easily build a backup link that will be used to route traffic only during primary link outage.

Hope to help

Giuseppe

Federico,

I would like to do this between two 2800 routers.

Giuseppe,

I'm not familiar with GRE and how that would work, but I will look into it - thank you!

If you run an IGP it will be easier, since the routing protocol will decide automatically which path to use (MPLS or VPN), and you decide that MPLS has priority.

If you use STATIC routes, you can as well configure this redundancy.

A GRE tunnel is a way to encapsulate any kind of traffic in unicast GRE packets, so that they can travel inside an IPsec tunnel or any other media.

GRE allows you to run an IGP through it and still be protected by IPsec.

Federico.

dmurray14
Level 1

Federico,

I like the idea of a floating static, it seems easy enough to implement. My only concern is how to detect the MPLS going down. What would the reaction time be? Should/could I still implement an IP SLA?

Thank you    

An example of floating static routes:

ip route 0.0.0.0 0.0.0.0 MPLS 1
ip route 0.0.0.0 0.0.0.0 VPN 100

In this way, the route through MPLS will be preferred over VPN.
The problem with static routes is that they won't change unless the next-hop fails, so to overcome this problem you should track the route.

Here you can use the IP SLA feature to track both routes and in this way, when the MPLS route goes down, the VPN tunnel will establish and if the MPLS comes back, it will again become the primary connection.

Federico.

Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?

Thanks again for your help.

dmurray14 wrote:

Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?

Thanks again for your help.

Dan

Just a quick question. Are you doing this all on the same router, i.e. do the VPN and the BGP connection go from the same router?

Jon

Hi Jon,

Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?

dmurray14 wrote:

Hi Jon,

Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?

No, that actually makes it easier. As Federico says, you don't need to use IP SLA because if you have 2 routes on the 2800, i.e.

10.1.1.0/24 learnt from BGP - is it EBGP or IBGP? Either way this route is only learnt as long as the MPLS connection is up

10.1.1.0/24 added as a static route, i.e. ip route 10.1.1.0 255.255.255.0 250 <-- make this AD higher than 200 if IBGP. This route will not be inserted into the routing table unless the EBGP/IBGP route is lost.

Then if the MPLS connection fails you lose the EBGP/IBGP route and the static route would be used. If the MPLS connection comes back up you learn the route again and as it has a lower AD than your static route it is now used. So because you are using a dynamic routing protocol you don't need to worry about IP SLA.

Jon
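
An added example, not part of the thread and not any poster's own configuration: a branch-side sketch of what the replies above describe, a GRE tunnel protected by IPsec carrying a floating static route at AD 250. All addresses (RFC 5737 documentation ranges), interface and profile names and the key placeholder are assumptions, as is an IOS release that supports DH group 14.

```cisco
! Constructed example for the branch 2800; every address, name and key is a placeholder.
! IKE phase 1 policy for the backup tunnel
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
! IPsec protection for the GRE packets
! (transport mode: GRE already supplies the outer IP header)
crypto ipsec transform-set TS-BACKUP esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile PROF-BACKUP
 set transform-set TS-BACKUP
!
! Point-to-point GRE tunnel to HQ over the Internet link
interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source FastEthernet0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile PROF-BACKUP
!
! Pin the tunnel endpoint to the Internet next hop so it is never
! resolved through the MPLS routes or through the tunnel itself
ip route 203.0.113.2 255.255.255.255 198.51.100.1
!
! Floating static for the HQ prefix: AD 250 loses to the iBGP route (AD 200)
! and is installed only after that route is withdrawn
ip route 10.1.1.0 255.255.255.0 Tunnel0 250
```

`show ip route 10.1.1.0` should list the BGP route while the MPLS path is up and the static via Tunnel0 once the BGP route is withdrawn; `show crypto ipsec sa` confirms that the backup traffic is actually being encrypted.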

Great, thanks, Jon. My only concern is, what would the reaction time be on this? Assuming the local loop went down, or anything else in between, how long would it take for that route to clear? Would an IP SLA speed up the reaction time?

Thanks again!

Use floating static, set static route with different administrative distance.

Exactly.

You can use the floating static routes in conjunction with the iBGP-learned routes.

By setting the administrative distance (lower or higher), you tell the router to either prefer or not the static routes over the iBGP routes.

Federico.

Great, thank you. What is the best way to insert the static route when the IP SLA fails? Do I have to use the tricky boolean solution described here:

http://blog.ioshints.info/2007/08/install-static-route-when-ip-address-is.html

Or is there a better way?


Thanks again!
