04-03-2010 09:31 AM - edited 03-06-2019 10:27 AM
Hey guys,
I need to implement a VPN backup for an MPLS network (running iBGP). I would like to concurrently run a VPN tunnel from a branch office to HQ alongside the MPLS. When the MPLS goes down I'd like traffic to go over the VPN, but only then. I was thinking of setting up the VPN tunnel and doing something like an IP SLA to monitor the MPLS, and maybe add a static for the VPN if it's detected down, though truthfully, I get it in concept but I'm not sure how I'd implement it. Any ideas? Much appreciated.
Thanks,
Dan
04-03-2010 10:35 AM
Hi,
The easiest way is to have the MPLS cloud as the primary preferred connection and have the VPN tunnel as a backup.
The way to accomplish this is with dynamic routing or floating static routes.
By means of routing, you decide to use the MPLS connection and only if it goes down, to bring up the VPN.
What equipment would be handling these connections?
Federico.
04-03-2010 10:37 AM
Hello Dan,
I would suggest you consider the use of a point-to-point GRE tunnel protected by IPsec: it will allow you to run a routing protocol over it, or to use GRE keepalives to detect if the neighbor is alive.
In this way you can easily build a backup link that will be used to route traffic only during primary link outage.
Hope to help
Giuseppe
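A branch-side IOS configuration for what Giuseppe describes (a point-to-point GRE tunnel with IPsec tunnel protection and GRE keepalives), added here as an illustration; it is not taken from any post in the thread. The WAN addresses, the tunnel addressing, the interface names and the pre-shared-key placeholder are assumptions, and the HQ router needs the mirror image with source and destination swapped.

```cisco
! ===== Branch 2800 (constructed values: branch WAN 198.51.100.2, HQ WAN 198.51.100.1) =====
! Phase 1: IKE policy for the IPsec protection of the GRE tunnel
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! <PRE-SHARED-KEY> is a placeholder; use a long random key and keep it out of the thread
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! Phase 2: transport mode is enough because GRE already supplies the outer IP header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! The GRE tunnel itself: a routable point-to-point link over the Internet
interface Tunnel0
 description GRE over IPsec backup path to HQ
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 ! send a GRE keepalive every 10 s; after 3 misses the line protocol goes down,
 ! which withdraws any static route pointing at Tunnel0
 keepalive 10 3
 tunnel protection ipsec profile GRE-PROT
```

With the line protocol of Tunnel0 tied to the keepalives, a static route that points at Tunnel0 (or a routing-protocol adjacency formed across it) disappears when the far end stops answering, which is what makes the tunnel usable as a backup path rather than a black hole. `show interfaces Tunnel0` and `show crypto ipsec sa` confirm the keepalive state and that the GRE traffic is actually being encrypted.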
04-03-2010 10:45 AM
Federico,
I would like to do this between two 2800 routers.
Giuseppe,
I'm not familiar with GRE and how that would work, but I will look into it - thank you!
04-03-2010 10:52 AM
If you run an IGP it will be easier since the routing protocol will decide automatically which path to use (MPLS or VPN), and you decide that MPLS has priority.
If you use STATIC routes, you can as well configure this redundancy.
A GRE tunnel is a way to encapsulate any kind of traffic in unicast GRE packets, so that they can travel inside an IPsec tunnel or any other media.
GRE allows you to run an IGP through it and still be protected by IPsec.
Federico.
04-03-2010 10:50 AM
Federico,
I like the idea of a floating static, it seems easy enough to implement. My only concern is how to detect the MPLS going down. What would the reaction time be? Should/could I still implement an IP SLA?
Thank you
04-03-2010 10:55 AM
An example of floating static routes:
ip route 0.0.0.0 0.0.0.0 MPLS 1
ip route 0.0.0.0 0.0.0.0 VPN 100
In this way, the route through MPLS will be preferred over VPN.
The problem with static routes is that they won't change unless the next-hop fails, so to overcome this problem you should track the route.
Here you can use the IP SLA feature to track both routes and in this way, when the MPLS route goes down, the VPN tunnel will establish and if the MPLS comes back, it will again become the primary connection.
Federico.
04-03-2010 10:59 AM
Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?
Thanks again for your help.
04-03-2010 11:10 AM
dmurray14 wrote:
Thanks Federico. Could I use a floating static in combination with the IBGP routes learned from the MPLS? So that I could have for instance 10.0.0.0/24 learned from BGP with admin distance 20, and 10.0.0.0/24 static with admin distance 100. And then somehow make the static have lower admin distance when the IP SLA fails?
Thanks again for your help.
Dan
Just a quick question. Are you doing this all on the same router, i.e. do the VPN and the BGP connection go from the same router?
Jon
04-03-2010 11:13 AM
Hi Jon,
Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?
04-03-2010 11:18 AM
dmurray14 wrote:
Hi Jon,
Yes, as of now the plan is to run this on the same 2800 on both ends. Is this not OK?
No, that actually makes it easier. As Federico says you don't need to use IP SLA because if you have 2 routes on the 2800, i.e.
10.1.1.0/24 learnt from BGP - is it eBGP or iBGP? Either way this route is only learnt as long as the MPLS connection is up
10.1.1.0/24 added as a static route, i.e. ip route 10.1.1.0 255.255.255.0 250 <-- make this AD higher than 200 if iBGP. This route will not be inserted into the routing table unless the eBGP/iBGP route is lost.
Then if the MPLS connection fails you lose the eBGP/iBGP route and the static route would be used. If the MPLS connection comes back up you learn the route again and as it has a lower AD than your static route it is now used. So because you are using a dynamic routing protocol you don't need to worry about IP SLA.
Jon
04-03-2010 11:20 AM
Great, thanks, Jon. My only concern is, what would the reaction time be on this? Assuming the local loop went down, or anything else in between, how long would it take for that route to clear? Would an IP SLA speed up the reaction time?
Thanks again!
04-03-2010 11:01 AM
Use floating statics, setting static routes with different administrative distances.
04-03-2010 11:04 AM
Exactly.
You can use the floating static routes in conjunction with the iBGP-learned routes.
By setting the administrative distance (lower or higher), you tell the router whether or not to prefer the static routes over the iBGP routes.
Federico.
04-03-2010 11:12 AM
Great, thank you. What is the best way to insert the static route when the IP SLA fails? Do I have to use the tricky boolean solution described here:
http://blog.ioshints.info/2007/08/install-static-route-when-ip-address-is.html
Or is there a better way?
Thanks again!
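A branch-side configuration that puts together the three pieces discussed in the thread: Jon's plain floating static at an AD above iBGP's 200, Federico's IP SLA tracking, and the inverted track list from the linked ioshints article that installs a static only while the probe fails. This is an added illustration, not code from any post; the prefixes, addresses, interface names and timers are assumptions, and Tunnel0 is assumed to be a GRE-over-IPsec tunnel to HQ whose line protocol follows GRE keepalives.

```cisco
! ===== Branch 2800 (constructed values, not from the thread) =====
! Gi0/0 -> MPLS PE, next hop 203.0.113.1 ; HQ prefixes arrive via iBGP (AD 200)
! Tunnel0 -> GRE-over-IPsec tunnel to HQ over the Internet (assumed to exist)
! 10.1.1.0/24 -> HQ LAN ; 10.1.1.1 -> HQ router LAN address used as probe target
! 192.168.10.1 -> branch LAN address used as probe source
!
! 1) Pin the probe target to the MPLS path. "permanent" keeps this /32 in the
!    table even when Gi0/0 is down, so the probe can never succeed through the
!    tunnel and flap the tracked route back and forth.
ip route 10.1.1.1 255.255.255.255 203.0.113.1 permanent
!
! 2) ICMP probe of the HQ side through the MPLS cloud: every 5 s, 1 s timeout.
ip sla 1
 icmp-echo 10.1.1.1 source-ip 192.168.10.1
 frequency 5
 timeout 1000
ip sla schedule 1 life forever start-time now
!
! 3) Track 1 follows the probe. The delays stop a single lost echo from
!    switching paths and hold the tunnel path briefly after MPLS returns.
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! 4) Track 2 is the inverse of track 1 (the boolean trick from the ioshints
!    link): UP only while MPLS reachability is DOWN.
track 2 list boolean and
 object 1 not
!
! 5) Tunnel route with AD 150 < 200, present only while track 2 is up. It
!    overrides the iBGP route when the local loop is up but the path beyond
!    it is broken and BGP has not yet withdrawn the prefix.
ip route 10.1.1.0 255.255.255.0 Tunnel0 150 track 2
!
! 6) Untracked floating static with AD 250 > 200 (Jon's approach): invisible
!    while the iBGP route exists, installed as soon as BGP withdraws it.
ip route 10.1.1.0 255.255.255.0 Tunnel0 250
!
! ===== HQ 2800: mirror so return traffic also has a backup path =====
! 192.168.10.0/24 -> branch LAN, learned via iBGP over MPLS in normal operation
ip route 192.168.10.0 255.255.255.0 Tunnel0 250
```

Route 6 on its own gives the behaviour Jon describes, with failover time governed by how fast the BGP route is withdrawn (immediately on an interface-down event, otherwise not until the BGP hold timer expires). Routes 1 to 5 add end-to-end detection: once the probe stops being answered, the switch to Tunnel0 happens after the probe timeout plus the 10 s down delay, and the switch back waits the 30 s up delay so a flapping circuit does not drag traffic back and forth. Two practical checks: the HQ side must permit the ICMP echo to 10.1.1.1 from the branch source address, or track 1 stays down and all traffic sits on the tunnel; and the HQ router only has the AD 250 fallback here, so in the "cloud broken beyond the local loop" case the branch sends via the tunnel while HQ may still return via MPLS until its own BGP route is withdrawn, which is worth probing from the HQ side in the same way if that asymmetry matters. `show track`, `show ip sla statistics` and `show ip route 10.1.1.0` show which route is active and why.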