Cisco Support Community

New Member

Routing vs IPSEC

Hi,

I have a scenario in which I need to configure IPSEC VPN as a failover to the existing MPLS connection between any branch and the HO.

My question is how do I give more priority to the routing traffic and less priority to the VPN traffic. The tunnel will only establish when the MPLS connection fails.

Regards,

SH.

3 REPLIES
Hall of Fame Super Blue

Re: Routing vs IPSEC

Hi

It all depends on your topology. Are you creating the VPN from the same router that connects you to the MPLS network?

Could you please give a few more details, i.e. which devices you use, routing protocol in use, etc.

Jon

New Member

Re: Routing vs IPSEC

Hi Marshall,

Thanks for the reply.

We have a router at the branch upon which both the MPLS and the internet connections are being terminated.

In case of MPLS failure all the data going out to the internet will be encrypted after the tunnel is formed. Encrypted traffic is sent to the HO from where traffic goes to the servers or the internet.

On the router at the branch we will have to use the static routes and I am not sure as of now which routing protocol the ISP is going to use for connectivity to the HO. It could be the MPLS or the frame-relay.

At the HO the client does have an ASA firewall, upon which both the MPLS/frame-relay and the internet connections terminate.

There could be some 35 to 40 locations connected as the MPLS spokes, and we have to configure IPSEC VPN as the failover to the MPLS connection.

Regards,

SH.

New Member

Re: Routing vs IPSEC

Hi,

For MPLS, you will probably have BGP learned routes in the routing table with AD of 20. When the MPLS link fails all these routes will disappear. So you have two options:

1. configure static routes for each remote branch with a higher distance pointing to the internet (router's DG)

2. or you could have GRE encrypted tunnels to the branches that would be up all the time and run e.g. OSPF over it.

If BGP routes are removed the OSPF routes will get installed.

The GRE solution is probably more elegant, especially now when you can use ipsec profiles instead of full crypto maps, which for 30 locations would be a bit of a pain to configure :)
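The two options above, written out as an added IOS configuration example (not the poster's or Cisco's own config). Both ends are assumed to be IOS routers; the ASA mentioned at the HO cannot itself terminate GRE, so a hub router is assumed there for option 2. All addresses, AS numbers, interface names and the pre-shared key are constructed placeholders. The first part is option 2 (GRE protected by an IPsec profile, OSPF over the tunnel, always up); the last part is option 1 (crypto map plus floating statics). Option 1 lines are shown commented with `!` so the file reads as one option-2 configuration.

```cisco
! ===== Option 2: GRE over IPsec profile, OSPF over the tunnel (branch side) =====
! Constructed example; addresses, AS numbers and PSK are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE_WITH_STRONG_PSK address 198.51.100.1
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode transport
!
! One profile reused by every tunnel instead of a per-site crypto map + ACL
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES
!
interface GigabitEthernet0/1
 description Internet
 ip address 203.0.113.2 255.255.255.252
!
interface Tunnel0
 description GRE over IPsec to HO (always up)
 ip address 172.16.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-PROF
!
! Host route for the hub's public address so the GRE/ESP packets always leave
! via the internet link, even while the BGP default from the MPLS side is present
ip route 198.51.100.1 255.255.255.255 203.0.113.1
!
! MPLS CE side: routes learned here are eBGP, AD 20, and win while the link is up
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 network 10.10.0.0 mask 255.255.0.0
!
! OSPF over the tunnel: AD 110, so it only enters the RIB once the BGP route
! for the same prefix is withdrawn (MPLS failure)
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.10.0.0 0.0.255.255 area 0
!
! ===== Option 2 hub side (one Tunnel interface per branch) =====
! interface Tunnel10
!  description GRE over IPsec to branch 10
!  ip address 172.16.0.1 255.255.255.252
!  ip mtu 1400
!  ip tcp adjust-mss 1360
!  tunnel source GigabitEthernet0/0
!  tunnel destination 203.0.113.2
!  tunnel protection ipsec profile IPSEC-PROF
! router ospf 1
!  network 172.16.0.0 0.0.0.3 area 0
!  default-information originate        ! hub hands branches a default at AD 110
!
! ===== Option 1 (alternative): crypto map and floating statics =====
! Branch: encrypt everything from the LAN to the hub when it leaves the internet link
! ip access-list extended VPN-TO-HO
!  permit ip 10.10.0.0 0.0.255.255 any
! crypto map CM-HO 10 ipsec-isakmp
!  set peer 198.51.100.1
!  set transform-set TS-AES
!  match address VPN-TO-HO
! interface GigabitEthernet0/1
!  crypto map CM-HO
! Floating default, AD 250: idle while the BGP default (AD 20) exists
! ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! Hub: one floating static per branch pointing at the internet default gateway,
! repeated for all 35-40 sites, which is the per-site effort the reply refers to
! ip route 10.10.0.0 255.255.0.0 198.51.100.254 250
! ip route 10.11.0.0 255.255.0.0 198.51.100.254 250
```

The failover in both options relies purely on administrative distance, so the prefix learned over MPLS and the backup prefix must be identical: if the MPLS side advertises more specific routes than the OSPF or static backup, both stay in the table and traffic keeps following the more specific MPLS route until it is withdrawn. Verify the intended behaviour with `show ip route` before and after shutting the MPLS-facing interface in a maintenance window, and check `show crypto ipsec sa` on the option-2 tunnel to confirm it stays established while MPLS is healthy.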
