Cisco Support Community
New Member

MPLS failover with VPN?

Hi all,

We currently have an MPLS with BGP for interoffice connectivity. I want to have the ability to have one of the branch offices fail over to a VPN to the main office through another internet link if the MPLS goes down (which it does often). What's the best way to accomplish this?

Thanks

23 REPLIES
Hall of Fame Super Blue

Re: MPLS failover with VPN?

dmurray14 wrote:

Hi all,

We currently have an MPLS with BGP for interoffice connectivity. I want to have the ability to have one of the branch offices fail over to a VPN to the main office through another internet link if the MPLS goes down (which it does often). What's the best way to accomplish this?

Thanks

A lot depends on the existing kit you have and how your branch office is set up.

So a couple of questions -

1) Will you have a separate router for the ADSL connection? I assume so, as if you have a redundant link but on the same router you still have a single point of failure.

2) How does the routing work in your network, i.e. you use BGP to connect to the MPLS network, but how do you then distribute the BGP-learned routes into your internal LANs in each office?

3) At the main office, is there a dedicated VPN device where you are going to terminate the tunnel?

Jon

New Member

Re: MPLS failover with VPN?

Thanks for the response Jon. There is an 1800 in both locations handling the routing.

1) No separate router. This office is in a rural location and the primary concern is that the internet keeps dropping due to poles down and no redundant link. There is only one loop in the area so the backup link will be a 4G wireless device.

2) Each office advertises its route over the MPLS on a private AS, the provider handles the rest.

3) There is already an 1800 there at the main office handling VPN clients, I'd like to use this but if need be could get a separate device.

I was thinking a failover to VPN would be the easiest, but I'm open to any other ideas.

Thanks for the help!

Hall of Fame Super Blue

Re: MPLS failover with VPN?

dmurray14 wrote:

Thanks for the response Jon. There is an 1800 in both locations handling the routing.

1) No separate router. This office is in a rural location and the primary concern is that the internet keeps dropping due to poles down and no redundant link. There is only one loop in the area so the backup link will be a 4G wireless device.

2) Each office advertises its route over the MPLS on a private AS, the provider handles the rest.

3) There is already an 1800 there at the main office handling VPN clients, I'd like to use this but if need be could get a separate device.

I was thinking a failover to VPN would be the easiest, but I'm open to any other ideas.

Thanks for the help!


2) So the routes are received via BGP at each site and it is only one router per site?

If so, then if you are advertising each site's specific subnets into BGP the easiest thing to do is just add a default route to each router pointing to the backup link interface, i.e.

ip route 0.0.0.0 0.0.0.0

What happens here is that the default route will not be used while the more specific routes are still received via BGP. If the MPLS link goes down then each site will stop receiving the BGP routes and the less specific default route, pointing to the backup interface, will then be used.

Does this sound feasible or am I misunderstanding your setup?

Jon

New Member

Re: MPLS failover with VPN?

Jon,

You've got it, only one router per site, and each site advertises its subnet.

I understand what you're saying, but the problem will be that the backup interface will be a direct connection to the internet. My concern is always having access to the main office from one of the remote offices. So I assume I'll need to set up a VPN (since I can't hop on the MPLS from outside my provider's network) and have the remote office fail over to the VPN if the MPLS goes down. I just don't know the best way to accomplish this.

Make sense?

Thanks!

Hall of Fame Super Blue

Re: MPLS failover with VPN?

dmurray14 wrote:

Jon,

You've got it, only one router per site, and each site advertises its subnet.

I understand what you're saying, but the problem will be that the backup interface will be a direct connection to the internet. My concern is always having access to the main office from one of the remote offices. So I assume I'll need to set up a VPN (since I can't hop on the MPLS from outside my provider's network) and have the remote office fail over to the VPN if the MPLS goes down. I just don't know the best way to accomplish this.

Make sense?

Thanks!

Yes, you will need to set up a VPN between the 2 sites and add the default routes pointing to the local backup interface. On that interface you would apply the crypto map, although it sounds like this is what you already have in your main office.

Remember that if the MPLS link goes down at one of the sites, not only does that site stop receiving the other site's routes but it also cannot advertise its own, so each site will see the other site's routes disappear and both routers should then use the default route.

If I am still not understanding your concerns then please clarify.

Jon

Blue

Re: MPLS failover with VPN?

How important are these remote sites?

Is your company really that cheap they don't want to spring for a secondary 1800 router as a backup?

If you had another DSL router, you would run eBGP on the primary router, iBGP to the backup and IPSec over the DSL link.

The primary router will set the local preference of the routes to, say, 500, and the backup router will use the primary to get to the central site.

If the primary link dies, primary BGP routes get withdrawn, so the tunnel gets used.

HTH


Victor

New Member

Re: MPLS failover with VPN?

Nope, not at all. In fact I have an extra 1800 sitting here waiting to be used. Like I said I'm not too well versed in this, so that was the best I could think of. Your idea sounds perfect, but I'll have to do some more research to figure out how to implement it. Any extra specifics you could provide would be much appreciated.

Thanks!!

On Feb 25, 2010, at 6:17 PM, lamav

New Member

Re: MPLS failover with VPN?

Can I maybe do this with an IPSec tunnel and an IP SLA? Have the tunnel always up but have it less preferred until the MPLS goes down? What's the best way to do that, can the static routes be present alongside the BGP-learned routes?

New Member

Re: MPLS failover with VPN?

Anyone comment on the last post?

Hall of Fame Super Blue

Re: MPLS failover with VPN?

Sorry for dropping out of this post, but after Victor mentioned using another router I wasn't sure what you were planning to do. Have you decided which hardware you are going to be using?

Jon

New Member

Re: MPLS failover with VPN?

No problem, thanks for the response. At this point I just want to stick with the two 2800s for simplicity's sake. Again, the issue we are fighting is the local loop going down thanks to idiots slamming into the poles out in a rural location. Adding another router is on my list, but at this point I want to work on the actual connection issue first.

The MPLS itself works great with BGP, and I'm thinking I can set up a tunnel alongside it (which will run over a separate internet connection); my confusion is with how to get it to automatically fail over. I want to keep it as simple as possible while still being effective. I was thinking of having an IP SLA on the main MPLS to detect a down condition, but I'm not quite sure what to do after that, and what the best way is to prefer the MPLS until it goes down, then prefer the IPSec tunnel. Any hints on this?

Thanks again.


Dan

Hall of Fame Super Blue

Re: MPLS failover with VPN?

Dan

I've already suggested a solution of using a default route pointing to the backup link and having the more specific routes received through the MPLS connection via BGP. If the MPLS link goes down or the BGP peering fails, the BGP routes will stop coming through and so the default route will be used to bring up the VPN tunnel.

If the MPLS link or the BGP peering comes back up, the more specific routes will be used again.

Is there a reason you think this won't work?

Jon

New Member

Re: MPLS failover with VPN?

Jon,

I guess I'm just not sure how that would work out. What would automatically trigger the VPN to start? What would prevent it from being started previous to the MPLS going down? And how will the other end of the link know that the route back to that office is no longer over the MPLS?

Thanks again for your help, much appreciated.

Dan

Hall of Fame Super Blue

Re: MPLS failover with VPN?

dmurray14 wrote:

Jon,

I guess I'm just not sure how that would work out. What would automatically trigger the VPN to start? What would prevent it from being started previous to the MPLS going down? And how will the other end of the link know that the route back to that office is no longer over the MPLS?

Thanks again for your help, much appreciated.

Dan

Dan

A router will always use the most specific match in the routing table to route the packet. The default route is the least specific match. So the default route would only be used if there were no more specific routes in the routing table.

So, assuming that you are advertising more specific routes via BGP, then once the MPLS link goes down or the BGP peering is lost the only thing left is the default route, which points to the VPN. And if the MPLS link or BGP peering is lost at your remote site then those routes will no longer be advertised to your head office.

However, if you already have a default route at your remote site for internet traffic pointing via the MPLS link, then yes, you will need to look into IP SLA to change the default route should the link fail.

Jon

New Member

MPLS failover with VPN?

Hi Dan,

Here is how I've always set this up. Use IP SLA to ping the far side and let it decide whether to remove the route or leave it in, i.e. if the ping is successful, then maintain a route internally; if it fails, pull the route and allow the default out (i.e. 0.0.0.0 outside) to take over.

As for the primary router and/or switch, just use a floating static. If you're using BGP your AD will be 20, and if you look at your routing table using sh ip bgp you should be able to figure out what floating statics you will need.

ip route 250 name TOASA

Above it shows that the cost of the route will be higher, and should you lose the MPLS on either side it will use the floating static to re-route the traffic out to the ASA.

The ASA will pull the route to inside by failing to ping the far side router via IP SLA.

Then the route to that network will use the default route. This should be routing outside via 0.0.0.0 0.0.0.0.

Next, it needs to not be NATted, using a nonat ACL etc. on the ASA.

Last, it will hit the crypto map and peer to the other side. Voila! You have redundancy.

Let me know if this helps.

IP SLA config. on ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

New Member

MPLS failover with VPN?

Hi All,

I have a hub-spoke network. Every spoke is connected to the hub via an MPLS data line. Every spoke also has a separate internet link which terminates directly on a firewall. The hub also has a separate internet link which terminates on a firewall.

I want to configure a VPN tunnel between spoke and hub for redundancy. How can I configure this VPN tunnel to automatically trigger when the MPLS link fails?

Your replies are much appreciated.

MPLS failover with VPN?

You can use BGP for both the MPLS and the VPN tunnels, using different neighbor weights.

New Member

MPLS failover with VPN?

Thanks ttemirgaliyev for the reply.

But I want to configure the VPN tunnel using the separate internet link which terminates on the firewall.

MPLS is configured using BGP on a separate 1800 router. Is it possible to automatically trigger the VPN tunnel (between the firewalls at hub & spoke) when the MPLS link fails?

Re: MPLS failover with VPN?

Is your network like this?

           --------- fw1 ------- vpn over internet ------- fw2 ---------
          /                                                             \
         /                                                               \
    int tunn1          ---  bgp over vpn  ---                        int tunn2
hub ------------------------ bgp over mpls ------------------------------ spoke

It will automatically trigger to the VPN over the Internet when the MPLS fails, provided the BGP neighbor weights are correct.

Don't forget to rate the post.

New Member

MPLS failover with VPN?

Yes, my network is like this. Only the BGP over VPN is not there.

Just BGP over MPLS and VPN over internet are there.

Thanks for the reply.

MPLS failover with VPN?

How to do it:

1. Configure the VPN over the internet from fw1 to fw2.

2. Configure static routes from the hub to fw1 and from the spoke to fw2.

3. Configure tunnel interfaces on the hub and spoke.

4. Ping from int tunn1 on the hub to int tunn2 on the spoke.

5. On the hub, add the spoke as a BGP neighbor and configure a lower neighbor weight.

6. On the spoke, add the hub as a BGP neighbor and configure a lower neighbor weight.

Don't forget to rate the post.
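The three designs in this thread (Jon's plain default route toward the VPN, the floating static plus IP SLA track in the ASA post, and ttemirgaliyev's BGP over both paths with a lower neighbor weight on the VPN side) all rely on the same router behaviour: longest-prefix match first, then administrative distance and BGP weight only among candidates for the same prefix, and an IP SLA track that withdraws a route when its probe fails. The following is an added example, not code from the thread or from Cisco: a small Python model of that selection logic that replays each design before and after the MPLS-learned routes are withdrawn. All prefixes, next-hop labels, AD values and the track name are constructed for illustration (eBGP AD 20, static AD 1 and floating static AD 250 are the usual IOS defaults; the weights 200/100 are arbitrary). It collapses BGP best-path selection into the RIB step, which is a simplification of how IOS actually orders things.

```python
# Added example (constructed, not Cisco code): a model of IOS route selection
# showing why each failover design in the thread only uses the VPN path once
# the MPLS-learned route is gone.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "10.1.0.0/16"; "0.0.0.0/0" is the default route
    next_hop: str     # constructed interface/neighbor labels
    source: str       # "bgp" or "static"
    ad: int           # administrative distance: eBGP 20, static 1, floating static 250
    weight: int = 0   # BGP weight: higher wins among BGP paths to the same prefix
    track: str = ""   # IP SLA track object that must be up for the route to be installed


class RoutingTable:
    """Candidate routes from all sources; rib() applies per-prefix selection."""

    def __init__(self, routes, tracks=None):
        self.candidates = list(routes)
        self.tracks = dict(tracks or {})  # track name -> True (up) / False (down)

    def rib(self):
        best = {}
        for r in self.candidates:
            if r.track and not self.tracks.get(r.track, False):
                continue  # the IP SLA probe failed: the tracked route is withdrawn
            cur = best.get(r.prefix)
            # Lower AD wins; for equal AD (two BGP paths) the higher weight wins.
            if cur is None or (r.ad, -r.weight) < (cur.ad, -cur.weight):
                best[r.prefix] = r
        return best

    def lookup(self, dst):
        """Longest-prefix match over installed routes; AD never competes across prefixes."""
        ip = ipaddress.ip_address(dst)
        matches = [r for p, r in self.rib().items() if ip in ipaddress.ip_network(p)]
        if not matches:
            return None
        return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen).next_hop

    def withdraw(self, next_hop):
        """Simulate losing the MPLS link or peering: every route via that neighbor disappears."""
        self.candidates = [r for r in self.candidates if r.next_hop != next_hop]


HQ = "10.1.0.0/16"   # constructed: head-office LAN advertised into BGP
HOST = "10.1.5.5"    # constructed: a host at head office


def scenario_default_route():
    """Jon's design: specific BGP routes over MPLS, a plain default route toward the VPN."""
    rt = RoutingTable([
        Route(HQ, "MPLS-peer", "bgp", ad=20),
        Route("0.0.0.0/0", "Tunnel-VPN", "static", ad=1),
    ])
    before = rt.lookup(HOST)      # /16 beats /0 even though the static has the better AD
    rt.withdraw("MPLS-peer")
    return before, rt.lookup(HOST)


def scenario_floating_static():
    """Floating static (AD 250) for the same prefix, tied to an IP SLA track."""
    rt = RoutingTable([
        Route(HQ, "MPLS-peer", "bgp", ad=20),
        Route(HQ, "Tunnel-VPN", "static", ad=250, track="sla-to-hq"),
    ], tracks={"sla-to-hq": True})
    before = rt.lookup(HOST)
    rt.withdraw("MPLS-peer")
    after = rt.lookup(HOST)
    rt.tracks["sla-to-hq"] = False   # the VPN path itself fails its probe
    return before, after, rt.lookup(HOST)


def scenario_bgp_weight():
    """ttemirgaliyev's design: BGP over both paths, lower weight on the VPN neighbor."""
    rt = RoutingTable([
        Route(HQ, "MPLS-peer", "bgp", ad=20, weight=200),
        Route(HQ, "VPN-peer", "bgp", ad=20, weight=100),
    ])
    before = rt.lookup(HOST)
    rt.withdraw("MPLS-peer")
    return before, rt.lookup(HOST)


if __name__ == "__main__":
    print("default route   :", scenario_default_route())
    print("floating static :", scenario_floating_static())
    print("bgp weight      :", scenario_bgp_weight())
```

The first scenario answers the question asked at the end of the thread: a bare default route does fail over automatically, because the /16 learned over MPLS only wins while it is present. What it cannot do is detect a dead MPLS path whose BGP routes are still being advertised, or cover a site that already points a default route at the MPLS; that is where the tracked floating static (second scenario) or the BGP-over-both-paths design (third scenario) earns its keep, and the second scenario also shows that a failed track removes the VPN route entirely rather than leaving a black hole in place.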

New Member

MPLS failover with VPN?

Thanks ttemirgaliyev.

Really appreciate it.

Hi, this really is a very nice conversation. What is the difference between the two scenarios, using a default route and using BGP over the MPLS tunnel?

Does only the second scenario automatically trigger when the MPLS connection is down?

What about using only a default route, does it also give the same result?
