04-03-2010 09:31 AM - edited 03-06-2019 10:27 AM
Hey guys,
I need to implement a VPN backup for an MPLS network (running iBGP). I would like to concurrently run a VPN tunnel from a branch office to HQ alongside an MPLS. When the MPLS goes down I'd like traffic to go over the VPN, but only then. I was thinking of setting up the VPN tunnel and doing something like an IP SLA to monitor the MPLS, and maybe add a static for the VPN if it's detected down, though truthfully, I get it in concept but I'm not sure how I'd implement it. Any ideas? Much appreciated.
Thanks,
Dan
04-03-2010 11:29 AM
No, here's an example for your reference:
ip sla 53
 icmp-echo x.x.x.x
 timeout 500
 frequency 3
ip sla schedule 53 life forever start-time now
ip sla 54
 icmp-echo y.y.y.y
 timeout 500
 frequency 3
ip sla schedule 54 life forever start-time now
track 1 rtr 53 reachability
track 2 rtr 54 reachability
ip route 0.0.0.0 0.0.0.0 MPLS 1 track 1
ip route 0.0.0.0 0.0.0.0 VPN 100 track 2
x.x.x.x and y.y.y.y will be a reachable IP via the MPLS and VPN links respectively.
This is if the VPN and MPLS reside on the same router as Jon said.
Federico.
04-03-2010 11:33 AM
Wouldn't that be 2 statics though? My MPLS routes are advertised via BGP.
04-03-2010 11:35 AM
dmurray14 wrote:
Wouldn't that be 2 statics though? My MPLS routes are advertised via BGP.
That's the reason you don't need IP SLA, i.e. because you are not using 2 statics.
If you want to reduce the BGP convergence you could reduce the BGP timers. What would be an acceptable failover time for you?
Jon
04-03-2010 12:05 PM
Jon,
I'd like to shoot for a couple minutes - any more than that and I'll still get called at 3am!
Quick edit: looks like the Cisco default is 60 seconds, or am I reading this wrong? That would be great.
04-03-2010 12:25 PM
With default BGP timers of 60 seconds and 180 seconds it could be longer but you can reduce the timers. We used 10 and 30 on our MPLS network and it worked fine.
Jon
04-03-2010 12:27 PM
Thanks Jon. I just discovered GNS3, so it looks like I have some messing around to do...
04-03-2010 11:36 AM
You're right, sorry.
In that case, changing the AD of the STATIC route, the iBGP routes will always be preferred over the static floating route.
Just use the example I gave you for the VPN connection.
Federico.
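The route preference and timer behaviour discussed in this thread, as an added Python model that is not part of any original post: it picks the installed route by administrative distance (iBGP at the Cisco default of 200, tracked statics as in the earlier config) and computes how long a silent MPLS failure takes to expire the BGP hold timer. The prefix 10.0.0.0/8, the floating distance of 250 and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

AD_IBGP = 200        # Cisco IOS default distance for iBGP-learned routes
AD_FLOATING = 250    # assumed value for the backup static; must be above 200

@dataclass(frozen=True)
class Route:
    prefix: str
    via: str                      # "MPLS" / "VPN" stand in for next hops, as in the thread
    distance: int
    track: Optional[int] = None   # track object id for a tracked static

def best_route(candidates, prefix, tracks=None):
    """Route the RIB installs for `prefix`: lowest distance among usable candidates.
    A static tied to a track object is usable only while that object is up."""
    tracks = tracks or {}
    usable = [r for r in candidates if r.prefix == prefix
              and (r.track is None or tracks.get(r.track, False))]
    return min(usable, key=lambda r: r.distance, default=None)

def detection_window(keepalive, hold):
    """Seconds from a silent MPLS failure until the BGP hold timer expires.
    The last keepalive arrived between 0 and `keepalive` seconds before the
    failure, so expiry falls between hold - keepalive and hold."""
    return hold - keepalive, hold

# Constructed sample: one HQ prefix learned via iBGP, backed by a floating static.
HQ = "10.0.0.0/8"
IBGP = Route(HQ, "MPLS", AD_IBGP)
FLOATING = Route(HQ, "VPN", AD_FLOATING)

def hq_path(bgp_session_up):
    """Path to HQ; the iBGP route exists only while the session is up."""
    learned = [IBGP] if bgp_session_up else []
    return best_route(learned + [FLOATING], HQ).via

# Tracked default routes from the earlier config (track 1 = MPLS probe, 2 = VPN probe).
DEFAULTS = [Route("0.0.0.0/0", "MPLS", 1, track=1),
            Route("0.0.0.0/0", "VPN", 100, track=2)]

if __name__ == "__main__":
    print("BGP up:  ", hq_path(True))
    print("BGP down:", hq_path(False))
    print("default, MPLS probe failed:",
          best_route(DEFAULTS, "0.0.0.0/0", {1: False, 2: True}).via)
    for ka, hold in ((60, 180), (10, 30)):
        print(f"timers {ka}/{hold}: hold timer expires after {detection_window(ka, hold)} s")
```

The window covers detection only; the model ignores keepalive jitter and any time the VPN tunnel itself needs to come up.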
04-03-2010 12:04 PM
Thanks Federico!
04-29-2010 02:39 PM
I'm almost ready to deploy this, but I came up with one last question -- how do I handle the internet? I already have a default static route pointing to the MPLS gateway. How do I switch this over to the backup internet connection when it goes down? Is it enough just to put in another default static with the backup link gateway, with a higher admin distance? I'm just not sure when the original static will be taken out.
Thanks!