Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

MPLS failover to Internet.

Customer has 3750x switches routing on an MPLS network today. They are asking for a failover option to the internet and connect to the DR site via VPN. I need help with the design, please.

4 REPLIES
New Member

Hi Todd,How about deploying

Hi Todd,

How about deploying ISR routers connected to the 3750X switches at each site, and implement a VPN solution in between the ISR's - such as FlexVPN or DVTI/SVTI.

Using a dynamic routing protocol would allow you to advertise routes within the "Internet VPN cloud" and redistribute to and from the 3750X switches.

Depending on which routing protocol you would choose, you could tweak the "VPN routes" so that the third-party MPLS routes are preferred before the "Internet VPN" ones.

-- 

Sincerely,

Søren Elleby Sørensen

New Member

Hi Soren,I appreciate the

Hi Soren,

I appreciate the prompt response! 

I'm not familiar with FlexVPN. Would this allow for failover? If it was up to you, how would you deploy in this scenario using the 3750's on the backend? Would you use two ISR routers?

 

Regards,

Todd

 

New Member

Hi Todd, FlexVPN offers

Hi Todd,

 

FlexVPN offers several VPN deployment models, so you might consider it a VPN frame-work.

It might not be a term Cisco would use, but it offers all the various IPsec VPN deployments models under one umbrealla so to speak.

If a Cisco representative reads this, please correct me if I'm wrong :)

 

Here's a few configuration examples:

http://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html

 

I would deploy ISR G2's or ASR 1K's at each branch office and the hub, depending on whether you want a hub-and-spoke topology or a full-mesh. Your router of choice of course also depends the amount of crypto you need to forward.

 

I would you use OSPF in between the 3750X's and the branch/hub routers across the tunnels, but that kinda depends on what flavour of IGP you'd prefer. BGP is also an option, but if you have several sites, you might want to look into route-reflection, as configuring a BGP full-mesh with tons of routers can get rather .. dull :) 

 

Cheers

New Member

Soren, you've been fantastic!

Soren, you've been fantastic! Thank you for your help. I'm much more comfortable in a design now. I was leading toward two ISR Routers for redundancy and failover capabilities. Along with 2 ASA 5515's and still use the 3750x's on the backend with the necassary VLAN's.

125
Views
0
Helpful
4
Replies
CreatePlease to create content