We have MPLS set up between 3 sites. I recently set up IPSec tunnels between the 3 sites for backup. Now if I shut the interface on my core where the MPLS router is connected, I lose the connectivity between sites, even though I have set up static routes.
The static routes between sites for MPLS are:
10.1.0.0 255.255.0.0 10.12.0.4
10.2.0.0 255.255.0.0 10.12.0.4
The VPN router IP address is 10.11.0.4 and I have set up the static routes below:
10.1.0.0 255.255.0.0 10.11.0.4 5 (metric)
10.2.0.0 255.255.0.0 10.11.0.4 5 (metric)
When I bring down the MPLS router, the traffic hits the 10.11.0.4 ACL but it is not working. The route in the VPN router is as under
Do you have DMVPN set up between the sites? If so, the spoke sites need to check in with the hub site before they can establish a tunnel between the two spoke sites. So here you would either need to set up a second hub router, or configure a full-mesh s2s tunnel setup, i.e. configure static IPsec tunnels between all sites.
Please remember to select a correct answer and rate helpful posts
It should be a problem with the reverse routing. Let's say, for example, in Site 1 you have done the backup and you made the link down between the router and the switch. So the switch takes the floating static route and forwards the traffic to the VPN router (that's why you can see the hits). Though the VPN might forward the traffic to the destination Site 2, there the reverse route is still towards the MPLS router and the traffic drops.
There are a couple of solutions we can do here. One is to run a protocol over the VPN and make the routing decision dynamic across both MPLS and VPN, so that when an MPLS failure occurs, Site 2 will automatically remove the route towards your MPLS router and install the one with the VPN router. It really depends on how your setup is and what kind of protocol you are running over MPLS.
We are using EIGRP between sites; however, I have a static route to the MPLS router and I don't have access to that MPLS router. Can you send me an example, or what I should ask my vendor to configure on their MPLS router?
Is it possible to extend EIGRP to your core switch? Please check that with the vendor, and if that is possible, you will learn the MPLS site routes through EIGRP and you can also run EIGRP over the VPN and between the core switch and the VPN routers. Then it is all about manipulating the metric (increase the link delay from the core switch to the VPN router so that it will be least preferred).
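The asymmetric return path described in the replies above can be reproduced with a small route-selection model. This is an added example, not part of the original thread: 10.12.0.4, 10.11.0.4, 10.2.0.0/16 and the distance of 5 come from the question, while the Site 1 LAN 10.10.0.0/16 and the Site 2 next hops 10.22.0.4 and 10.21.0.4 are constructed assumptions.

```python
import ipaddress

# Next hop -> transport. 10.12.0.4 and 10.11.0.4 are from the thread;
# the Site 2 next hops and the 10.10.0.0/16 Site 1 LAN are constructed.
TRANSPORT = {"10.12.0.4": "mpls", "10.11.0.4": "vpn",
             "10.22.0.4": "mpls", "10.21.0.4": "vpn"}

class Core:
    def __init__(self):
        self.routes = []        # (network, next_hop, administrative distance)
        self.withdrawn = set()  # next hops this core no longer considers usable

    def add(self, prefix, next_hop, distance=1):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, distance))

    def egress(self, dst):
        """Transport chosen for dst: longest prefix, then lowest distance."""
        ip = ipaddress.ip_address(dst)
        live = [r for r in self.routes if ip in r[0] and r[1] not in self.withdrawn]
        if not live:
            return None
        best = min(live, key=lambda r: (-r[0].prefixlen, r[2]))
        return TRANSPORT[best[1]]

def round_trip(site1, site2, src, dst, broken):
    """Return (forward, reverse, ok); ok only if neither leg uses a broken transport."""
    fwd, rev = site1.egress(dst), site2.egress(src)
    ok = None not in (fwd, rev) and fwd not in broken and rev not in broken
    return fwd, rev, ok

def build():
    s1, s2 = Core(), Core()
    s1.add("10.2.0.0/16", "10.12.0.4")        # primary static via MPLS router
    s1.add("10.2.0.0/16", "10.11.0.4", 5)     # floating static via VPN router
    s2.add("10.10.0.0/16", "10.22.0.4")       # Site 2 return route via its MPLS router
    s2.add("10.10.0.0/16", "10.21.0.4", 5)    # Site 2 floating static via its VPN router
    return s1, s2

def scenario(site2_reacts):
    s1, s2 = build()
    s1.withdrawn.add("10.12.0.4")             # Site 1 core interface to MPLS router shut
    if site2_reacts:                          # dynamic routing withdraws the MPLS path at Site 2
        s2.withdrawn.add("10.22.0.4")
    return round_trip(s1, s2, "10.10.5.20", "10.2.5.20", broken={"mpls"})

if __name__ == "__main__":
    print("static only:     ", scenario(False))  # return leg still points at MPLS
    print("dynamic failover:", scenario(True))   # both legs use the VPN
```

With static routes only, the forward leg fails over to the VPN while the return leg still selects MPLS, which is why the VPN router's ACL shows hits but the session never completes.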