I need some help regarding network design. We have 40 branches, each connected to the others by MPLS and also to the data centre. Now we want a redundant link to connect the other branches with the data centre. Each branch and the data centre also have an internet link.
We want to use IPsec/GRE tunnels from the other branches to the DC. Now the questions are:
1) Is it possible to use the VPN tunnel as a redundant link, so that the tunnel only comes up when the MPLS goes down?
2) If MPLS and the tunnel both work simultaneously, is there any chance of forming a loop in the network?
3) How much internet link bandwidth is generally required for the branches to connect with the DC?
1. Yes, it's possible, but if you mean can you make it so that the tunnel only activates when the MPLS fails, then I wouldn't recommend that. You are better off going with both MPLS and tunnels up at the same time, which leads to…
2. Yes, they can both be active at the same time - just use your routing protocols to make sure the MPLS is preferred over the VPN tunnel. If your MPLS links happen to use BGP, then using something like EIGRP on your VPN links will work very easily - eBGP has an admin distance of 20, meaning it's always 'trusted' more than EIGRP, which is 90. So, under normal operation, you will always use the BGP MPLS routes if they're available, and not use the VPN until your MPLS link fails. Yes, you should be careful in case of loops. In the above scenario, you would be OK if you do not redistribute the BGP routes into EIGRP and vice versa, but if you redistribute at the DC, be careful - use route tags to stop any loops.
3. I couldn't really say how much BW is needed - start with the same size as your MPLS link; internet is cheap?
We have two routers, one for MPLS and the other for Internet. A Cisco ASA 5520 is connected in front of the Internet router. In the core switches one default route is given to the firewall inside interface (0.0.0.0 0.0.0.0 10.x.x.3).
Another route is pointed toward the MPLS router inside interface (10.x.0.0 255.255.0.0 10.x.x.12).
In the MPLS router a default route is also given to the ISP router.
In this scenario, how do we set the priority so that the tunnel only comes up when the MPLS goes down?
If you want to do it that way you could track a route on the MPLS router to that next hop - basically ping 10.x.x.12 and if it doesn't respond remove the route from the routing table and use the backup route to the ASA:
! 'rtr' is the legacy keyword; newer IOS releases use 'ip sla 1' / 'ip sla schedule 1' instead
rtr 1
 type echo protocol ipIcmpEcho 10.x.x.12
rtr schedule 1 life forever start-time now
track 1 rtr 1 reachability
! primary static route, withdrawn from the RIB while track 1 is down
ip route 10.x.0.0 255.255.0.0 10.x.x.12 track 1 name via_mpls
! floating static (AD 100) towards the ASA, installed only when the primary is gone
ip route 10.x.0.0 255.255.0.0 10.x.x.ASA 100 name backup_via_asa
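As an added illustration (not from the thread), the following simulation shows how the IOS route-selection rules described in both answers produce the failover: a tracked static route is withdrawn when its track object goes down, then longest prefix match and lowest administrative distance decide, which is also why eBGP (AD 20) beats EIGRP (AD 90) while the MPLS session is up. The addresses 10.0.0.0/16, 10.1.1.12, 10.1.1.3 and 10.2.2.1 are constructed stand-ins for the 10.x values in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Route:
    prefix: str            # destination network, e.g. "10.0.0.0/16"
    next_hop: str          # constructed addresses, not taken from the thread
    admin_distance: int    # static 1, eBGP 20, EIGRP 90, floating static 100
    name: str
    track: Optional[int] = None  # IP SLA track object id, None if untracked

def best_route(rib, dst, track_state):
    """Select a next hop the way IOS does: routes whose track object is
    down are withdrawn, then longest prefix match, then lowest AD."""
    dst_ip = ipaddress.ip_address(dst)
    usable = []
    for r in rib:
        if r.track is not None and not track_state.get(r.track, True):
            continue                          # track down -> route withdrawn
        net = ipaddress.ip_network(r.prefix)
        if dst_ip in net:
            usable.append((net.prefixlen, r.admin_distance, r))
    if not usable:
        return None
    usable.sort(key=lambda t: (-t[0], t[1]))  # longest prefix, then lowest AD
    return usable[0][2]

# Constructed RIB of the MPLS router from the second answer.
MPLS_ROUTER_RIB = [
    Route("10.0.0.0/16", "10.1.1.12", 1, "via_mpls", track=1),
    Route("10.0.0.0/16", "10.1.1.3", 100, "backup_via_asa"),
    Route("0.0.0.0/0", "10.1.1.3", 1, "default_via_asa"),
]

def static_failover(mpls_track_up, dst="10.0.7.20"):
    """Name of the route used for a branch host while track 1 is up or down."""
    r = best_route(MPLS_ROUTER_RIB, dst, {1: mpls_track_up})
    return r.name if r else None

def protocol_preference(mpls_bgp_up, dst="10.0.7.20"):
    """Same prefix learned via eBGP over MPLS (AD 20) and via EIGRP over the
    VPN tunnel (AD 90): eBGP wins until the MPLS BGP session drops."""
    rib = [Route("10.0.0.0/16", "10.2.2.1", 90, "eigrp_via_vpn")]
    if mpls_bgp_up:
        rib.append(Route("10.0.0.0/16", "10.1.1.12", 20, "ebgp_via_mpls"))
    r = best_route(rib, dst, {})
    return r.name if r else None
```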