We currently have a 1.5 mb MPLS connection to a remote site. Also at this site we have a 20 mb broadband connection. We want to create a VPN tunnel over the broadband connection back to our primary location and make the MPLS a secondary line and have it fail over if the VPN tunnel goes down. We have purchased a new 1900 series router with the VPN and Security bundle. I am now being told by our VAR that this cannot be done?? Has anyone seen a VPN tunnel fail over to an MPLS before?
I am not sure that I have seen this done before, but I think it should be possible. It would be helpful if you could provide some more information. In particular how is the MPLS working? Are you exchanging route information over the MPLS (are you running a dynamic routing protocol, or using static routes, or what)?
If you are running a dynamic routing protocol over the MPLS then I would expect that you would want to also run a dynamic routing protocol over the VPN, and then it is a question of how to prefer the routes learned over the VPN over the routes learned over MPLS. If you are using static routes on MPLS then you probably want to use static routes over the VPN and then you probably need something like IP SLA/track to detect when connectivity is lost over VPN and to remove the VPN static routes from the routing table.
The solution may be a bit complex. But I believe that there should be ways to get it to work.
We are currently running static routes over the MPLS, but I am not against OSPF or EIGRP. I know we could do it with the MPLS as the primary, but the issue we are running into is we want the MPLS as the secondary route and the broadband VPN tunnel as the primary. I will look into the IP SLA/track.
There are advantages in both approaches. Dynamic routing may be simpler and especially helpful if more than one router is involved at either end (more likely at the head end than the remote). Static routes are fine especially if a single router is handling both the MPLS and VPN connections.
If you are currently doing static routes over the MPLS then let us take a look at how static routes can be used to make the VPN primary and the MPLS backup. This assumes that both the VPN and MPLS are configured and working. You would configure a normal static route(s) for whatever address space is reachable at the other end. The next hop for these routes would be through the VPN, which will make the VPN the preferred way to reach the other end. You configure a floating static route(s) (a static route which has a higher administrative distance specified) for this address space with the next hop through the MPLS. Then you configure IP SLA and tracking for the preferred/normal static route(s). You would track connectivity to some address that is reached specifically through the VPN. (Since you will probably need a static route that always reaches this address through the VPN, pick an address that will not have an impact if it becomes unreachable - you will not be able to get to this address when you have failed over to MPLS.) As long as the tracked address is reachable, the normal static routes are used and traffic flows through the VPN. If the tracked address becomes unreachable, the normal static routes are withdrawn from the routing table, the floating static routes go into the routing table, and traffic flows through MPLS.
Yes, the IP SLA does continue to try to ping, and when the destination IP does become reachable again the primary static routes will go back into the routing table and traffic will go through the VPN again.
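The VPN-primary / MPLS-backup design described in the two replies above, written out as a Cisco IOS configuration. This is an added illustration, not configuration from any poster; it assumes the VPN terminates on a tunnel interface (GRE over IPsec or a VTI) named Tunnel0, and all addresses (remote LAN 10.20.0.0/24, probe target 10.20.0.250, MPLS next hop 192.0.2.1) are constructed placeholders.

```cisco
! Constructed addresses for illustration only.
! Remote LAN: 10.20.0.0/24   VPN: interface Tunnel0   MPLS next hop: 192.0.2.1
! Probe target 10.20.0.250 is a host at the remote site that nothing depends on.

! ICMP probe sent through the tunnel every 10 seconds
ip sla 10
 icmp-echo 10.20.0.250 source-interface Tunnel0
 frequency 10
ip sla schedule 10 life forever start-time now

! Track object follows the probe; delays damp flapping on a lossy broadband link
track 10 ip sla 10 reachability
 delay down 15 up 30

! Host route pins the probe target to the VPN with no track, so the probe keeps
! using the tunnel even while failed over and can detect when the VPN recovers.
ip route 10.20.0.250 255.255.255.255 Tunnel0

! Primary route (default AD 1): withdrawn from the routing table when track 10 is down
ip route 10.20.0.0 255.255.255.0 Tunnel0 track 10

! Floating static (AD 250): installed only while the primary route is withdrawn
ip route 10.20.0.0 255.255.255.0 192.0.2.1 250
```

The same pattern is needed in the opposite direction on the head-end router, with its own probe target reachable only through the tunnel; `show track 10` and `show ip route 10.20.0.0` confirm which path is active during a test failover.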