09-10-2013 09:44 AM - edited 03-04-2019 08:59 PM
Hi all
We currently have remote sites with an MPLS WAN to the HQ. Each site also has an Internet connection. I need to have automated backup to the MPLS over the Internet. Each site will have 2 routers, one for MPLS and one for Internet.
What's the best way of achieving this?
09-10-2013 11:43 AM
Hi Carl,
So just to be clear you are going to have an MPLS infrastructure that will centrally connect to your HQ. In parallel each site will also have internet connectivity. I guess my first question would be, what does your perceived traffic pattern look like. I assume you will be implementing an IGP (EIGRP/OSPF) and configuring it to advertise routes among the MPLS sites. Will there be any need to back haul internet traffic through the HQ site?
I have had similar infrastructures like this in the past. It's much easier when all INET traffic demarcs the same central location, usually a colo. In my case I configured the EIGRP advertisements with a default route from the HQ. At each location I had a backup RTR with INET connectivity also peering EIGRP, however, I redistributed a static default route, allowing the injection locally to implement with an AD of 170. This allowed the MPLS Default Route to natively be implemented at each site. In the event of failure, the EIGRP traffic would converge to then use the local site's INET connection and I had IPsec tunnels configured in a hub-spoke off HQ. Each tunnel used Reverse-Route Injection (RRI) to allow all downstream routing to also converge and continue using best path.
When the primary MPLS link came back online, EIGRP would again converge and automatically add the correct default route back in.
One snag was the SA Lifetimes would leave the injected static route from the established tunnel in the Colo, so you may want to tweak lifetime settings very aggressive, or modify keepalives and understand you may manually have to wash the SA.
This is a thought and example of how I have configured this type of topology in the past. Your description above is a little vague. I hope this helps some.
Thanks.
09-11-2013 05:31 AM
Basically we have an MPLS WAN.
On each remote site we have IPsec tunnels configured to the HQ, so yes, hub and spoke effectively; these are running OSPF.
Each site then also has an Internet connection.
I want to have 2 routers at each remote site, one with MPLS and one with the Internet connection.
What is the best way?
09-11-2013 05:41 AM
On your spoke sites run HSRP between your two routers (with the MPLS router given a higher priority) and track received routes / interface state on the MPLS router so if the MPLS goes down the priority is decremented making the other router the master.
On the other (internet) router configure an IPSEC tunnel back to your head office and advertise the spoke subnets into the head office with a worse metric / AD than those advertised from the MPLS router. Your biggest challenge with this kind of deployment is making sure it fails over and fails back automatically and you don't end up with asynchronous routing. Good luck!
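The HSRP half of the design described in the reply above, sketched as an added Cisco IOS example (not posted by anyone in the thread). Interface names, addresses, the tracked HQ prefix and the key string are constructed placeholders; the IPsec tunnel and routing metrics on the Internet router are not shown.

```cisco
! ---- MPLS router (preferred HSRP gateway) ----
! Track a prefix learned from HQ over MPLS (constructed: 172.16.0.0/16)
track 10 ip route 172.16.0.0 255.255.0.0 reachability
! Track the MPLS-facing interface state
track 11 interface GigabitEthernet0/0 line-protocol
! Combined object: up only while both the route and the interface are up
track 20 list boolean and
 object 10
 object 11
!
interface GigabitEthernet0/1
 description Site LAN (constructed addressing)
 ip address 192.168.10.2 255.255.255.0
 standby version 2
 standby 1 ip 192.168.10.1
 standby 1 priority 110
 ! Delay fail-back so MPLS routing can reconverge before taking over again
 standby 1 preempt delay minimum 60
 ! Authenticate hellos so a rogue LAN host cannot claim the gateway address
 standby 1 authentication md5 key-string <HSRP-KEY-PLACEHOLDER>
 ! 110 - 20 = 90, which is below the Internet router's 100
 standby 1 track 20 decrement 20
!
! ---- Internet router (backup HSRP gateway) ----
interface GigabitEthernet0/1
 description Site LAN (constructed addressing)
 ip address 192.168.10.3 255.255.255.0
 standby version 2
 standby 1 ip 192.168.10.1
 standby 1 priority 100
 ! Preempt is required here, otherwise the decrement never causes a switchover
 standby 1 preempt
 standby 1 authentication md5 key-string <HSRP-KEY-PLACEHOLDER>
```

After a test failover, `show standby brief` and `show track` on both routers confirm which router is active and which tracked object changed state.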
09-11-2013 08:12 AM
So DMVPN wouldn't need to be used here?
09-12-2013 05:00 AM
Do I need to advertise the worse metric at the HQ Internet router and also the remote Internet router?
Cheers
09-12-2013 05:06 AM
No, at the spoke site outbound path selection is controlled by HSRP. You just need the head office to favour the MPLS link for traffic routed towards the spoke site.