Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4370
Views
0
Helpful
25
Replies

Cisco router to route traffic through MPLS priority or through Internet secondly

Go to solution
Damien Duchenne
Level 1
Level 1

‎01-16-2014 02:31 AM - edited ‎03-04-2019 10:05 PM

Hi Everybody,

We would like to implement a solution on a remote site where there is a MPLS connection and a Internet connection. In fact, we have a permanent VPN tunnel between this site and a central site. We would like to install a Cisco router which will be between the firewall and Internet/MPLS and which will take the decision to use the MPLS link in priority and the Internet connection when the MPLS is not available to route the VPN.

Therefore, I need your help to find a solution. We think to buy 1921 models to make it happen (two devices for redundancy). My idea was to create a transition LAN between the firewall where the VPN is established and the router. On the router, it will have both Internet and MPLS connections and will check the MPLS connection to verify if the link is UP to route the VPN through it, but if not, the VPN should pass through the Internet link. The problem I see is that the VPN can use private IP address to pass through the MPLS, but not for VPN. So if the VPN has to go through Internet, traffic will have to be natted, but not for the MPLS use. How can I do that? By using SLA track, is it possible? And how to configure NAT only if trafic pass through Internet?

Is there a way to proceed? Is the Cisco model well adapted?

Thank you very much for your answers.

Best regards,

Damien

Labels:
0 Helpful
25 Replies 25

Go to solution
Vasilii Mikhailovskii
Level 7
Level 7
In response to Damien Duchenne

‎01-23-2014 01:58 AM

Hi.

ip sla is not a good solution if you have dynamic routing as an option.

You need 2 routers for Office (for redundancy) and 1 router per branch (unless you need redundancy).

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-23-2014 02:02 AM

Hi,

OK great, thank you.

Do you have an example of such a configuration for routers in Office and router for Remote Site?

Thank you very much once again.

Best regards,

Damien

0 Helpful

Go to solution
Vasilii Mikhailovskii
Level 7
Level 7

‎01-23-2014 02:07 AM

I guess first of all you need to discuss the design internally.

If it would be approved, then you need to plan migration plan.

Currently you could try to build the design in GNS3 or IOU.

Are you familiar with Cisco routers? If you are not, then who will be implementing the design?

PS: tunnel configuration is like:

int tu1

ip add ... 255.255.255.252

tunnel souce ...

tunnel dest ....

keep 5 3

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-23-2014 03:24 AM

My management has already approved the fact that we will need maybe 4 routers, and as I'm the project manager for this topic, I don't need further approuval (while we are in the budget of 3.000$).

I will implement the design. I'm familar with Cisco but I don't have a huge knowledge as you certainly understood it. But if I have the solution and that I understand it, it will be very easy for me to implement it.

Implementing GRE tunnels will not be a problem, but what have you in mind for the dynamic routing?

0 Helpful

Go to solution
Vasilii Mikhailovskii
Level 7
Level 7
In response to Damien Duchenne

‎01-24-2014 01:27 AM

Hello, Damien.

The easiest would be to implement EIGRP.

The best practise is to use EIGRP stub for spokes and announce summary from Hub[s].

You configure equal bandwidth per Tunnel (unless you need QoS) and manage prefered interface by better delay.

Your Firewall would be a gateway of last resort (for router[s]), but default gateway is not needed to be advertised over WAN.

If you want your firewall to take part in routing protocol, then OSPF would be your choice.

Office routers should be in area 0; every spoke could be in different area type [for example] nssa.

In this case prefered interface would be chosen by bandwidth (ospf cost).

! Actually your firewall (if they only implement encryption for GRE + NAT) is not required to join routing protocol. It will be enough if it has static for 10.0.0.0/8 toward closest router and default gateway toward internet. WAN router needs default gateway toward firewall + route for GRE peer.

PS: as far as I remember, PFR doesn't have overall support for OSPF.

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-24-2014 02:20 AM

Hello,

Thank you very much for your solution.

So the final design after all our discussion will be:

  • 2 x Cisco routers 1921 or 1941 seem to be enough for main office (one for the main site and the other one for the DRP, but only one MPLS connection will exist in the main site)
  • 2 x Cisco routers 892 for the remote site (the MPLS connection will be 2M, so it will be enough)

I've tried to create the design into Boson NetSim, but the above models are not in it and moreover, the IOS version is 12.3. So when I've tried to configure the EIGRP on the tunnel interface, it was not working (ip summary-address eigrp 1 192.168.0.0 255.255.252.0). This command works on a physical interface, but not on a tunnel interface. But maybe that this is due to the version of the IOS. I've tried to use GNS3, but I'm not familiar at all with this software.

The OSPF is indeed not needed as I don't need to include firewalls in the routing.

Thank you again.

Regards,

Damien

0 Helpful

Go to solution
Vasilii Mikhailovskii
Level 7
Level 7
In response to Damien Duchenne

‎01-24-2014 03:00 AM

Hello, Damien.

For Main office take 1941 (don't think about 1921), but calculate port count you need. Surely it's possible to configure sub-interfaces, but that is not always good. Make sure you meet ISP's (MPLS) requiremement for port type.

For branch - 881 could be enough up to 4M. Surely 892 is better.

PS: pay attention to Smartnet you need.

PS2: if you want to encrypt traffic by routers you will need SEC license (but, looks like, it's not your case).

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-24-2014 03:08 AM

Hello,

OK great, I will take 1941 models with a HWIC card of four ports and 881 models (or 892 if the price is not a huge difference from the 881) with no HWIC while it has four onboard ports.

Thank you again for your followup and all information you gave, I really appreciate.

Best regards,

Damien

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-24-2014 03:44 AM

Just one more question, why did you say that I don't have to think about 1921 model?

Thank you.

0 Helpful

Go to solution
Vasilii Mikhailovskii
Level 7
Level 7
In response to Damien Duchenne

‎01-24-2014 12:10 PM

Hello.

1941 has better performance and expansion options.

If you can - buy 892 instead of 881 (the same cause).

Have you understood the routing? Have you tried it in GNS/IOU first?

0 Helpful

Go to solution
Damien Duchenne
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎01-27-2014 06:53 AM

Hello,

OK, thank you for this information.

Yes I've understood the routing but in my tool NetSim from Boson, I can't test it due to wrong version of IOS as explained earlier in this discussion.

I've tried with GNS but I don't have the IOS yet and I'm not familiar with this tool.

Best regards,

Damien

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card