Is it possible to load balance MPLS and internet VPN? We have MPLS/VPN for our private connection and I want to make VPN using Internet and load balance the two connection. Is that possible? if yes, can someone provide me a link for my refference?
tnx and regards to all!
We need to know more about your network topology
It is possible to set the routing in such a way that the internet is used as a backup for your MPLS connection
If you have two sites each currently connected to internet using an EDGE Router and a INTERNET Firewall behind it, you can add a NEW Router (capable of running IPSec) and an INTERNET Switch (or use existing switch and create a VLAN, you only need three interface anyway). Connect the EDGE Router, INTERNET Firewall, and the NEW Router to INTERNET Switch. This is a triangle, the subnet within this triangle is a Public IP Address. The NEW Router has another interface to connect to the INTERNET Firewall (for filtering).
For example, each Site (SiteA and SiteB) should have...
EDGE Router WAN0 Interface: Connects to ISP using Public IP Address (/30 minimum)
EDGE Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.1/29)
NEW Router LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.2/29)
NEW Router LAN1 Interface: Connects to INTERNET Firewall LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.1/30)
NEW Router WAN0 Interface: Connects to MPLS
INTERNET Firewall LAN0 Interface: Connects to INTERNET Switch VLAN999 using Public IP Address (/29 minimum, i.e. a.b.c.3/29)
INTERNET Firewall LAN1 Interface: Connects to NEW Router LAN1 Interface using Private IP Address (/30 minimum, i.e. 192.168.0.2/30)
INTERNET Firewall LAN2-onwards Interface: Connects to your other LAN Segment behind the firewall
Configure IP GRE Tunnel through MPLS between two sites in NEW Router
Configure IP GRE Tunnel over IPSec through Internet between two sites in NEW Router
Configure ACL in SiteA NEW Router LAN0 Interface to accept connection from SiteB NEW Router LAN0 Interface only (vice versa)
Configure IPSec ACL that the tunnel will be triggered only by IP GRE tunnel
Configure routing through IP GRE Tunnels
Since Internet bandwidth is not guaranteed, you can configure floating static route and use IP GRE Tunnel through MPLS as primary and IP GRE Tunnel over IPSec through Internet as backup. Else, you can configure OSPF and use equal path load balancing.
This will work and secure. However, it depends on resources at both site, i.e. NEW Router, EDGE Router, INTERNET Firewall, INTERNET Switch, Public IP Address, Interfaces needed in NEW Router and INTERNET Firewall
NOTE: Don't forget to put "keepalive 5 4" in the IP GRE Tunnel interface. I'm not sure if "keepalive" is enabled by default in newer IOS, but when I did this configuration 3 years ago, "keepalive" is disabled by default in 12.2 IOS on 2600 series router (I think). Oh, if you have VPN Accelerator Card installed in your router, don't forget to enable it.
You didn't mention how you're routing across the MPLS/VPN.
I work with a client that uses BGP across their MPLS/VPN. Their Internet VPN uses GRE/IPSec, also uses BGP between sites. Works find as long as you handle the difference in AS hops between Internet VPN and MPLS/VPN.
Earlier same client was using OSPF across various WAN technologies (p-2-p, frame-relay, ATM) and OSPF across Internet VPN using GRE/IPSec. VPN path usage was dependent on costing, usually configured for equal costing.
Both of the above worked easily as long as VPN GRE/IPSec just appeared as another path. I.e., from routing perspective, treating it as such too.
I have the same requirements but I want to just use the GRE tunnel in case the MPLS goes down. I also want to keep both links up at the same time, however I am running BGP on my MPLS link and EIGRP on my tunnel. So far in my test enviroment, my EIGRP take precedence over my BGP and I don't even see the BGP routes. But when I shut down my tunnel, I can see my BGP routes. Is there any way to have BGP take precedence over my EIGRP routes?
The only other way I see to do this is using EEM with ping object tracking, but if possible I'd like to find out if the above is possible.