01-16-2009 10:59 AM - edited 03-04-2019 12:52 AM
I am trying to set up a VPN backup solution for one of our MPLS connected branch offices. I've configured the tunnel interfaces as required and that is working as expected, however I'm looking for suggestions on which direction to go with the routing.
The MPLS routers at both sites are running EIGRP (different AS's) and redistributing into BGP to traverse the provider MPLS network (both using same private AS number).
My original thought was to just use BGP and set up peering between the tunnel interfaces, but since the AS numbers are the same the routes learned via the backup path become iBGP and are preferred over the eBGP learned routes of the primary MPLS path.
Does anyone have any suggestions? Are there any best practices when it comes to GRE tunnel interfaces and routing?
Thanks,
Aaron
01-16-2009 11:43 AM
I believe you can only use three routing protocols through a GRE tunnel: OSPF, EIGRP, and RIP. I've used EIGRP at another company I was at, and it does work well over tunnel interfaces. OSPF is big, but harder to set up, IMHO, so I would opt for EIGRP. And of course, RIP has its own drawbacks. :-)
HTH,
John
01-19-2009 10:59 AM
BGP runs over the tunnel; it's just that both routers are using the same AS, so the routes learned over the tunnel are iBGP and are preferred over the eBGP routes learned from the MPLS network.
My issue with EIGRP is that I'm already using EIGRP locally at each site with different AS's. If I was to use the same AS in both sites I believe I would run into the same problem, EIGRP routes learned via the tunnel being preferred to the routes being redistributed from BGP into the local EIGRP AS.
I am still experimenting with different options.
01-19-2009 11:09 AM
BGP runs over the tunnel; it's just that both routers are using the same AS, so the routes learned over the tunnel are iBGP and are preferred over the eBGP routes learned from the MPLS network.
I suggest going with BGP as you initially stated. You can alter the route preference by using the correct BGP attribute.
In your case, the iBGP route is chosen over the eBGP because of the length of the AS_PATH.
If you review the BGP Best Path Selection, WEIGHT and Local_Pref go before the AS_PATH on the route selection, so if you manipulate those attributes, the eBGP/MPLS route will be preferred. Please refer to the documentation:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml
HTH,
__
Edison.
Please rate helpful posts
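The selection order described in the reply above, as an added example that is not part of the original thread: a small Python model of the first tie-breakers in Cisco's best-path order, showing the tunnel iBGP route winning on AS_PATH length by default and the MPLS eBGP route winning once WEIGHT or LOCAL_PREF is raised. The `Path` class, route names and AS numbers are constructed for illustration, and the locally-originated, ORIGIN and MED steps are left out.

```python
from dataclasses import dataclass

@dataclass
class Path:
    name: str
    as_path: tuple          # AS numbers in AS_PATH; empty for a route from the same AS
    ebgp: bool              # True if learned from an eBGP neighbor
    weight: int = 0         # Cisco-specific and local to the router; 0 for learned routes
    local_pref: int = 100   # default LOCAL_PREF

# Subset of the best-path order: each key returns a value where lower is better.
STEPS = [
    ("WEIGHT", lambda p: -p.weight),            # highest weight wins
    ("LOCAL_PREF", lambda p: -p.local_pref),    # highest local preference wins
    ("AS_PATH", lambda p: len(p.as_path)),      # shortest AS_PATH wins
    ("EBGP_OVER_IBGP", lambda p: 0 if p.ebgp else 1),
]

def best_path(paths):
    """Return (winning Path, name of the step that decided it)."""
    candidates = list(paths)
    for step, key in STEPS:
        best = min(key(p) for p in candidates)
        candidates = [p for p in candidates if key(p) == best]
        if len(candidates) == 1:
            return candidates[0], step
    return candidates[0], "TIE"

def scenario(mpls_weight=0, mpls_local_pref=100):
    """Same prefix learned twice: via the provider (eBGP) and via the tunnel (iBGP)."""
    # Constructed values: two AS hops through the provider network.
    mpls = Path("mpls-ebgp", (64512, 64513), ebgp=True,
                weight=mpls_weight, local_pref=mpls_local_pref)
    # Both sites share one AS, so the tunnel peering is iBGP and adds no AS hop.
    tunnel = Path("tunnel-ibgp", (), ebgp=False)
    winner, step = best_path([mpls, tunnel])
    return winner.name, step

if __name__ == "__main__":
    print("defaults:        ", scenario())
    print("local-pref 200:  ", scenario(mpls_local_pref=200))
    print("weight 100:      ", scenario(mpls_weight=100))
```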
01-19-2009 05:30 PM
If possible (i.e. supported by your MPLS vendor), you might also consider using different BGP AS numbers at your sites. Since you're doing eBGP with your MPLS vendor, you could then also do eBGP across the VPN and would only require adjusting AS paths longer across VPN so MPLS would be preferred path. Going with different site BGP ASs might make it easier to add additional sites later.
01-19-2009 05:56 PM
I definitely considered that as an option. In fact in the lab I was able to get it to work using the "local-as" command which allowed me to change the AS on one of the routers (at the central site for example) while spoofing the original AS that the provider is expecting.
router bgp 65002
 neighbor 192.168.1.2 remote-as xxxxx
 neighbor 192.168.1.2 local-as 65001 no-prepend replace-as
Trying to manipulate the iBGP routes the way I want is proving to be rather challenging and seems to require not only weighting of the preferred eBGP routes, but extensive route filtering as well to keep routes from looping all over the place. Not to mention the challenges of redistributing iBGP routes into an IGP.
01-29-2009 01:36 PM
Hi
What do you think of floating static routes?
Cheers
01-30-2009 05:23 PM
Floating static routes were not something I was familiar with until you mentioned them. Certainly seems simple enough. I suppose I would have to redistribute both BGP and the floating statics into the IGP at each site to achieve the desired results.
The only downside I can see would be if later down the road new networks were added to BGP without the corresponding floating statics being added as well.
Thanks for the suggestion.
01-31-2009 10:28 AM
Hi
This will depend on your overall network design.
We use a DMVPN network as the primary network, with most sites connected with a simple RIP setup, and for backup we use ISDN with floating statics. The sites have only one route for LAN and WAN, so the setup is simple. For sites with higher demands we have a second DMVPN network with EIGRP running, and all sites have two WAN routers and redundant LAN routers, so we have load sharing and failover.
The management of the floating statics is not so complicated because from the remote site only one route is needed, and in the datacenter also. Management is done by tools like RME from Cisco or with scripts like RANCID.
For your situation it may be a solution to use MPLS as transport for some kind of VPN and to ignore the provider BGP, or use BGP over the VPN.
It highly depends on what your requirements are.