[c-nsp] MPLS/BGP - want to add backup IPSEC VPN

Ivan Pepelnjak ip at ioshints.info
Wed Jul 1 01:35:51 EDT 2009


If you're the customer (having only CE routers), this is a classic
primary/backup problem, only this time using BGP as the core routing
protocol. 

If you're the provider (using MPLS between your BGP routers to offer
whatever services), you can run MPLS over GRE over IPSec on the backup link
(just watch for MTU issues). We built a pretty large network using it and
after the initial kinks it works perfectly.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Peter Rathlev [mailto:peter at rathlev.dk] 
> Sent: Tuesday, June 30, 2009 11:51 PM
> To: ChrisSerafin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
> 
> On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote:
> > I have a few MPLS routers running BGP as the routing protocol.
> > 
> > I added a public IP'ed interface on a free port on the same router,
> > and I'm able to get to it and use it for Internet bound traffic if I
> > wish. I would like to configure an IPSEC VPN to provide backup if the
> > MPLS provider fails. I'm having a hard time with Cisco TAC on this, 
> > mainly them getting back to me.
> > 
> > Dumbed-down diagram is at: http://chrisserafin.com/design.jpg
> > 
> > I just want a basic split tunnel VPN in the event the primary MPLS/BGP
> > link goes down. I'm assuming let BGP take care of the MPLS side and 
> > add static routes with a very high weight for the VPN failover?
> 
> And the VPN-link needs to carry MPLS traffic too? MPLSoGRE 
> could be an option, but support is very limited AFAIK.
> 
> Otherwise some extra equipment doing L2TPv3 might work. 
> Performance limitations might very well rule this out.
> 
> If MPLS isn't needed a simple GRE tunnel would of course do. 
> You could even create a new tunnel per VRF if you need 
> reachability in several of these. It scales badly concerning
> administration though.
> 
> 
> Regards,
> Peter