[c-nsp] MPLS/BGP - want to add backup IPSEC VPN

tkacprzynski at SpencerStuart.com tkacprzynski at SpencerStuart.com
Wed Jul 1 11:34:07 EDT 2009


Peter
If you are the customer and have multiple sites, then I would suggest
you look at Dynamic Multipoint VPN (DMVPN). With DMVPN you can have each
branch site create a tunnel dynamically when it needs to send traffic to
the other sites in case of the MPLS link failure. DMVPN only works on
routers, not firewalls, as far as I know. With Phase 3 of DMVPN your
failover to the backup network would work with normal routing protocols
like EIGRP, changing a route.

Let me know if that's something you are looking for (I could give you
more info on that). Here are some links I gathered over time for
DMVPN:
http://delicious.com/search?context=userposts&p=dmvpn&lc=1&u=tomek0001

Tom


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivan Pepelnjak
Sent: Wednesday, July 01, 2009 12:36 AM
To: 'Peter Rathlev'; 'ChrisSerafin'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN

If you're the customer (having only CE routers), this is a classic
primary/backup problem, only this time using BGP as the core routing
protocol. 

If you're the provider (using MPLS between your BGP routers to offer
whatever services), you can run MPLS over GRE over IPSec on the backup
link (just watch for MTU issues). We built a pretty large network using
it and after the initial kinks it works perfectly.

Ivan
 
http://www.ioshints.info/about
http://blog.ioshints.info/

> -----Original Message-----
> From: Peter Rathlev [mailto:peter at rathlev.dk] 
> Sent: Tuesday, June 30, 2009 11:51 PM
> To: ChrisSerafin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
> 
> On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote:
> > I have a few MPLS routers running BGP as the routing protocol.
> > 
> > I added a public IP'ed interface on a free port on the same router,
> > and I'm able to get to it and use it for Internet bound traffic if I
> > wish. I would like to configure an IPSEC VPN to provide backup if the
> > MPLS provider fails. I'm having a hard time with Cisco TAC on this,
> > mainly them getting back to me.
> > 
> > dumb'ed down diagram is at: http://chrisserafin.com/design.jpg
> > 
> > I just want a basic split tunnel VPN in the event the primary MPLS/BGP
> > link goes down. I'm assuming let BGP take care of the MPLS side and
> > add static routes with a very high weight for the VPN failover?
> 
> And the VPN-link needs to carry MPLS traffic too? MPLSoGRE could be an
> option, but support is very limited AFAIK.
>
> Otherwise some extra equipment doing L2TPv3 might work. Performance
> limitations might very well rule this out.
>
> If MPLS isn't needed a simple GRE tunnel would of course do. You could
> even create a new tunnel per VRF if you need reachability in several of
> these. It scales badly concerning administration though.
> 
> 
> Regards,
> Peter