[c-nsp] MPLS/BGP - want to add backup IPSEC VPN

ChrisSerafin chris at chrisserafin.com
Wed Jul 1 12:33:19 EDT 2009


Ivan Pepelnjak wrote:
> If you're the customer (having only CE routers), this is a classic
> primary/backup problem, only this time using BGP as the core routing
> protocol. 
>
> If you're the provider (using MPLS between your BGP routers to offer
> whatever services), you can run MPLS over GRE over IPSec on the backup link
> (just watch for MTU issues). We built a pretty large network using it and
> after the initial kinks it works perfectly.
>
> Ivan
>
> http://www.ioshints.info/about
> http://blog.ioshints.info/
>
>> -----Original Message-----
>> From: Peter Rathlev [mailto:peter at rathlev.dk] 
>> Sent: Tuesday, June 30, 2009 11:51 PM
>> To: ChrisSerafin
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] MPLS/BGP - want to add backup IPSEC VPN
>>
>> On Tue, 2009-06-30 at 14:11 -0500, ChrisSerafin wrote:
>>> I have a few MPLS routers running BGP as the routing protocol.
>>>
>>> I added a public IP'ed interface on a free port on the same router,
>>> and I'm able to get to it and use it for Internet-bound traffic if I
>>> wish. I would like to configure an IPSEC VPN to provide backup if the
>>> MPLS provider fails. I'm having a hard time with Cisco TAC on this,
>>> mainly them getting back to me.
>>>
>>> dumbed-down diagram is at: http://chrisserafin.com/design.jpg
>>>
>>> I just want a basic split tunnel VPN in the event the primary MPLS/BGP
>>> link goes down. I'm assuming let BGP take care of the MPLS side and
>>> add static routes with a very high weight for the VPN failover?
>>
>> And the VPN-link needs to carry MPLS traffic too? MPLSoGRE
>> could be an option, but support is very limited AFAIK.
>>
>> Otherwise some extra equipment doing L2TPv3 might work.
>> Performance limitations might very well rule this out.
>>
>> If MPLS isn't needed a simple GRE tunnel would of course do.
>> You could even create a new tunnel per VRF if you need
>> reachability in several of these. It scales badly concerning
>> administration though.
>>
This sounds like what I'm planning on doing.....GRE for the routing 
protocols....we are on the CE end. If you could, please elaborate on the 
routing that is involved, thanks!
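As an added illustration of the CE-side setup discussed in this thread (GRE over IPsec on the public-IP port, with BGP toward the MPLS provider as primary and a floating static route via the tunnel as backup), here is an example IOS configuration; it is not from any poster and all addresses, AS numbers, interface names and the pre-shared key are placeholders:

```cisco
! Added example, not from the thread. Assumes IOS with tunnel protection
! support; placeholder addressing: this CE is 10.1.0.0/16, remote CE is
! 10.2.0.0/16, remote public IP 198.51.100.2, provider PE 192.0.2.1.
!
! IKEv1 policy and pre-shared key for the backup peer
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 198.51.100.2
!
! Transport mode: IPsec protects the GRE packets, GRE carries routing/data
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS
!
! GRE tunnel sourced from the public-IP port. Keepalives bring the tunnel
! line protocol down when the far end is unreachable, so the floating
! static below is withdrawn instead of blackholing traffic.
! MTU/MSS reduced for the GRE+ESP overhead Ivan warned about.
interface Tunnel0
 description Backup GRE-over-IPsec to remote CE
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile BACKUP-PROF
!
! Primary: eBGP to the MPLS provider (admin distance 20) installs 10.2.0.0/16
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 network 10.1.0.0 mask 255.255.0.0
!
! Backup: floating static with admin distance 250 loses to the BGP route
! while it exists and takes over only when BGP withdraws it. Only the
! remote site prefix points into the tunnel, so Internet traffic keeps
! using the public interface (the "split tunnel" behaviour asked for).
ip route 10.2.0.0 255.255.0.0 Tunnel0 250
```

If several VRFs need reachability, the per-VRF variant Peter mentions is one Tunnel interface per VRF with `ip vrf forwarding <name>` on it and the same floating-static pattern inside that VRF.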

