[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Luan Nguyen luan at netcraftsmen.net
Tue Jan 26 22:14:43 EST 2010 

At the remote site, yes, if MPLS goes down, the default route over the IPSEC
tunnel will kick in.  But at HQ, does it know how to get back to the remote
site?  Does it also have a default route out of MPLS or does it have
specific subnets from all remotes?  What then if HQ goes down? Remotes only
has default route out of MPLS so they will continue to look for the way home
that way.
Back when I was at VzB managed services, it's EIGRP over the DMVPN/IPSEC
tunnel backing up BGP MPLS.  Too bad I didn't use Dynagen, else I would just
shoot over to you my dot net file.

-------------------------------------
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
[AIM/YIM/GTalk] luancnc
-------------------------------------


-----Original Message-----
From: Jason LeBlanc [mailto:jasonleblanc at gmail.com] 
Sent: Tuesday, January 26, 2010 7:48 PM
To: Luan Nguyen
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
Internet

Current topology is pretty simple.  AT&T drops an MPLS circuit either PPP
Multilink Bundled T1's or an Ethernet hand off.  On another interface we
generally have an ethernet hand off from another ISP.  We run BGP to move
all the traffic around on one 172.x.x.x/30's and then our LAN is on
10.x.x.x.  We have an outside IP address on another ethernet port which is
the IPSEC termination point.  BGP from our main campus injects a default
route which we receive.  Currently we just manually added static 0.0.0.0
routes out the tunnel interfaces with a metric of 32000.  So when BGP drops
off we will route over the IPSEC VPN Tunnel back home.

Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 --> 
 
ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) -->
10.1.1.1/24
 
ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN
Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24

BGP Provides default route
Static 0.0.0.0 0.0.0.0 Tunel.1 Metric 32000

It is my assumption that if the traffic cant get to its destination because
BGP has lost it our backup link the IPSEC VPN with the higher metric will
become the new default route.


On Jan 26, 2010, at 4:44 PM, Luan Nguyen wrote:

> What's the topology?  One CPE terminating MPLS and IPSEC tunnel? If this
is
> the case, then if at one site MPLS goes down, it starts to use IPSEC
tunnel,
> when packets get to the other side, the default route to MPLS VPN is still
> there so packets will get routed back into the MPLS cloud. You need more
> specific routes advertised so that when MPLS lost, it will withdraw the
> route and IPSEC will kick in.  Just a default won't work unless you'll be
> doing some creative conditional advertising in the BGP or some fancy EEM
> scripting...or maybe using ip sla to withdraw route...which might be a
> little more complicated than need be.
> 
> Even with specific routes, you still have lots of decision to make like
> whether to switch everything to use IPSEC tunnels once just ONE MPLS
> connection goes down or only that site.  Then you have to make sure not
> running into asymmetric routing...etc.
> With GNS3/Dynagen, you could probably test this whole thing out in your
> labtop.
> 
> ---------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> [Web] http://www.netcraftsmen.net
> ---------------------------------------
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason LeBlanc
> Sent: Tuesday, January 26, 2010 4:20 PM
> To: Cisco-nsp
> Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
> 
> Team,
> 
> This questions was put out there before in another chain but I wasn't able
> to figure out the best solution.  We have multiple campuses connecting to
an
> MPLS VPN cloud running BGP internally.  At some locations we have backup
ISP
> services and an IPSec VPN tunnel over that.  Currently BGP provides a
> default route to each campus as external BGP / Pref 40 / Metric 0.  Our
> backup IPSec is in as a Static / Pref 20 / Metric 32000.  When we lose
> BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic between the
> campus and our main datacenter.  What is the best way to achieve this? 
> 
> Thanks,
> 
> //LeBlanc
> 
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
> __________ Information from ESET NOD32 Antivirus, version of virus
signature
> database 4807 (20100126) __________
> 
> The message was checked by ESET NOD32 Antivirus.
> 
> http://www.eset.com
> 
> 
> 


__________ Information from ESET NOD32 Antivirus, version of virus signature
database 4808 (20100126) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

More information about the cisco-nsp mailing list