[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Ivan Pepelnjak ivan.pepelnjak at zaplana.net
Wed Jan 27 01:53:50 EST 2010


* Configure EBGP sessions over IPSec between remote sites and central site.
* On remote sites use EEM to detect MPLS VPN EBGP neighbor loss (either default route is gone or you might rely on SNMP traps)
* When the MPLS VPN EBGP neighbor is down, enable IPSec tunnel. Only then will the EBGP session be established and you'll get more specific routes over IPSec.

This will ensure that the IPSec tunnel on remote sites is operational only when the connectivity with the MPLS VPN cloud is gone and so the central site uses default route into MPLS VPN cloud unless it has a more specific one over IPSec due to failure at one of the remote sites.

Note: You might want to use something else to detect MPLS VPN failure, for example IP SLA between remote router and central router. This will detect a failure anywhere in the end-to-end path.

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info
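The three steps above as a remote-site IOS configuration. This is an added example written for this thread, not Ivan's or the poster's config: every address, AS number, interface and object number is assumed, the IPsec profile VTI-PROF is assumed to exist, and the probe follows Ivan's IP SLA note rather than watching the default route.

```cisco
! Remote-site router. Added example for this thread, not the poster's config;
! addresses, AS numbers and object numbers are assumed, as is an existing
! IPsec profile VTI-PROF. 198.51.100.1 is the backup ISP next hop.
ip route 203.0.113.1 255.255.255.255 198.51.100.1
! Probe the central router (Ivan's IP SLA suggestion). The host route pins the
! probe to the MPLS VPN PE (172.16.1.1) so it cannot succeed over the IPsec
! tunnel once that comes up, which would otherwise make the tunnel flap.
ip route 10.255.0.1 255.255.255.255 172.16.1.1
ip sla 1
 icmp-echo 10.255.0.1 source-interface Loopback0
 frequency 10
ip sla schedule 1 life forever start-time now
! Track the probe; the delays stop a single lost echo from toggling the tunnel.
track 10 ip sla 1 reachability
 delay down 30 up 60
! IPsec VTI to the central site, shut while the MPLS VPN path works, so the
! EBGP session over it stays down and no more specific routes reach HQ.
interface Tunnel0
 ip address 192.168.100.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
 shutdown
! EBGP to the MPLS VPN PE (sends the default) and to the central router
! at the far end of Tunnel0 (comes up only while the tunnel is enabled).
router bgp 65001
 neighbor 172.16.1.1 remote-as 65000
 neighbor 192.168.100.1 remote-as 65100
 network 10.10.0.0 mask 255.255.0.0
! Bring the tunnel up only when the MPLS VPN path has failed ...
event manager applet MPLS-VPN-DOWN
 event track 10 state down
 action 1.0 syslog msg "MPLS VPN path down, enabling IPsec tunnel"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Tunnel0"
 action 5.0 cli command "no shutdown"
 action 6.0 cli command "end"
! ... and shut it again once the path has been back for 60 s, so the central
! site returns to its default route into the MPLS VPN cloud.
event manager applet MPLS-VPN-UP
 event track 10 state up
 action 1.0 syslog msg "MPLS VPN path restored, disabling IPsec tunnel"
 action 2.0 cli command "enable"
 action 3.0 cli command "configure terminal"
 action 4.0 cli command "interface Tunnel0"
 action 5.0 cli command "shutdown"
 action 6.0 cli command "end"
```

The central site needs only its own EBGP neighbor on the matching VTI plus a default route into the MPLS VPN cloud; the site prefix learned over the tunnel is more specific and wins only while the remote site has enabled it.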

> -----Original Message-----
> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> Sent: Tuesday, January 26, 2010 10:20 PM
> To: Cisco-nsp
> Subject: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet
> 
> Team,
> 
> This question was put out there before in another chain but I wasn't able
> to figure out the best solution.  We have multiple campuses connecting to
> an MPLS VPN cloud running BGP internally.  At some locations we have
> backup ISP services and an IPSec VPN tunnel over that.  Currently BGP
> provides a default route to each campus as external BGP / Pref 40 / Metric
> 0.  Our backup IPSec is in as a Static / Pref 20 / Metric 32000.  When we
> lose BGP/MPLS VPN we want the IPSec tunnel to begin routing traffic
> between the campus and our main datacenter.  What is the best way to
> achieve this?
> 
> Thanks,
> 
> //LeBlanc