[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Gert Doering gert at greenie.muc.de
Wed Jan 27 05:27:26 EST 2010


Hi,

On Wed, Jan 27, 2010 at 07:53:50AM +0100, Ivan Pepelnjak wrote:
> * Configure EBGP sessions over IPSec between remote sites and central site.
> * On remote sites use EEM to detect MPLS VPN EBGP neighbor loss (either default route is gone or you might rely on SNMP traps)
> * When the MPLS VPN EBGP neighbor is down, enable IPSec tunnel. Only then will the EBGP session be established and you'll get more specific routes over IPSec.

> This will ensure that the IPSec tunnel on remote sites is operational only when the connectivity with the MPLS VPN cloud is gone and so the central site uses default route into MPLS VPN cloud unless it has a more specific one over IPSec due to failure at one of the remote sites.

The drawback of this is that you are not going to notice if the IPSEC
tunnel is broken unless you need it, in which case it's too late.

This is why I suggested making this much simpler - treat all links,
IPSEC and MPLS, as "AS internal" links, run an IGP over them, and let
the protocols that are built to do this handle end-to-end keepalive and
failover.  One can do this with BGP, of course, but it tends to be less
convenient/helpful in these scenarios.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
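As an added example (not part of Gert's message or anything else posted in this thread), the following Cisco IOS fragment sketches the "run an IGP over all links" approach for one remote-site CE: a static IPsec VTI to the central site that stays up permanently, with ISAKMP dead-peer detection and short OSPF timers so a broken tunnel is noticed while the MPLS path is still healthy, and OSPF costs that keep the MPLS link preferred while it is up. All addresses (RFC 5737 / RFC 1918), interface and profile names and the PSK placeholder are hypothetical. It assumes the PE-CE link already participates in the same OSPF process (how the provider carries that across the MPLS VPN is provider-specific and not shown), and that the central site mirrors the tunnel configuration.

```cisco
! Remote-site CE, example configuration (not from the thread).
! Addresses and names are made up; replace before use.
!
! Phase 1 with periodic DPD: a dead peer is detected even when the
! tunnel carries no user traffic, which is exactly the case while the
! MPLS path is healthy.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.1
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-VTI
 set transform-set TS-AES-SHA
!
! Static VTI to the central site. It is always up and always exchanges
! OSPF hellos, so a broken tunnel shows up as a lost OSPF neighbor
! long before the MPLS path fails. The high cost keeps it as backup.
interface Tunnel0
 description Backup path to central site over Internet
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf hello-interval 1
 ip ospf dead-interval 3
 ip ospf cost 5000
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-VTI
!
! Internet-facing interface carrying the tunnel.
interface GigabitEthernet0/0
 description Internet uplink
 ip address 198.51.100.2 255.255.255.252
!
! MPLS VPN PE-CE link: the preferred path while the OSPF adjacency to
! the PE (assumed here) is up.
interface GigabitEthernet0/1
 description MPLS VPN PE-CE link
 ip address 192.0.2.2 255.255.255.252
 ip ospf cost 100
!
router ospf 1
 router-id 10.255.255.2
 passive-interface default
 no passive-interface Tunnel0
 no passive-interface GigabitEthernet0/1
 network 10.0.0.0 0.255.255.255 area 0
 network 192.0.2.0 0.0.0.255 area 0
```

With this in place, the health of the backup path can be checked at any time with `show crypto isakmp sa` and `show ip ospf neighbor` on Tunnel0, instead of only being discovered when the MPLS side has already gone away; failover is then nothing more than OSPF reconverging onto the higher-cost tunnel path, with no EEM trigger involved.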