[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Jason LeBlanc jasonleblanc at gmail.com
Wed Jan 27 17:12:12 EST 2010


Exactly.  This is a secondary form of calling back home if the MPLS link or BGP breaks.  We have static routes at the remote site pointing traffic over the IPsec tunnel if it fails.  If MPLS is lost we want the remote campus to be able to communicate with the main datacenter, which is also where the main MPLS router exists.  We currently have a VPN device at the datacenter that runs OSPF on the home end.

                                              MPLS Router 7200 ------> {AT&T MPLS Cloud} ------>
                                             /                                                 \
Core 6500 --> Distribution Router 6500 --                                                       -- Campus Router Cisco or Juniper SSG
                                             \                                                 /
                                              Site-to-site VPN Juniper ISG-1000 --> {ISP IPsec VPN} -->




On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:

> Jason, are you trying to solve only the remote site problem? Is the main campus receiving specific routes for each remote site through the MPLS VPN cloud?
> 
>> -----Original Message-----
>> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
>> Sent: Wednesday, January 27, 2010 1:48 AM
>> To: Luan Nguyen
>> Cc: 'Cisco-nsp'
>> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
>> Internet
>> 
>> Current topology is pretty simple.  AT&T drops an MPLS circuit, either PPP
>> Multilink bundled T1s or an Ethernet hand-off.  On another interface we
>> generally have an Ethernet hand-off from another ISP.  We run BGP to move
>> all the traffic around on 172.x.x.x/30s, and then our LAN is on
>> 10.x.x.x.  We have an outside IP address on another Ethernet port which is
>> the IPsec termination point.  BGP from our main campus injects a default
>> route which we receive.  Currently we just manually added static 0.0.0.0
>> routes out the tunnel interfaces with a metric of 32000.  So when BGP
>> drops off we will route over the IPsec VPN tunnel back home.
>> 
>> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 -->
>> 
>> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) -->
>> 10.1.1.1/24
>> 
>> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN
>> Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24
>> 
>> BGP provides default route
>> Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000
>> 
>> It is my assumption that if the traffic can't get to its destination
>> because BGP has lost it, our backup link, the IPsec VPN with the higher
>> metric, will become the new default route.
> 
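
The floating-static failover described in the thread, written out as a remote-campus router configuration. This is an added example, not configuration posted by Jason or anyone else on the list, and it assumes Cisco IOS on the remote campus router. Interface names, the HQ IPsec peer address 203.0.113.1, the tunnel subnet 10.255.0.0/30 (kept separate from the 10.1.1.0/24 LAN), the AS numbers and the pre-shared key placeholder are all assumptions; the 172.2.2.x and 200.1.1.x addresses follow the thread. On IOS the last numeric argument of `ip route` is the administrative distance (1-255), not a metric, so the backup default uses 250, which loses to the eBGP default (distance 20) while the BGP session is up and takes over once BGP withdraws it:

```cisco
! Remote campus router, Cisco IOS (hypothetical names and addresses, added example)
!
! AT&T MPLS hand-off: PE is 172.2.2.1/30, we are 172.2.2.2/30 (addresses from the thread)
interface GigabitEthernet0/0
 description AT&T MPLS
 ip address 172.2.2.2 255.255.255.252
!
! Second ISP hand-off that carries the IPsec backup (addresses from the thread)
interface GigabitEthernet0/1
 description ISP-X Internet
 ip address 200.1.1.2 255.255.255.252
!
! Campus LAN
interface GigabitEthernet0/2
 description Remote campus LAN
 ip address 10.1.1.1 255.255.255.0
!
! IKE/IPsec policy for the backup tunnel; 203.0.113.1 is the assumed HQ ISG public address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-REAL-PSK address 203.0.113.1
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS
!
! Routed IPsec VTI; assumed tunnel subnet 10.255.0.0/30, HQ end is 10.255.0.1
interface Tunnel1
 description IPsec VTI to HQ over ISP-X
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile BACKUP-PROF
!
! eBGP to the AT&T PE: the default route normally comes from here (distance 20)
! AS numbers are assumptions
router bgp 65001
 neighbor 172.2.2.1 remote-as 65000
 address-family ipv4
  neighbor 172.2.2.1 activate
  network 10.1.1.0 mask 255.255.255.0
!
! Host route to the IPsec peer via the ISP next hop, so encrypted tunnel packets
! never follow the BGP default into the MPLS cloud and never recurse into Tunnel1
ip route 203.0.113.1 255.255.255.255 200.1.1.1
!
! Only install the backup default while the far end of the tunnel actually answers;
! a VTI can stay line-protocol up with a stale SA, and a probe through the tunnel catches that
ip sla 1
 icmp-echo 10.255.0.1 source-interface Tunnel1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Floating static default with distance 250: hidden while the BGP default (20) is present,
! installed when BGP withdraws it, and removed again if the tunnel probe fails
ip route 0.0.0.0 0.0.0.0 Tunnel1 250 track 1
```

Two things worth checking with `show ip route 0.0.0.0` after a BGP failure: the only default candidate should be the Tunnel1 route, and there should be no plain static default pointing out GigabitEthernet0/1, otherwise campus traffic falls out to the Internet in the clear when both the MPLS path and the tunnel are down. The return path also needs attention, which is the point of Ivan's question above: HQ must still hold a route for 10.1.1.0/24 through the tunnel once the MPLS-learned route disappears, otherwise the remote site sends over IPsec but replies still head into the MPLS cloud.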


