[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Ivan Pepelnjak ip at ioshints.info
Thu Jan 28 01:27:25 EST 2010


OK, it looks like I've over-engineered the solution ;)

The best solution (if you can make it work) would be to run BGP over the backup links and use BGP attributes to make backup links a less desirable BGP path.

Running OSPF on backup links and BGP on MPLS VPN can be made to work ... barely. I did a workshop once using almost exactly the same network. Each site was fully redundant with two routers, one connected to Internet, the other one to MPLS VPN network. I was able to make it work after a lot of tweaking and two-way redistribution, but I'm not sure anyone in the audience got all the details ;) 

Your situation might be easier as you're using default routing from the central site, but do try to go for "BGP everywhere".

Ivan Pepelnjak
blog.ioshints.info / www.ioshints.info

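One way to build the "BGP everywhere" design Ivan recommends, as an added illustration rather than anything posted in the thread: a remote-campus IOS configuration that peers with HQ across the IPsec tunnel as well as with the MPLS PE, and uses local-preference (inbound) and AS-path prepending (outbound) so the tunnel path is only chosen once the MPLS path is withdrawn. The ASNs, the HQ public address and the tunnel /30 are assumed values (documentation ranges); only the PE/CE addresses come from the thread.

```cisco
! Added example, not the poster's configuration. Remote campus router.
! Assumed: local AS 65001, HQ AS 65000, provider PE AS 65100,
! HQ public IP 203.0.113.1, tunnel /30 10.255.0.0/30 (all constructed).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-PSK address 203.0.113.1
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
crypto ipsec profile IPSEC-HQ
 set transform-set TS-AES
!
! Route-based IPsec VTI toward HQ; BGP runs across it like any other link.
interface Tunnel1
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/2
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-HQ
!
! Inbound: routes learned over MPLS win on local-preference (200 > 100).
route-map FROM-MPLS permit 10
 set local-preference 200
route-map FROM-TUNNEL permit 10
 set local-preference 100
! Outbound over the tunnel: prepend so HQ also prefers the MPLS path back.
route-map TO-TUNNEL permit 10
 set as-path prepend 65001 65001 65001
!
router bgp 65001
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 neighbor 172.2.2.1 remote-as 65100
 neighbor 172.2.2.1 description MPLS PE (CE/PE addresses from the thread)
 neighbor 172.2.2.1 password REPLACE-WITH-MPLS-KEY
 neighbor 172.2.2.1 route-map FROM-MPLS in
 neighbor 10.255.0.1 remote-as 65000
 neighbor 10.255.0.1 description HQ over IPsec VTI
 neighbor 10.255.0.1 password REPLACE-WITH-TUNNEL-KEY
 neighbor 10.255.0.1 ttl-security hops 1
 neighbor 10.255.0.1 route-map FROM-TUNNEL in
 neighbor 10.255.0.1 route-map TO-TUNNEL out
```

With both sessions up, `show ip bgp 0.0.0.0` should show the PE-learned default as best and the tunnel-learned one as the backup; when the MPLS session drops, that path is withdrawn and the tunnel path becomes best without the floating static route.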

> -----Original Message-----
> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> Sent: Wednesday, January 27, 2010 11:12 PM
> To: Ivan Pepelnjak
> Cc: 'Luan Nguyen'; 'Cisco-nsp'
> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
> Internet
> 
> Exactly.  This is a secondary form of calling back home if the MPLS Link
> or BGP breaks.  We have static routes at the remote site pointing traffic
> over the IPSEC tunnel if it fails.  If MPLS is lost we want the remote
> campus to be able to communicate with the main datacenter which is also
> where the main MPLS router exists.  We currently have a VPN device at the
> Datacenter that runs OSPF on the home end.
> 
> 
> 
> MPLS Router 7200----------------------->  {AT&T MPLS Cloud} -->
> 
> /
> \
> Core 6500 --> Distribution Router 6500 --
> -- Campus Router Cisco or Juniper SSG
> 
> \
> /
> 
> Site to site VPN Juniper ISG-1000 --> {ISP IPSEC VPN}-------->
> 
> 
> 
> 
> On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:
> 
> > Jason, are you trying to solve only the remote site problem? Is the main
> > campus receiving specific routes for each remote site through the MPLS VPN
> > cloud?
> >
> >> -----Original Message-----
> >> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> >> Sent: Wednesday, January 27, 2010 1:48 AM
> >> To: Luan Nguyen
> >> Cc: 'Cisco-nsp'
> >> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
> >> Internet
> >>
> >> Current topology is pretty simple.  AT&T drops an MPLS circuit either PPP
> >> Multilink Bundled T1's or an Ethernet hand off.  On another interface we
> >> generally have an ethernet hand off from another ISP.  We run BGP to move
> >> all the traffic around on one 172.x.x.x/30's and then our LAN is on
> >> 10.x.x.x.  We have an outside IP address on another ethernet port which is
> >> the IPSEC termination point.  BGP from our main campus injects a default
> >> route which we receive.  Currently we just manually added static 0.0.0.0
> >> routes out the tunnel interfaces with a metric of 32000.  So when BGP
> >> drops off we will route over the IPSEC VPN Tunnel back home.
> >>
> >> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 -->
> >>
> >> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) -->
> >> 10.1.1.1/24
> >>
> >> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC VPN
> >> Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24
> >>
> >> BGP Provides default route
> >> Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000
> >>
> >> It is my assumption that if the traffic can't get to its destination
> >> because BGP has lost it, our backup link, the IPSEC VPN with the higher
> >> metric, will become the new default route.
> >
