[c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over Internet

Kenny Sallee kenny.sallee at gmail.com
Thu Jan 28 01:59:23 EST 2010


Why not an IGP on the backup link, BGP over MPLS, and eBGP peer from your
'MPLS' router to your core network? All of your MPLS routes will be eBGP w/
an admin distance of 20, and depending on what IGP you choose it'll have a
higher admin distance. In normal ops BGP routes are preferred. If MPLS goes
away the IGP route will be there.

I have something like this set up in a lab and planned for production soon.
Works great.

Or - if you can't run BGP on your core (code versions don't support BGP for
example) - run BGP over MPLS and GRE only. Redistro BGP into whatever IGP
and tweak the metrics on redistro so the backup link looks worse. If EIGRP,
tweak the seed metrics. If OSPF, you can use a route-map to set the OSPF
route type to E1 for primary and E2 for backup. I wouldn't do mutual
redistro - use network statements in BGP to originate your routes over MPLS
and GRE. Makes it a little easier / less error prone methinks.

Kenny
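
As an added example (not configuration from the thread or from Kenny's lab), here is how the second approach could look on a site with two Cisco IOS routers, one facing the MPLS PE and one terminating a GRE tunnel over the IPsec VPN. The AS numbers, the 10.254.0.0/30 tunnel addressing, the 203.0.113.1 HQ endpoint and the prefix-list contents are assumptions; the LAN and WAN addresses follow the thread. It goes one step beyond Kenny's note by raising the backup router's eBGP distance above OSPF's 110, so that router also prefers the MPLS path while it is up and only redistributes its own BGP route when the E1 copy disappears.

```cisco
! ----- RTR-MPLS (primary site router) -----
router bgp 65010
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0      ! originate the LAN; no IGP->BGP redistribution
 neighbor 172.2.2.1 remote-as 65000       ! AT&T PE; provider AS number is assumed
!
ip prefix-list CORP-VIA-BGP seq 10 permit 10.0.0.0/8 le 24   ! only corporate space (assumed)
!
route-map BGP-TO-OSPF-PRIMARY permit 10
 match ip address prefix-list CORP-VIA-BGP
 set metric 100
 set metric-type type-1                   ! E1: OSPF prefers E1 over E2 regardless of metric
!
router ospf 1
 router-id 10.255.0.1
 redistribute bgp 65010 subnets route-map BGP-TO-OSPF-PRIMARY
 network 10.1.1.0 0.0.0.255 area 0
!
! ----- RTR-GRE (backup site router) -----
interface Tunnel1
 description GRE to HQ, carried inside the ISP IPsec VPN
 ip address 10.254.0.2 255.255.255.252    ! constructed tunnel /30
 tunnel source 200.1.1.2
 tunnel destination 203.0.113.1           ! HQ public endpoint (documentation address)
!
router bgp 65010
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 neighbor 10.254.0.1 remote-as 65001      ! HQ router across the tunnel; AS assumed
 distance bgp 120 200 200                 ! eBGP AD 120 > OSPF 110: while RTR-MPLS's E1 exists it
                                          ! wins this RIB too, so nothing is redistributed here
!
ip prefix-list CORP-VIA-BGP seq 10 permit 10.0.0.0/8 le 24
!
route-map BGP-TO-OSPF-BACKUP permit 10
 match ip address prefix-list CORP-VIA-BGP
 set metric 1000
 set metric-type type-2                   ! E2: installed only while no E1 copy is in OSPF
!
router ospf 1
 router-id 10.255.0.2
 redistribute bgp 65010 subnets route-map BGP-TO-OSPF-BACKUP
 network 10.1.1.0 0.0.0.255 area 0
```

With only a default route coming from HQ, `redistribute` will not carry 0.0.0.0/0 into OSPF; the same E1/E2 split would then be done with `default-information originate` and its `metric-type` keyword instead.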

On Wed, Jan 27, 2010 at 10:27 PM, Ivan Pepelnjak <ip at ioshints.info> wrote:

> OK, it looks like I've over-engineered the solution ;)
>
> The best solution (if you can make it work) would be to run BGP over the
> backup links and use BGP attributes to make backup links a less desirable
> BGP path.
>
> Running OSPF on backup links and BGP on MPLS VPN can be made to work ...
> barely. I did a workshop once using almost exactly the same network. Each
> site was fully redundant with two routers, one connected to Internet, the
> other one to MPLS VPN network. I was able to make it work after a lot of
> tweaking and two-way redistribution, but I'm not sure anyone in the audience
> got all the details ;)
>
> Your situation might be easier as you're using default routing from the
> central site, but do try to go for "BGP everywhere".
>
> Ivan Pepelnjak
> blog.ioshints.info / www.ioshints.info
>
>
> > -----Original Message-----
> > From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> > Sent: Wednesday, January 27, 2010 11:12 PM
> > To: Ivan Pepelnjak
> > Cc: 'Luan Nguyen'; 'Cisco-nsp'
> > Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
> > Internet
> >
> > Exactly.  This is a secondary form of calling back home if the MPLS Link
> > or BGP breaks.  We have static routes at the remote site pointing traffic
> > over the IPSEC tunnel if it fails.  If MPLS is lost we want the remote
> > campus to be able to communicate with the main datacenter which is also
> > where the main MPLS router exists.  We currently have a VPN device at the
> > Datacenter that runs OSPF on the home end.
> >
> >
> >
> > MPLS Router 7200 -----------------------> {AT&T MPLS Cloud} -->
> >                 /
> >                \
> > Core 6500 --> Distribution Router 6500 -- Campus Router Cisco or Juniper SSG
> >                \
> >                 /
> > Site to site VPN Juniper ISG-1000 --> {ISP IPSEC VPN}-------->
> >
> > On Jan 27, 2010, at 11:22 AM, Ivan Pepelnjak wrote:
> >
> > > Jason, are you trying to solve only the remote site problem? Is the main
> > > campus receiving specific routes for each remote site through the MPLS
> > > VPN cloud?
> > >
> > >> -----Original Message-----
> > >> From: Jason LeBlanc [mailto:jasonleblanc at gmail.com]
> > >> Sent: Wednesday, January 27, 2010 1:48 AM
> > >> To: Luan Nguyen
> > >> Cc: 'Cisco-nsp'
> > >> Subject: Re: [c-nsp] MPLS VPN Running BGP w/ failover IPSec VPN Over
> > >> Internet
> > >>
> > >> Current topology is pretty simple.  AT&T drops an MPLS circuit either
> > >> PPP Multilink Bundled T1's or an Ethernet hand off.  On another
> > >> interface we generally have an ethernet hand off from another ISP.  We
> > >> run BGP to move all the traffic around on one 172.x.x.x/30's and then
> > >> our LAN is on 10.x.x.x.  We have an outside IP address on another
> > >> ethernet port which is the IPSEC termination point.  BGP from our main
> > >> campus injects a default route which we receive.  Currently we just
> > >> manually added static 0.0.0.0 routes out the tunnel interfaces with a
> > >> metric of 32000.  So when BGP drops off we will route over the IPSEC
> > >> VPN Tunnel back home.
> > >>
> > >> Headquarters 172.1.1.1/30 --> ATTMPLS 172.1.1.2/30 -->
> > >>
> > >> ATTMPLS 172.2.2.1/30 --> Remote Campus 172.2.2.2/30 (running BGP) -->
> > >> 10.1.1.1/24
> > >>
> > >> ISP-X Ethernet 200.1.1.1/30 --> Remote Campus 200.1.1.2/30 --> IPSEC
> > >> VPN Tunnel.1 10.1.1.20/24 --> Headquarters Tunnel.1 10.1.1.21/24
> > >>
> > >> BGP Provides default route
> > >> Static 0.0.0.0 0.0.0.0 Tunnel.1 Metric 32000
> > >>
> > >> It is my assumption that if the traffic can't get to its destination
> > >> because BGP has lost it, our backup link, the IPSEC VPN with the higher
> > >> metric, will become the new default route.
> > >
>
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>