Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
10
Helpful
3
Replies
allalamine
Beginner
Beginner
‎08-02-2018 03:18 AM
‎08-02-2018 03:18 AM

Load-share IPsec traffic over MPLS

Hello,

 

I have an IPsec tunnel going through an MPLS VPN, between two CEs.

 

The IPsec destination is received over 4 links what means that I have 4 active paths to reach the tunnel destination (BGP multipath used)

 

Will the traffic be load shared over the 4 links ? or is it going to be forwarded over one selected path ? in last case, is there any way to load share it ?

 

Thanks all

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
lespejel
Participant
Participant
‎09-12-2018 03:13 PM
‎09-12-2018 03:13 PM

hello @allalamine

 

the short answer, it's not balanced.

 

Load balancing applies usually based on source and destination, sometimes you can add ports or something else to distribute the traffic, however because VPN peers will be sending same source destination packets, the CEF mechanism will always assign same path on one direction (it's same process in the other way).

 

there are mechanisms to distribute traffic, but I don't think it will apply to traffic between a single pair of CE's.

https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_3_S/configuration/guide/3800x3600xscg/swmplsloadbalancing.pdf

 

CCIE 52804

View solution in original post

3 REPLIES 3
lespejel
Participant
Participant
‎09-12-2018 03:13 PM
‎09-12-2018 03:13 PM

hello @allalamine

 

the short answer, it's not balanced.

 

Load balancing applies usually based on source and destination, sometimes you can add ports or something else to distribute the traffic, however because VPN peers will be sending same source destination packets, the CEF mechanism will always assign same path on one direction (it's same process in the other way).

 

there are mechanisms to distribute traffic, but I don't think it will apply to traffic between a single pair of CE's.

https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_3_S/configuration/guide/3800x3600xscg/swmplsloadbalancing.pdf

 

CCIE 52804

View solution in original post

allalamine
Beginner
Beginner
In response to lespejel
‎09-13-2018 04:02 AM
‎09-13-2018 04:02 AM

Many thanks @lespejel.

 

I think the only solution is to use IPsec in transport mode.

We'll expose the end hosts IPs, but that's not a high risk as in this scenario we're running IPsec on top of MPLS network.

0 Helpful
lespejel
Participant
Participant
In response to allalamine
‎09-13-2018 07:43 AM
‎09-13-2018 07:43 AM

you can also user multiple loopbacks for IPSec peers, then balancing will distribute among multiple paths using different source-dest. pairs.

Limitation here is, you cannot establish multiple GRE tunnels in the same VRF between 2 routers, it should use crypto maps or something alike, and then you have to split your traffic among several tunnels, which could happen with PBR and even consider QoS separation, it's a nice experiment to try.

CCIE 52804
Latest Contents
Crosswork Cloud - Crosswork Traffic Analysis - FAQ
Created by Martin Thygesen on 03-24-2021 04:56 AM
0
0
0
0
Crosswork Cloud - Crosswork Traffic Analysis - FAQ Crosswork Cloud - Crosswork Traffic Analysis is a Cloud-hosted Software as a Service platform that provides Netflow based Traffic Analytics. The Crosswork Traffic Analysis platform Traffic Analysis, Peeri... view more
**New Episode** Cisco Champion Radio: S8|E9 Innovations to A...
Created by aalesna on 03-02-2021 08:04 PM
0
0
0
0
Cisco Champion Radio · S8|E9 Innovations to Achieve a Trustworthy Infrastructure How do you know for certain that a router in your network has not been altered with since you deployed it? Wouldn’t it be great if you can cryptographically challenge your r... view more
ASR9XX Rommon Upgrade
Created by mapandey on 02-18-2021 11:00 PM
0
0
0
0
IOS upgrade on asr9xx mandates rommon upgrades sometimes while they can be optional at other times. You may land up in unwanted situation if proper procedure is not followed during upgrades.   This article will include complete details about rommon ... view more
How to make sure to run latest FPD on NCS560
Created by dpacific on 02-08-2021 10:20 AM
0
0
0
0
The Need In some situation NCS560 RP become unresponsive after reload or powercycle. In many NCS560 deployments are in remote location, deployment might be large and human intervention should be kept at minimum Engineering team have been working on a str... view more
BGP Churn Identification on IOS-XR: ASR9000 use-case
Created by Rajat Chauhan on 01-27-2021 05:30 AM
0
0
0
0
In simple terms, 'Route Churn' is defined as the 'rate of change of prefixes'. Different XR versions across 4.x to 7.x have differing behavior & support for the BGP churn handling and some enhancements made from 6.5.3 onwards (listed in appendix) mak... view more
Content for Community-Ad

This widget could not be displayed.