Load-share IPsec traffic over MPLS

allalamine
Level 1

Hello,

I have an IPsec tunnel going through an MPLS VPN, between two CEs.

The IPsec destination is received over 4 links, which means that I have 4 active paths to reach the tunnel destination (BGP multipath is used).

Will the traffic be load-shared over the 4 links, or is it going to be forwarded over one selected path? In the latter case, is there any way to load-share it?

Thanks all

Accepted Solution

lespejel
Level 3

Hello @allalamine,

The short answer: it's not balanced.

Load balancing is usually based on source and destination; sometimes you can add ports or something else to distribute the traffic. However, because the VPN peers will be sending packets with the same source and destination, the CEF mechanism will always assign the same path in one direction (it's the same process the other way).

There are mechanisms to distribute traffic, but I don't think they will apply to traffic between a single pair of CEs.

https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_3_S/configuration/guide/3800x3600xscg/swmplsloadbalancing.pdf

 

CCIE 52804

3 Replies


Many thanks @lespejel.

I think the only solution is to use IPsec in transport mode.

We'll expose the end hosts' IPs, but that's not a high risk, as in this scenario we're running IPsec on top of an MPLS network.

You can also use multiple loopbacks for the IPsec peers; then balancing will distribute the traffic among multiple paths using different source/destination pairs.

The limitation here is that you cannot establish multiple GRE tunnels in the same VRF between 2 routers; it should use crypto maps or something similar, and then you have to split your traffic among several tunnels, which could be done with PBR, and you could even consider QoS separation. It's a nice experiment to try.

CCIE 52804
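To make the per-flow behaviour described in the accepted answer and the multiple-loopback workaround above concrete, here is an added simulation (not code from the thread or from Cisco). It uses a toy hash that is an assumption standing in for CEF's real algorithm, keeping only the property that matters: the same outer source/destination pair always maps to the same one of the four BGP multipath routes, and ESP carries no L4 ports for a port-based hash to use. The addresses are constructed RFC 5737 documentation addresses.

```python
import ipaddress
from collections import Counter

NUM_PATHS = 4  # the four BGP multipath routes in the question


def flow_path(src: str, dst: str, sport: int = 0, dport: int = 0) -> int:
    """Toy per-flow hash standing in for CEF's load-balancing decision.

    Constructed model, NOT Cisco's real CEF hash: it only reproduces the
    property that matters here, that a given (src, dst[, ports]) tuple is
    always mapped to the same one of NUM_PATHS paths.
    """
    key = int(ipaddress.ip_address(src)) ^ int(ipaddress.ip_address(dst))
    key ^= (sport << 16) | dport  # ESP has no L4 ports, so this stays 0
    return key % NUM_PATHS


def esp_distribution(peer_pairs, packets_per_pair: int = 1000) -> Counter:
    """Count how many ESP packets land on each path for the given peer pairs."""
    counts = Counter()
    for src, dst in peer_pairs:
        # Every ESP packet of a tunnel carries the same outer src/dst, so the
        # whole tunnel hashes to a single path regardless of packet count.
        counts[flow_path(src, dst)] += packets_per_pair
    return counts


def paths_used(peer_pairs, packets_per_pair: int = 1000) -> int:
    """Number of distinct paths that carry any ESP traffic."""
    return len(esp_distribution(peer_pairs, packets_per_pair))


# Scenario 1: one IPsec peer pair (constructed RFC 5737 documentation addresses)
SINGLE_PAIR = [("192.0.2.1", "198.51.100.1")]

# Scenario 2: the "multiple loopbacks" idea, four loopback pairs between the CEs
MULTI_LOOPBACK = [
    ("192.0.2.1", "198.51.100.10"),
    ("192.0.2.2", "198.51.100.20"),
    ("192.0.2.3", "198.51.100.30"),
    ("192.0.2.4", "198.51.100.40"),
]

if __name__ == "__main__":
    print("single peer pair   :", dict(esp_distribution(SINGLE_PAIR)))
    print("four loopback pairs:", dict(esp_distribution(MULTI_LOOPBACK)))
```

With one peer pair all 1000 packets sit on a single path; with four loopback pairs each pair gets its own path, which is the effect the loopback suggestion relies on (the spread depends on the real hash, so verify it on the actual platform).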