cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
736
Views
10
Helpful
3
Replies
allalamine
Beginner

Load-share IPsec traffic over MPLS

Hello,

 

I have an IPsec tunnel going through an MPLS VPN, between two CEs.

 

The IPsec destination is received over 4 links what means that I have 4 active paths to reach the tunnel destination (BGP multipath used)

 

Will the traffic be load shared over the 4 links ? or is it going to be forwarded over one selected path ? in last case, is there any way to load share it ?

 

Thanks all

1 ACCEPTED SOLUTION

Accepted Solutions
lespejel
Participant

hello @allalamine

 

the short answer, it's not balanced.

 

Load balancing applies usually based on source and destination, sometimes you can add ports or something else to distribute the traffic, however because VPN peers will be sending same source destination packets, the CEF mechanism will always assign same path on one direction (it's same process in the other way).

 

there are mechanisms to distribute traffic, but I don't think it will apply to traffic between a single pair of CE's.

https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_3_S/configuration/guide/3800x3600xscg/swmplsloadbalancing.pdf

 

CCIE 52804

View solution in original post

3 REPLIES 3
lespejel
Participant

hello @allalamine

 

the short answer, it's not balanced.

 

Load balancing applies usually based on source and destination, sometimes you can add ports or something else to distribute the traffic, however because VPN peers will be sending same source destination packets, the CEF mechanism will always assign same path on one direction (it's same process in the other way).

 

there are mechanisms to distribute traffic, but I don't think it will apply to traffic between a single pair of CE's.

https://www.cisco.com/c/en/us/td/docs/switches/metro/me3600x_3800x/software/release/15-3_3_S/configuration/guide/3800x3600xscg/swmplsloadbalancing.pdf

 

CCIE 52804

View solution in original post

Many thanks @lespejel.

 

I think the only solution is to use IPsec in transport mode.

We'll expose the end hosts IPs, but that's not a high risk as in this scenario we're running IPsec on top of MPLS network.

you can also user multiple loopbacks for IPSec peers, then balancing will distribute among multiple paths using different source-dest. pairs.

Limitation here is, you cannot establish multiple GRE tunnels in the same VRF between 2 routers, it should use crypto maps or something alike, and then you have to split your traffic among several tunnels, which could happen with PBR and even consider QoS separation, it's a nice experiment to try.

CCIE 52804
Content for Community-Ad

This widget could not be displayed.