Can both IPsec tunnels & MPLS be used for redundant site to site traffic?

Hawk
Level 1

We have 4 sites that all connect through private MPLS/BGP. All 4 sites also have a broadband internet connection available, and I am wondering if I can have all site to site traffic use the MPLS connection as a primary but also build IPsec tunnels to be automatically used as a backup if an MPLS circuit goes down? All sites have a Cisco ISR4221 router with just the base license.

Accepted Solutions

Deepak Kumar
VIP Alumni

Hi,

You have a Cisco license issue with your router. As you mentioned, you have only the BASE license, which means the IP Base license.

IPsec is only possible with the SECK9 license. It does not look possible without upgrading the license.

Here is the license guide: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html

Now coming to your point, where you mentioned that you are looking for a backup to MPLS: yes, it is possible to use an IPsec VPN as a backup for MPLS. You can use static floating routes, BGP, etc. You can also use an IGP over a GRE tunnel with IPsec protection.

If you are not too worried about the security of your data, then you can use a GRE tunnel as a backup without upgrading your current license.

Regards,
Deepak Kumar

4 Replies

balaji.bandi
Hall of Fame

Yes, you can use that setup as an alternative backup, with IP SLA.

BB

Based on the fact that you have a site to site tunnel established, there are several ways to achieve automatic redundancy.

1. Weighted static routes: this allows you to use one or a series of static routes that will not be visible within the routing table unless your primary route fails.

If you are using eBGP, your administrative distance will be 20, so your static route to get to a destination of 172.17.1.0/24 via a gateway of 172.16.1.1 would look something like this: ip route 172.17.1.0 255.255.255.0 172.16.1.1 25

25 being the weight of that static route, which is higher than your current eBGP AD of 20.

2. You may also look at implementing BGP or any other IGP, whichever you are most comfortable working with, to establish dynamic fail-over for these locations.

Note: IGPs such as OSPF and EIGRP rely on multicast, so this will be dependent on the type of VPN tunnel you have established.

Feel free to provide config samples if you require more direct assistance.

Cheers

P.Williams

Joseph W. Doherty
Hall of Fame
As the other posters have noted, the answer is yes, and they've also noted there are different ways to accomplish routing across a backup path.

One item I wanted to expand upon was Deepak's suggestion that you might use just an unencrypted GRE tunnel. If you feel that's very insecure, consider your (in transit) data really isn't much more at risk than whatever you send your data across the private MPLS/BGP network. In both cases data is exposed to your carrier(s), but it's difficult for others to access it (more so within an MPLS network). What would be much more of a risk is the router, itself, with an Internet connected interface, perhaps regardless whether the tunnel is encrypted or not.
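
The backup design discussed in this thread, shown as an added IOS-XE configuration sketch for one site (not configuration posted by any participant): a GRE tunnel with IPsec protection over the broadband link, a floating static route with distance 25 that stays out of the routing table while the eBGP route (AD 20) over MPLS is present, and an inbound ACL that limits the Internet-facing interface to the tunnel peer. All addresses (documentation ranges), interface numbers, object names and the key placeholder are assumptions, as is the assumption that the broadband link carries only this backup tunnel; the crypto commands need the SECK9 license named in the accepted answer.

```cisco
! Constructed example: every address, name and interface below is a placeholder.
! Local broadband IP 198.51.100.1, ISP gateway 198.51.100.2, remote peer 203.0.113.2.
crypto ikev2 keyring BACKUP-KR
 peer SITE-B
  address 203.0.113.2
  pre-shared-key <REPLACE-WITH-LONG-RANDOM-KEY>
!
crypto ikev2 profile BACKUP-IKE
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local BACKUP-KR
!
! Transport mode: the GRE header is the only payload, so no second IP header is needed
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile BACKUP-IPSEC
 set transform-set BACKUP-TS
 set ikev2-profile BACKUP-IKE
!
! Only the tunnel peer may reach the Internet-facing interface (IKE, NAT-T, ESP)
ip access-list extended INTERNET-IN
 permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
 permit udp host 203.0.113.2 host 198.51.100.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 198.51.100.1
 deny ip any any log
!
interface GigabitEthernet0/0/1
 description Broadband Internet (backup path only)
 ip address 198.51.100.1 255.255.255.252
 ip access-group INTERNET-IN in
!
interface Tunnel10
 description Backup GRE/IPsec tunnel to Site B
 ip address 10.255.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile BACKUP-IPSEC
!
! Host route so the tunnel endpoint is always reached via broadband, never via MPLS
ip route 203.0.113.2 255.255.255.255 198.51.100.2
!
! Floating static: distance 25 loses to eBGP (20), installs only when the BGP route is withdrawn
ip route 172.17.1.0 255.255.255.0 Tunnel10 10.255.10.2 25
```

Naming both the tunnel interface and the next hop in the floating static keeps the route from resolving recursively through another path when Tunnel10 is down.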