01-09-2019 12:47 PM
We have 4 sites that all connect through private MPLS/BGP. All 4 sites also have a broadband internet connection available & I am wondering if I can have all site to site traffic use the MPLS connection as a primary but also build IPsec tunnels to be automatically used as a backup if an MPLS circuit goes down? All sites have a Cisco ISR4221 router with just the base license.
01-09-2019 09:31 PM
Hi,
You have a Cisco license issue with your router. As you mentioned, you have only the BASE license, which means the IP Base license.
IPsec will only be possible with the SECK9 license. It does not look possible without upgrading the license.
Here is the License guide: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html
Now, coming to your point about looking for a backup for MPLS: yes, it is possible to use an IPsec VPN as a backup for MPLS. You can use static floating routing, BGP, etc. You can also use an IGP with a GRE tunnel with IPsec protection.
If you are not much worried about the security of your data, then you can use a GRE tunnel as a backup without upgrading your current license.
Regards,
Deepak Kumar
01-09-2019 12:51 PM
Yes, you can use that setup as an alternative backup, with IP SLA.
01-09-2019 01:12 PM
Based on the fact that you have a site to site tunnel established, there are several ways to achieve automatic redundancy.
1. Weighted static routes: this allows you to use one or a series of static routes that will not be visible within the routing table unless your primary route fails.
If you are using eBGP your Administrative distance will be 20, so your static route to get to a destination of 172.17.1.0/24 via a gateway of 172.16.1.1 would look something like this: ip route 172.17.1.0 255.255.255.0 172.16.1.1 25
25 being the weight of that static route, which is higher than your current eBGP AD of 20.
2. You may also look at implementing BGP or any other IGP, whichever you are most comfortable working with, to establish dynamic fail-over for these locations.
Note: IGPs such as OSPF and EIGRP rely on multicast, so this will be dependent on the type of VPN tunnel you have established.
Feel free to provide config samples if you require more direct assistance.
Cheers
****Rate This Post Once it Is Helpful****
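The backup path discussed in this thread (a GRE tunnel with IPsec protection over the broadband link, plus a floating static route with a distance of 25 that stays out of the routing table while the eBGP route with AD 20 exists), written out as an added example that is not from any poster in the thread. Interface names, tunnel and public addresses (documentation ranges), the profile names and the key placeholder are assumptions; the `crypto` commands need the SECK9 license mentioned above.

```cisco
! Added example, not from the thread. All names and addresses are constructed.
! Local broadband next hop: 198.51.100.1   Remote site public address: 203.0.113.2
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Replace <PRE-SHARED-KEY> with a long random value, unique per site pair
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
!
crypto ipsec transform-set BACKUP-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile BACKUP-PROF
 set transform-set BACKUP-TS
!
interface Tunnel0
 description Backup to remote site over broadband
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0/1
 tunnel destination 203.0.113.2
 ! Without this line the tunnel is plain GRE and traffic crosses the internet unencrypted
 tunnel protection ipsec profile BACKUP-PROF
!
! Pin the tunnel endpoint to the broadband link so the tunnel never
! tries to reach its own destination through MPLS or through itself
ip route 203.0.113.2 255.255.255.255 198.51.100.1
!
! Floating static: distance 25 loses to eBGP (20) while MPLS is up,
! and is installed only when the BGP-learned route is withdrawn
ip route 172.17.1.0 255.255.255.0 10.255.0.2 25
```

After a failover test, `show ip route 172.17.1.0` should list the static route via 10.255.0.2, and `show crypto ipsec sa` should show encaps/decaps counters increasing, confirming the backup traffic is actually encrypted.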
01-10-2019 07:15 AM