Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
695
Views
0
Helpful
3
Replies

Design Advice

saquib.tandel
Level 1
Level 1

‎01-24-2011 10:28 PM - edited ‎03-04-2019 11:11 AM

Hi

One of our new branch needs to connect to HQ with less than 25 users, primary link would be MPLS and Backup link would be GRE over IPSEC using Public Network. MPLS would be around 2MB and Internet link would be 2MB as well. Users in the branch needs to browse internet using local service provider. Currently we got only One 48 port switch 3560.

Is it recommended to terminate both MPLS and GRE-over IPSEC on the same router or different,Also there is a need to restrict user internet browsing to 1MB and if MPLS link is down then all traffic for HQ will flow over GRE-over-IPSEC

Please advice

thanks

ST

Labels:
0 Helpful
3 Replies 3

spremkumar
Level 9
Level 9

‎01-25-2011 05:37 AM

hi

Based on the information provided i feel you can connect both the links onto the same router though the best practice is to have 2 different routers for redundancy purpose.

Routing wise you need to have a default route via your internet link for the internet access and more specific route for your vpn access towards the mpls link interface. Also you need to have static route with high admin distance towards your internet link for your vpn traffic so that it can be used as a standby for your mpls link.

Also you need to make sure that you encrypt only the intersting traffic which is your vpn traffic alone and not the whole traffic.

If you want to do a rate-limit make sure that you create an access-list denying your ipsec tunnnel end point ips and permitting your local network to any  and attach it to the rate-limit to limit the internet usability bandwidth to 1Mbps.

You need to make sure that you are not Natting your vpn endpoint which could result in non formation of ipsec tunnels between your locations.

regds

0 Helpful

saquib.tandel
Level 1
Level 1
In response to spremkumar

‎01-25-2011 05:47 AM

Hi Kumar

any config guidelines link from cisco website for the proposed.

thanks

ST

0 Helpful

spremkumar
Level 9
Level 9
In response to saquib.tandel

‎01-25-2011 06:45 AM

Hi

Since it involves multiple features/technologies like NAT/IPSEC/CAR(rate-limit) you may have to check out for the support sheets to start with the basic configurations. also i dont think you will have a direct link available for the MPLS/IPSEc routing scenario may be googling will help you out on that.

If you start building the configs on your own and come back here with your doubts/queries it will help you to earn more understanding/confidence which will make life easy during the actual implementation.

regds

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card