One of our new branch needs to connect to HQ with less than 25 users, primary link would be MPLS and Backup link would be GRE over IPSEC using Public Network. MPLS would be around 2MB and Internet link would be 2MB as well. Users in the branch needs to browse internet using local service provider. Currently we got only One 48 port switch 3560.
Is it recommended to terminate both MPLS and GRE-over IPSEC on the same router or different,Also there is a need to restrict user internet browsing to 1MB and if MPLS link is down then all traffic for HQ will flow over GRE-over-IPSEC
Based on the information provided i feel you can connect both the links onto the same router though the best practice is to have 2 different routers for redundancy purpose.
Routing wise you need to have a default route via your internet link for the internet access and more specific route for your vpn access towards the mpls link interface. Also you need to have static route with high admin distance towards your internet link for your vpn traffic so that it can be used as a standby for your mpls link.
Also you need to make sure that you encrypt only the intersting traffic which is your vpn traffic alone and not the whole traffic.
If you want to do a rate-limit make sure that you create an access-list denying your ipsec tunnnel end point ips and permitting your local network to any and attach it to the rate-limit to limit the internet usability bandwidth to 1Mbps.
You need to make sure that you are not Natting your vpn endpoint which could result in non formation of ipsec tunnels between your locations.
Since it involves multiple features/technologies like NAT/IPSEC/CAR(rate-limit) you may have to check out for the support sheets to start with the basic configurations. also i dont think you will have a direct link available for the MPLS/IPSEc routing scenario may be googling will help you out on that.
If you start building the configs on your own and come back here with your doubts/queries it will help you to earn more understanding/confidence which will make life easy during the actual implementation.
Listen: https://smarturl.it/CCRS9E25 Follow us: twitter.com/ciscochampions
With applications and users everywhere, the networks are now, more than ever, being tasked with delivering consistent protection while providing an exceptional user exper...
Listen: https://smarturl.it/CCRS9E24 Follow us: https://twitter.com/CiscoChampion
Cisco Radio Aware Routing addresses several of the challenges faced when merging IP routing and radio communications in mobile networks, especially those exhibiti...
Listen: https://smarturl.it/CCRS9E23 Follow us: https://twitter.com/CiscoChampion The Wi-Fi 6E Catalyst 9136 access point takes advantage of the 6-GHz band to produce a network that is more reliable and secure, with higher throughput, more ...
When moving from OSPFv2 to OSPFv3, there are many changes in the format of the LSAs Type, but the most known changes are: IP prefix informations are no longer carried in Type-1 LSA and Type-2 LSA, new LSAs Type 8 and 9 are added to carry these prefixes.