cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
331
Views
0
Helpful
3
Replies
Beginner

Design Advice

Hi

One of our new branch needs to connect to HQ with less than 25 users, primary link would be MPLS and Backup link would be GRE over IPSEC using Public Network. MPLS would be around 2MB and Internet link would be 2MB as well. Users in the branch needs to browse internet using local service provider. Currently we got only One 48 port switch 3560.

Is it recommended to terminate both MPLS and GRE-over IPSEC on the same router or different,Also there is a need to restrict user internet browsing to 1MB and if MPLS link is down then all traffic for HQ will flow over GRE-over-IPSEC

Please advice

thanks

ST

3 REPLIES 3
Engager

Re: Design Advice

hi

Based on the information provided i feel you can connect both the links onto the same router though the best practice is to have 2 different routers for redundancy purpose.

Routing wise you need to have a default route via your internet link for the internet access and more specific route for your vpn access towards the mpls link interface. Also you need to have static route with high admin distance towards your internet link for your vpn traffic so that it can be used as a standby for your mpls link.

Also you need to make sure that you encrypt only the intersting traffic which is your vpn traffic alone and not the whole traffic.

If you want to do a rate-limit make sure that you create an access-list denying your ipsec tunnnel end point ips and permitting your local network to any  and attach it to the rate-limit to limit the internet usability bandwidth to 1Mbps.

You need to make sure that you are not Natting your vpn endpoint which could result in non formation of ipsec tunnels between your locations.

regds

Beginner

Re: Design Advice

Hi Kumar

any config guidelines link from cisco website for the proposed.

thanks

ST

Highlighted
Engager

Re: Design Advice

Hi

Since it involves multiple features/technologies like NAT/IPSEC/CAR(rate-limit) you may have to check out for the support sheets to start with the basic configurations. also i dont think you will have a direct link available for the MPLS/IPSEc routing scenario may be googling will help you out on that.

If you start building the configs on your own and come back here with your doubts/queries it will help you to earn more understanding/confidence which will make life easy during the actual implementation.

regds

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards