08-02-2017 04:04 AM - edited 03-05-2019 08:56 AM
Hi All
I am looking at a design for branches whereby they have MPLS as a primary connection to the HQ, and we want a backup using the Internet.
About 50 sites.
At the hub end, what kind of equipment are we best using to terminate the IPsec tunnels? Are we best looking at a 4451, running a firewall on it and DMVPN?
Cheers
08-02-2017 05:15 AM
Your "ideal" VPN router would depend much on the amount of bandwidth you need to support, more so than the fact that you'll be supporting 50 sites.
If you're only using the Internet VPN for backup, and assume only one remote site might need its backup link, you can size much, much smaller than if you were going to support all 50 sites being active concurrently.
If you're only using a router for VPN, whether hub or remote, you don't need to run a FW, assuming you block all traffic but the VPN traffic.
08-02-2017 05:39 AM
Hi Joseph
Thanks for that,
What about the choice of routing protocols etc.? We peer using BGP at the minute for the primary MPLS circuit.
Would you overlay this with DMVPN, or just use encrypted GRE tunnels, fully meshed?
cheers
08-02-2017 10:16 AM
Are you asking whether to also use BGP across your DMVPN? If so, you could, or you might run another routing protocol. In either case, you just need to ensure the DMVPN path is only used when an MPLS path fails (if that's your requirement).
As to "fully meshed", it's not clear what you're asking. DMVPN is both encrypted and (logically) fully meshed.
08-03-2017 01:13 AM
Hi
What I would like to know is, do you keep the routing domains separate between the MPLS and the backup circuits?
So basically you only run the DMVPN over the backup routers, then you let HSRP make the HSRP router the primary so it will always use that network first.
Should the primary router have routes to the backup network if it goes down, or do you just use HSRP to direct the traffic?
How would you do it?
cheers
08-03-2017 03:09 AM
Personally, I would have one routing topology that includes both MPLS and VPN backup.
08-03-2017 03:26 AM
Can you explain how you would achieve this?
Would you use the DMVPN over the MPLS?
Just a brief explanation would be great.
cheers
08-03-2017 05:12 AM
Would you use the DMVPN over the MPLS?
No, I would either run a common routing protocol between my MPLS and VPN physical topologies or I would use a different routing protocol for both and redistribute between them.
08-04-2017 12:46 AM
What does it say in the design guide for best practice?
08-04-2017 04:57 AM
I don't recall this being addressed, but then it's been a while since I've read it.
Feel free to read it yourself, and if you have questions, post them.
08-02-2017 08:22 AM
I currently run something similar to this with 4451s in the two DCs and 4331s at the office sites. The 4451s only have Sec/HSec and sit behind perimeter firewalls. The 4331s are directly on the Internet, but have ACLs only allowing traffic to/from the DCs. All routers use two VRFs: Internet and Internal, with the base routing table completely black-holed. I use encrypted GRE tunnels with per-tunnel QoS at the hubs to prevent overrunning the office Internet links. I do not allow spoke-to-spoke traffic (i.e. no DMVPN) because there would be no way to prevent one office from overrunning another one. I run OSPF in the offices and BGP over the GRE links. Works like a dream. You need to spend some time ensuring that you harden all the routers, including turning off all unwanted services, including ICMP responses to unknown devices.
Hope this helps.
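A spoke-side IOS-XE sketch of the split described in the post above, added here as a constructed example and not the poster's own configuration: Internet and Internal VRFs with the global table black-holed, an inbound ACL on the Internet uplink that admits only IKE and ESP from the DC hub, an IKEv2-protected GRE tunnel whose transport sits in the Internet VRF while its inside sits in the Internal VRF, and BGP to the hub over that tunnel. All addresses, AS numbers, object names and the pre-shared key placeholder are hypothetical; per-tunnel QoS and the hub side are left out.

```cisco
vrf definition Internet
 address-family ipv4
 exit-address-family
vrf definition Internal
 address-family ipv4
 exit-address-family
! Global routing table is black-holed: nothing legitimate is forwarded there
ip route 0.0.0.0 0.0.0.0 Null0
ip access-list extended FROM-DC-ONLY
 permit udp host 203.0.113.10 any eq isakmp
 permit udp host 203.0.113.10 any eq non500-isakmp
 permit esp host 203.0.113.10 any
 deny ip any any log
crypto ikev2 proposal IKE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKE-POL
 match fvrf Internet
 proposal IKE-PROP
crypto ikev2 keyring IKE-KEYS
 peer DC1
  address 203.0.113.10
  pre-shared-key <replace-with-strong-psk>
crypto ikev2 profile IKE-PROF
 match fvrf Internet
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-KEYS
crypto ipsec transform-set TS-GCM esp-gcm 256
crypto ipsec profile GRE-PROT
 set transform-set TS-GCM
 set ikev2-profile IKE-PROF
interface GigabitEthernet0/0/0
 vrf forwarding Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-DC-ONLY in
ip route vrf Internet 0.0.0.0 0.0.0.0 198.51.100.1
interface Tunnel100
 vrf forwarding Internal
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 203.0.113.10
 tunnel vrf Internet
 tunnel protection ipsec profile GRE-PROT
router bgp 65010
 address-family ipv4 vrf Internal
  neighbor 10.255.0.1 remote-as 65000
  neighbor 10.255.0.1 activate
```

The `deny ip any any log` entry is what makes the hardening checkable: anything logged by that ACL is traffic that should never have reached the uplink.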