Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1997
Views
10
Helpful
8
Replies

IPSec route over MPLS

Go to solution
Mirko442
Level 1
Level 1

‎01-16-2023 09:28 AM - edited ‎01-16-2023 09:34 AM

Hello guys,

I'm working on a project, here's the picture 

Mirko442_0-1673889721723.png

Circle in the middle has MPLS configured, I've configured VRF's and managed to ping 3 sites Split, Makarska and Imotski. Next step I added internet router and configured static routes so each site can reach it. After that I configured IPSEC on the internet links so each site can reach eachother through IPSEC internet link aswell. Now when I ping pc's the traffic goes trough internet IPSEC links, and only goes trough mpls if i turn internet links off. I want primary route to be trough MPLS and only go trough IPSEC if MPLS fails. 

On my CE router, those routes go trough internet link with AD 1.

Mirko442_1-1673890031328.png

Anyone has idea on how to route traffic so it goes trough MPLS first?

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-16-2023 09:36 AM - last edited on ‎01-18-2023 09:35 PM by Community Manager

Hello @Mirko442 ,

you need to use floating static routes over the IPSec tunnel so that they have a greater , less preferred , admin distance

use something like 220 as you AD for the floating static routes

ip route <net > 255.255.255.0 172.4.1.1 220

and so on

warning: this works if you receive the same set of prefixes over MPLS with a dynamic routing protocol like eBGP or OSPF.

If route summarization is performed on the MPLS cloud the suggested change is not enough as the most specific route is preferred regardless of admin distance

Hope to help

Giuseppe

 

View solution in original post

8 Replies 8

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎01-16-2023 09:36 AM - last edited on ‎01-18-2023 09:35 PM by Community Manager

Hello @Mirko442 ,

you need to use floating static routes over the IPSec tunnel so that they have a greater , less preferred , admin distance

use something like 220 as you AD for the floating static routes

ip route <net > 255.255.255.0 172.4.1.1 220

and so on

warning: this works if you receive the same set of prefixes over MPLS with a dynamic routing protocol like eBGP or OSPF.

If route summarization is performed on the MPLS cloud the suggested change is not enough as the most specific route is preferred regardless of admin distance

Hope to help

Giuseppe

 

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎01-16-2023 09:39 AM

Since you have static Route that is taking preference as per the output, look below route preference :

https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/8651-21.html

So you looking here MPLS as prefered and if that Failed you want to user Internet VPN link ?

If you running OSPF why not use OSPF also IPSEC tunnel  with metric to prefer path as MPLS  ?

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎01-16-2023 09:44 AM - edited ‎01-16-2023 10:08 AM

AD for MPLS is = 1
AD for static default  is = 1

so change the static AD to be = more than 1 
check this solution. 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎01-16-2023 10:08 AM

if you prefer MPLS over direct connect then use PBR. 

0 Helpful

Go to solution
Mirko442
Level 1
Level 1

‎01-16-2023 09:48 AM - last edited on ‎01-18-2023 09:36 PM by Community Manager

Hello guys, thanks for the quick replies,

@Giuseppe Larosa so I need to configure floating route on CE-ST for example:

ip route 10.30.5.0 255.255.255.0 132.4.2.2 220?

@balaji.bandi I didn't really understand your answer, I want my ping from PC1 to PC2 for example to go through MPLS and only go through IPSEC if MPLS interface is down.

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Mirko442

‎01-16-2023 09:58 AM

i might have not clear here - what i was suggesting if you could able to run OSPF between Routers with metric you can make decision.

if you looking only static route increate the AD from 1 to XXX ( as suggested by @Giuseppe Larosa )

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Mirko442
Level 1
Level 1

‎01-16-2023 10:16 AM

Thanks for all the replies, I've managed to make it with floating routes! Quick replies, love it

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Mirko442

‎01-16-2023 10:18 AM

glad you able to  fix, also test failure links.

My approach always use Dynamic protocol for good traffic engineering.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents