Mpls failover to ipsec VPN

hifly.mansoor1
Level 1

We have branch offices connected via MPLS BGP. I need to connect these sites via BGP over IPsec/GRE and make MPLS primary and VPN backup in case MPLS goes down. How do I configure this?

I think a static route pointing to the ISP for the IPsec tunnel with a higher AD will work out. Any suggestions?

7 Replies

Philip D'Ath
VIP Alumni

Yes, that will work.  You could also run BGP over all paths.

Hi John & Philip. Thanks for the reply

Here is my config:

router bgp 65201
bgp router-id 10.38.65.83
bgp always-compare-med
bgp log-neighbor-changes
neighbor 10.16.65.62 remote-as 65201
neighbor 10.16.65.62 description Connected_to_core3850
neighbor 10.38.230.110 remote-as 65400                       ( ipsec VPN)
neighbor 10.38.230.110 description vpn-to-xx
neighbor 10.208.88.197 remote-as 13979                 (MPLS)
!
address-family ipv4
network 10.38.65.83 mask 255.255.255.255
neighbor 10.16.65.62 activate
neighbor 10.16.65.62 default-originate
neighbor 10.16.65.62 soft-reconfiguration inbound
neighbor 10.38.230.110 activate       
neighbor 10.38.230.110 soft-reconfiguration inbound
neighbor 10.38.230.110 prefix-list spring_routes-out out
neighbor 10.38.230.110 route-map xx-4311_routes-in in
neighbor 10.208.88.197 activate
neighbor 10.208.88.197 soft-reconfiguration inbound      
exit-address-family
!
ip nat inside source list nat_networks interface GigabitEthernet0/0/1 overload
ip forward-protocol nd
no ip http server
no ip http secure-server
ip tftp source-interface Loopback10
ip route 0.0.0.0 0.0.0.0 50.244.123.118
ip route 192.203.160.65 255.255.255.255 50.244.123.118 name xx-VP

You can add a BGP neighbour that runs over the GRE tunnel.

Hi Philip, thanks.

Would this work?

ip route 0.0.0.0 0.0.0.0 tunnel 150 10.38.230.109 10 name backup


There is not enough config relating to the tunnels and Internet connection to confirm this.

Hi Philip,

Now we have moved the MPLS to the core switch... for the best possible way.

router bgp 65201
bgp router-id 10.38.65.80
bgp log-neighbor-changes
neighbor 192.x.x.x remote-as 65201
neighbor 192.x.x.x description vpn-rtr (VPN )
neighbor 10.208.88.197 remote-as 1xxx (MPLS)
!
address-family ipv4

redistribute connected
neighbor 10.16.65.61 activate
neighbor 10.16.65.61 next-hop-self
neighbor 10.16.65.61 soft-reconfiguration inbound
neighbor 10.16.65.61 prefix-list spring_routes-out out
neighbor 10.208.88.197 activate
neighbor 10.208.88.197 soft-reconfiguration inbound

For failover I added a route-map, but I am not sure if this works:

route-map s_routes-out permit 15
set as-path prepend 65201

neighbor 10.208.88.197 route-map spring_routes-out in          (MPLS)
neighbor 10.208.88.197 route-map spring_routes-out out

johnlloyd_13
Level 9

Hi,

Use IP SLA and tracking.
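
An added example, not part of any post in this thread: one way to combine the floating static route and the IP SLA tracking suggested above on Cisco IOS. Tunnel150 is the tunnel interface named in the thread; the remote prefix 192.0.2.0/24, the tunnel peer address 198.51.100.2, and the SLA/track number 10 are placeholders chosen for illustration. With IOS defaults, eBGP routes have administrative distance 20 and iBGP routes 200, so a backup static must use a distance above both to stay out of the routing table while the MPLS BGP route is present.

```ios
! Added example; placeholder addresses, not taken from the thread's network.
!
! 1. Probe the far end of the GRE/IPsec tunnel through the tunnel itself,
!    so the backup route is installed only while the protected path works.
ip sla 10
 icmp-echo 198.51.100.2 source-interface Tunnel150
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now
!
! 2. Track the probe. The delays damp flapping: the route is pulled after
!    10 s of failed probes and restored after 30 s of successful probes.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! 3. Floating static for the remote site (placeholder prefix).
!    Distance 250 is higher than eBGP (20) and iBGP (200), so the route
!    learned over MPLS wins whenever it exists. The route points at the
!    tunnel interface, not the ISP next hop, so failover traffic stays
!    inside the IPsec-protected tunnel instead of leaving in the clear.
ip route 192.0.2.0 255.255.255.0 Tunnel150 198.51.100.2 250 name backup track 10
!
! Verification (exec mode):
!   show track 10
!   show ip sla statistics 10
!   show ip route 192.0.2.0
!   show ip bgp 192.0.2.0
```

While MPLS is up, `show ip route 192.0.2.0` should list the BGP-learned route; the static entry appears only after BGP withdraws the prefix and track 10 is up.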
