MPLS failover

mwatson
Level 1

We have an MPLS network, and we have installed a 20 Mbps internet circuit that we are dumping all the internet traffic to, which is working fine. Now I need to configure a failover so that if the MPLS side goes down the traffic is pointed to the internet circuit, which has a firewall on the outside that will build a point-to-point VPN to our external firewall at the head of the MPLS. Our environment is this: 4 offices connected to MPLS, which runs to our colo. In one office we have this internet circuit for testing. If office 1 loses MPLS, we want the internal traffic for the subnets 172.16.x.x to run through the internet circuit. Right now I have static routes for 172.16.x.x internal traffic to send it through the MPLS, with a default route 0.0.0.0 0.0.0.0 pointing to the internet circuit. So in the failover the 172.16.x.x would then go to the internet circuit and the firewall would know to build a p2p VPN to our colo.

Thanks

7 Replies

alok nath
Level 1

Hi Mwatson

It would be great if you could provide a simple diagram with generic IPs mentioned.

Thanks

Alok Nath

Here you go.

Hi Mwatson

You can achieve this failover by using IP SLA tracking and a floating static route, assuming the internal FW is a Cisco product.

Below is a link on this concept. Hope this will help you.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml

Thanks

Alok Nath

The firewall is a SonicWall, and I can set up the failover for that to talk to the other firewall, no problem. The issue is getting the internal traffic to flow out the internet side when the MPLS is down. IP SLA sounds like the right approach, but since I have static routes for all the internal traffic and a default for everything else, would IP SLA basically reset my IP routes to send everything out the internet side, thus allowing my firewall to say "oh wait, I have traffic for this subnet, I need to set up an IP VPN"?

So if this is my ip routes:

ip route 0.0.0.0 0.0.0.0 172.16.90.2 (Internet circuit)
ip route 10.0.1.1 255.255.255.255 198.X.X.X (MPLS)
ip route 67.220.116.64 255.255.255.224 198.X.X.X (MPLS)
ip route 164.57.0.0 255.255.0.0 198.X.X.X (MPLS)
ip route 172.16.2.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.4.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.6.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.11.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.12.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.14.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.15.4 255.255.255.255 SM1/0 (VOIP to CCM)
ip route 172.16.16.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.17.0 255.255.255.0 198.X.X.X (MPLS)
ip route 172.16.26.0 255.255.255.0 198.X.X.X (MPLS)

Will IP SLA change the routes to this:

ip route 0.0.0.0 0.0.0.0 172.16.90.2 (Internet circuit)

and then back to what it needs to be when the MPLS comes back?

Thanks
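The following IOS configuration is an added example illustrating what Alok Nath's reply (IP SLA plus tracked/floating static routes) looks like when applied to the route table posted above; it is not from the original thread or from the linked Cisco document. Assumptions: 198.51.100.1 stands in for the poster's MPLS next hop (198.X.X.X), GigabitEthernet0/0 is the router's MPLS-facing interface, and 10.0.1.1 (already present in the poster's route list) is a host at the colo that is reachable only across the MPLS. The `ip sla` keyword is the newer syntax; older IOS releases use `ip sla monitor` with otherwise identical logic.

```ios
! --- Added example, not the poster's configuration ---
! Assumed: 198.51.100.1 = MPLS PE next hop (poster's 198.X.X.X)
!          Gi0/0         = MPLS-facing interface
!          10.0.1.1      = colo host reachable only over the MPLS (probe target)
!
! 1. Probe a host on the far side of the MPLS rather than the PE next hop,
!    so a failure inside the provider cloud is detected, not only a dead link.
ip sla 1
 icmp-echo 10.0.1.1 source-interface GigabitEthernet0/0
 frequency 5
 timeout 2000
 threshold 1000
ip sla schedule 1 life forever start-time now
!
! 2. Track reachability of the probe. The delays stop one lost ping from
!    withdrawing every route and then re-installing it seconds later.
track 1 ip sla 1 reachability
 delay down 15 up 60
!
! 3. Pin the probe target to the MPLS path with NO tracked or floating backup.
!    If this host could be reached via the VPN while MPLS is down, the probe
!    would succeed over the VPN, the track would come back up, the MPLS routes
!    would be re-installed toward a dead path, and the whole thing would flap.
ip route 10.0.1.1 255.255.255.255 198.51.100.1
!
! 4. The existing MPLS routes gain "track 1": IOS removes them from the
!    routing table while the track is down and restores them when it recovers.
ip route 67.220.116.64 255.255.255.224 198.51.100.1 track 1
ip route 164.57.0.0 255.255.0.0 198.51.100.1 track 1
ip route 172.16.2.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.4.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.6.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.11.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.12.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.14.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.16.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.17.0 255.255.255.0 198.51.100.1 track 1
ip route 172.16.26.0 255.255.255.0 198.51.100.1 track 1
!
! 5. The VoIP route to the service module is local and unaffected; the default
!    already points at the inside address of the SonicWall. Once the tracked
!    routes are withdrawn, 172.16.x.x traffic simply falls through to the default
!    and reaches the firewall, which brings up the site-to-site VPN.
ip route 172.16.15.4 255.255.255.255 SM1/0
ip route 0.0.0.0 0.0.0.0 172.16.90.2
!
! 6. Optional floating routes (administrative distance 250) make the backup path
!    explicit, so the failover keeps working even if someone later changes or
!    removes the default route.
ip route 172.16.2.0 255.255.255.0 172.16.90.2 250
ip route 172.16.4.0 255.255.255.0 172.16.90.2 250
ip route 172.16.6.0 255.255.255.0 172.16.90.2 250
ip route 172.16.11.0 255.255.255.0 172.16.90.2 250
ip route 172.16.12.0 255.255.255.0 172.16.90.2 250
ip route 172.16.14.0 255.255.255.0 172.16.90.2 250
ip route 172.16.16.0 255.255.255.0 172.16.90.2 250
ip route 172.16.17.0 255.255.255.0 172.16.90.2 250
ip route 172.16.26.0 255.255.255.0 172.16.90.2 250
!
! Verification (exec mode):
!   show track 1                 -> "Reachability is Up/Down", tracked by routes
!   show ip sla statistics 1     -> latest RTT and return code
!   show ip route 172.16.2.0     -> next hop 198.51.100.1 normally, 172.16.90.2 in failover
```

So the answer to the question above is "almost": IP SLA does not rewrite the routes to a bare default, it temporarily removes the tracked MPLS routes from the routing table, and because the default already points at 172.16.90.2 the 172.16.x.x traffic follows it to the SonicWall; when the probe recovers the tracked routes reappear and traffic returns to the MPLS on its own. Two things to check on the firewall side: the 67.220.116.64/27 and 164.57.0.0/16 routes also fall back to the default during an outage, so the SonicWall policy must decide whether those destinations belong in the VPN or go out to the internet, and the SonicWall's own tunnel must be configured to treat the failed-over 172.16.x.x source subnets as interesting traffic or it will never build the p2p VPN.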

Any resolution to this? I have a similar setup.

I believe you need to create a VPN tunnel interface between the FWs. You can then implement policy-based routing and adjust the metric accordingly, so you would have the metric set lower going into the MPLS network, and you can add failover/tracking on the SonicWall; I can't remember exactly where, but it is there somewhere.

I know this post is old, but do you remember what you did? I have the exact same scenario right now.
