MPLS failover with VPN?

dmurray14
Level 1

Hi all,

We currently have an MPLS with BGP for interoffice connectivity. I want one of the branch offices to be able to fail over to a VPN to the main office through another internet link if the MPLS goes down (which it does often). What's the best way to accomplish this?

Thanks

23 Replies

chriskeener720
Level 1

Hi Dan,

Here is how I've always set this up. Use IP SLA to ping the far side and let it decide whether to remove the route or leave it in, i.e. if the ping is successful, maintain a route internally; if it fails, pull the route and allow the default route out (0.0.0.0 outside) to take over.

As for the primary router and/or switch, just use a floating static. If you're using BGP your AD will be 20, and if you look at your routing table using sh ip bgp, you should be able to figure out which floating statics you will need.

ip route <network> <mask> <next-hop> 250 name TOASA

Above it shows that the cost of the route will be higher, and should you lose the MPLS on either side, it will use the floating static to re-route the traffic out to the ASA.

The ASA will pull the route to inside by failing to ping the far side router via IP SLA.

Then the route to that network will now use the default route. This should be routing outside 0.0.0.0 0.0.0.0

Next it needs to not be NATted, using a NONAT ACL etc. on the ASA.

Last it will hit the crypto map and peer to the other side. Voila! You have redundancy.

Let me know if this helps.

IP SLA config. on ASA:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
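As an added example (not chriskeener720's own configuration and not taken from the linked Cisco document), here is what that design looks like on a branch router and on a branch ASA running the pre-8.3 NAT syntax. Every address, name and AS number is constructed: 192.0.2.1 is the hub's MPLS-side address used as the probe target, 10.1.0.0/16 the hub LAN, 192.168.1.0/24 the branch LAN, 192.168.1.1 the branch router, 192.168.1.254 the ASA inside interface, 203.0.113.1 the ISP gateway and 198.51.100.1 the hub firewall's public address.

```cisco
! ===== Branch router (IOS) =====
! Hub LAN 10.1.0.0/16 is normally learned from the MPLS provider via eBGP (AD 20).
! Floating static toward the branch ASA's inside interface: AD 250 loses to BGP
! while the BGP route exists and takes over the moment BGP withdraws it.
ip route 10.1.0.0 255.255.0.0 192.168.1.254 250 name TOASA
!
! Optional: shorter BGP timers so the MPLS route is withdrawn in seconds rather
! than after the default 180 s hold time (constructed neighbor; check what the
! provider accepts).
router bgp 65001
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 timers 10 30

! ===== Branch ASA (pre-8.3 syntax) =====
! Untracked host route for the probe target so the ICMP probe always leaves via
! inside (toward the branch router and the MPLS circuit), never via the VPN.
route inside 192.0.2.1 255.255.255.255 192.168.1.1 1
!
! IP SLA: ping the hub's MPLS-side address through the branch router every 10 s.
sla monitor 10
 type echo protocol ipIcmpEcho 192.0.2.1 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 10 rtr 10 reachability
!
! While the probe succeeds the hub LAN is reached via inside; when it fails the
! tracked route is withdrawn and hub-bound traffic falls through to the default.
route inside 10.1.0.0 255.255.0.0 192.168.1.1 1 track 10
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! NAT exemption: branch-to-hub traffic keeps its private addresses so it matches
! the crypto ACL and is routable on the hub side.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
!
! Crypto ACL and IKEv1/IPsec site-to-site tunnel to the hub firewall.
access-list VPN-TO-HUB extended permit ip 192.168.1.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set TS-AES-SHA esp-aes-256 esp-sha-hmac
crypto map VPNMAP 10 match address VPN-TO-HUB
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set TS-AES-SHA
crypto map VPNMAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <REPLACE-WITH-SHARED-SECRET>
```

Two things to check before relying on this. First, the hub side needs the mirror image (its firewall tracking the branch's MPLS-side address and routing the branch LAN over the VPN when the probe fails), otherwise return traffic is still sent into the broken MPLS path and the failover is asymmetric. Second, the probe target must be an address that is only reachable across the MPLS circuit; if 192.0.2.1 could be reached any other way the track would never fall and the VPN would never take over. DH group 5 is the strongest group available in the pre-8.3 syntax shown; on releases that support it, use group 14 or an ECDH group.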

Hi All,

I have a hub-spoke network. Every spoke is connected to the hub via an MPLS data line. Every spoke also has a separate internet link which terminates directly on a firewall, and the hub also has a separate internet link which terminates on a firewall.

I want to configure a VPN tunnel between spoke and hub for redundancy. How can I configure this VPN tunnel to trigger automatically when the MPLS link fails?

Your replies are much appreciated.

You can use BGP over both the MPLS and the VPN tunnels, using different neighbor weights.

Thanks ttemirgaliyev for the reply.

But I want to configure the VPN tunnel using the separate internet link which terminates on the firewall.

MPLS is configured using BGP on a separate 1800 router. Is it possible to automatically trigger the VPN tunnel (between the firewalls at hub and spoke) when the MPLS link fails?

Is your network like this?

           --------- fw1-------vpn over internet------fw2--
         /                                                                          \
        /                                                                              \
    int tunn1       ---  bgp over vpn  ------                int tunn2
hub ------------------------bgp over mpls -----------------------    spoke

It will automatically switch to the VPN over the Internet when MPLS fails, provided the BGP neighbor weights are set correctly.

Don't forget to rate the post.

Yes, my network is like this. Only the BGP over VPN is not there.

Just BGP over mpls and vpn over internet are there.

Thanks for the reply.

How to do it:

1. configure vpn over internet from fw1 to fw2

2. configure static routes from hub to fw1 and from spoke to fw2

3. configure tunnel interfaces on hub and spoke

4. ping from int tunn1 on hub to int tunn2 on spoke

5. on hub add bgp neighbor spoke and set a lower neighbor weight

6. on spoke add bgp neighbor hub and set a lower neighbor weight

Don't forget to rate the post.
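The six steps above, carried through as an added example on hub and spoke IOS routers (this is not ttemirgaliyev's configuration). Everything is constructed: hub LAN 10.1.0.0/16 behind AS 65001, spoke LAN 10.2.0.0/16 behind AS 65002, MPLS provider AS 65100 with hub and spoke neighbors 192.0.2.1 and 192.0.2.5, fw1 and fw2 inside addresses 10.1.255.1 and 10.2.255.1, loopbacks 10.1.255.10 and 10.2.255.10 as GRE endpoints, and 172.16.0.0/30 on the tunnel. Step 1 (the IPsec tunnel between fw1 and fw2) is assumed already in place and is not shown.

```cisco
! ===== Hub router (IOS) =====
interface Loopback0
 description GRE source; reached from the spoke through fw1 over the existing VPN
 ip address 10.1.255.10 255.255.255.255
!
! Step 2: host route so the spoke's tunnel endpoint is reached via fw1 (the VPN),
! never via MPLS, otherwise the backup tunnel would ride the link it backs up.
ip route 10.2.255.10 255.255.255.255 10.1.255.1
!
! Step 3: GRE tunnel; keepalives take the interface (and the BGP session on it)
! down within about 30 s if the VPN path stops forwarding.
interface Tunnel1
 ip address 172.16.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.2.255.10
 keepalive 10 3
!
! Step 5: BGP over both paths. Weight is compared before AS-path length, so the
! higher weight on the MPLS neighbor keeps MPLS preferred even though the direct
! tunnel session offers a shorter AS path. Weight is local to this router.
router bgp 65001
 bgp log-neighbor-changes
 network 10.1.0.0 mask 255.255.0.0
 neighbor 192.0.2.1 remote-as 65100
 neighbor 192.0.2.1 description MPLS provider (primary)
 neighbor 192.0.2.1 weight 100
 neighbor 172.16.0.2 remote-as 65002
 neighbor 172.16.0.2 description spoke over GRE inside the fw1-fw2 IPsec tunnel
 neighbor 172.16.0.2 weight 50

! ===== Spoke router (IOS), mirror image =====
interface Loopback0
 ip address 10.2.255.10 255.255.255.255
!
! Step 2 on the spoke: hub tunnel endpoint via fw2
ip route 10.1.255.10 255.255.255.255 10.2.255.1
!
interface Tunnel2
 ip address 172.16.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 10.1.255.10
 keepalive 10 3
!
! Step 6: lower weight on the hub-over-tunnel neighbor
router bgp 65002
 bgp log-neighbor-changes
 network 10.2.0.0 mask 255.255.0.0
 neighbor 192.0.2.5 remote-as 65100
 neighbor 192.0.2.5 weight 100
 neighbor 172.16.0.1 remote-as 65001
 neighbor 172.16.0.1 weight 50
```

Step 4 is the verification: from the hub, `ping 172.16.0.2 source Tunnel1` must succeed before the BGP neighbors are added, which proves that fw1 and fw2 are passing GRE (IP protocol 47) between the two loopbacks and that the loopback-to-loopback traffic is included in the firewalls' crypto ACLs. GRE itself adds no protection; the tunnel is only private because it is carried inside the fw1-fw2 IPsec tunnel, so the host routes in step 2 matter: if a loopback were reachable any other way, the backup session could leave the VPN. Failover time is bounded by the MPLS session's hold timer (180 s by default) unless the interface goes down or shorter timers are negotiated with the provider.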

Thanks ttemirgaliyev.

Really appreciate it.

Hi, this really is a very nice conversation. What is the difference between the two scenarios: using a default route,

and using BGP over the MPLS tunnel?

Does only the second scenario trigger automatically when the MPLS connection goes down?

What about using only a default route; does it also give the same result?
