02-25-2010 12:55 PM - edited 03-06-2019 09:54 AM
Hi all,
We currently have an MPLS with BGP for interoffice connectivity. I want to have the ability to have one of the branch offices fail over to a VPN to the main office through another internet link if the MPLS goes down (which it does often). What's the best way to accomplish this?
Thanks
02-21-2012 06:11 PM
Hi Dan,
Here is how I've always set this up. Use IP SLA to ping the far side and let it decide whether to remove the route or leave it in, i.e. if the ping is successful, maintain a route internally; if it fails, pull the route and allow the default out, i.e. 0.0.0.0 outside, to take over.
As for the primary router and/or switch, just use a floating static. If you're using BGP your AD will be 20, and if you look at your routing table using sh ip bgp, you should be able to figure out what floating statics you will need.
ip route
Above it shows that the cost of the route will be higher, and should you lose the MPLS on either side, it will use the floating static to re-route the traffic out to the ASA.
The ASA will pull the route to inside by failing to ping the far side router via IP SLA.
Then the route to that network will use the default route. This should be routing outside 0.0.0.0 0.0.0.0.
Next it needs to not be NATted, using a nonat ACL etc. on the ASA.
Last it will hit the crypto map and peer to the other side. Voila! You have redundancy.
Let me know if this helps.
IP SLA config. on ASA:
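An added example of the spoke-side pieces described above (tracked route on the ASA, floating static on the MPLS router, identity NAT and crypto map); it is not the poster's own config and uses constructed addresses: 10.1.0.0/16 is the hub LAN, 10.2.0.0/16 the spoke LAN, 10.2.0.1 the spoke MPLS router, 10.2.0.2 the ASA inside interface, 172.16.0.1 the far-side MPLS router, 203.0.113.2 the hub ASA's public address.

```cisco
! --- Spoke MPLS/BGP router (IOS). Constructed example, not from the post. ---
! eBGP-learned routes have AD 20; this floating static uses AD 250, so it is
! installed only once the BGP route for the hub LAN is withdrawn.
ip route 10.1.0.0 255.255.0.0 10.2.0.2 250

! --- Spoke ASA. Constructed example, not from the post. ---
! Probe the far-side MPLS router, pinned to the inside interface so the probe
! is never sent over the VPN after the tracked route has been pulled.
sla monitor 10
 type echo protocol ipIcmpEcho 172.16.0.1 interface inside
 num-packets 3
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! Route to the hub LAN via the local MPLS router; withdrawn when the probe fails
route inside 10.1.0.0 255.255.0.0 10.2.0.1 1 track 1
! Host route for the probe target so the default route never carries the probe
route inside 172.16.0.1 255.255.255.255 10.2.0.1 1
! Default out the internet link takes over for 10.1.0.0/16 after the withdrawal
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! Identity NAT (ASA 8.3+ syntax) so spoke-to-hub traffic is not translated
object network SPOKE-LAN
 subnet 10.2.0.0 255.255.0.0
object network HUB-LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside) source static SPOKE-LAN SPOKE-LAN destination static HUB-LAN HUB-LAN no-proxy-arp route-lookup

! Crypto map with the same traffic selector, peered to the hub ASA
access-list VPN-TO-HUB extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-HUB
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
```

The hub side needs the mirror image of both the floating static and the tracked route, and failover time is bounded by the router's BGP hold timer and the SLA frequency times its timeout, so test the cutover rather than assuming it is immediate.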
05-27-2012 09:45 PM
Hi All,
I have a hub-spoke network. Every spoke is connected to the hub via an MPLS data line, and every spoke also has a separate internet link which terminates directly on a firewall. The hub also has a separate internet link which terminates on a firewall.
I want to configure a VPN tunnel between spoke and hub for redundancy. How can I configure this VPN tunnel to trigger automatically when the MPLS link fails?
Your replies are much appreciated.
05-27-2012 10:22 PM
You can use BGP for both the MPLS and the VPN tunnels, with different neighbor weights.
05-27-2012 10:32 PM
Thanks ttemirgaliyev for the reply.
But I want to configure the VPN tunnel using the separate internet link which terminates on the firewall.
MPLS is configured using BGP on a separate 1800 router. Is it possible to automatically trigger the VPN tunnel (between the firewalls at hub & spoke) when the MPLS link fails?
05-27-2012 10:52 PM
Your network is like this?
            fw1 -------- vpn over internet -------- fw2
           /                                          \
     int tunn1 ---------- bgp over vpn ---------- int tunn2
        /                                                \
hub --------------------- bgp over mpls --------------------- spoke
It will automatically trigger to VPN over Internet when MPLS fails,
provided the BGP neighbor weights are correct.
Don't forget to rate the post.
05-27-2012 11:16 PM
Yes, my network is like this. Only BGP over VPN is not there;
just BGP over MPLS and VPN over internet are there.
Thanks for the reply.
05-27-2012 11:35 PM
How to do it:
1. configure vpn over internet from fw1 to fw2
2. configure static routes from hub to fw1 and from spoke to fw2
3. configure tunnel interfaces on hub and spoke
4. ping from int tunn1 on hub to int tunn2 on spoke
5. on hub add bgp neighbor spoke and write less neighbor weight
6. on spoke add bgp neighbor hub and write less neighbor weight
Don't forget to rate the post.
05-27-2012 11:42 PM
Thanks ttemirgaliyev.
Really appreciate it.
08-25-2015 04:35 AM
Hi, this really is a very nice conversation. What is the difference between the two scenarios, using a default route
versus using BGP over the MPLS tunnel?
Does only the second scenario trigger automatically if the MPLS connection is down?
What about using only a default route, does it also give the same result?