FLEXVPN over MPLS Transport WAN Network

Hello,

We currently have about 180 sites which are interconnected over MPLS VPN WAN. We have four different providers due to the dispersion of our sites. We are running eBGP between all the CE and PE devices. Each CE has two WAN connections to the WAN, and only one LAN interface. We have been tasked to ensure that LAN to LAN traffic has been encrypted. We created loopback IP addresses on each of our WAN routers and advertised this into BGP. The spoke sites have reachability to the HUB site. We chose not to advertise the LAN subnet into BGP. Next we configured FlexVPN between the HUB site and the spokes with IKEv2. The tunnels are sourced from the loopback interface, and we are running EIGRP over the FlexVPN and use this to advertise the LAN subnets.

I would like to know if this is the correct design, as when the primary link fails the tunnel should shift to route traffic over the secondary link at the branches. Is there a recommended design for this deployment, and what's the best way to optimize the BGP convergence to ensure the tunnel does not hang during switching of links? We noticed the EIGRP neighborship would fail occasionally when the primary link goes down. We sometimes have to manually shutdown the tunnel and no shut it, and the EIGRP neighborship forms immediately and traffic starts flowing again.

4 Replies

David_Che
Level 1

Hi,

Please try to configure BFD on BGP, like 'neighbor ip-address fall-over bfd'.

In this way, if the primary WAN fails, BGP will get notification of this failure quickly and then fail over onto the secondary WAN; FlexVPN and EIGRP will not be torn down.

HTH

David

Correct, BFD is pretty good for improving BGP convergence time. Apart from it, you can also use IP SLA with PBR and object tracking.

This feature allows you to make sure that the next hop is reachable before that route is used. If the next hop is not reachable, another route is used as defined in the policy-based routing (PBR) configuration. If no other route is present in the route map, the routing table is used.

For more information please check the doc below:

https://supportforums.cisco.com/document/30296/using-ipsla-change-routing
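As an added illustration of the IP SLA / object tracking / PBR approach described above (example configuration written for this thread, not taken from the linked document or from any poster's router), here is a spoke CE that probes the next hop of each WAN link and only policy-routes LAN traffic towards a next hop whose track is up. All interface names, addresses and the LAN subnet are constructed placeholders; 192.0.2.1 and 198.51.100.1 stand for the two PE next hops.

```cisco
! Added example for this thread; every address, name and interface is a placeholder.
!
! Probe each PE next hop every 5 seconds from the matching WAN interface.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 2 life forever start-time now
!
! Track objects follow probe reachability; the delays damp brief flaps
! so a single lost probe does not bounce the policy.
track 1 ip sla 1 reachability
 delay down 10 up 20
!
track 2 ip sla 2 reachability
 delay down 10 up 20
!
! Only LAN-sourced traffic is policy-routed (placeholder LAN subnet 10.10.10.0/24).
ip access-list extended LAN-SUBNET
 permit ip 10.10.10.0 0.0.0.255 any
!
! Preferred next hop is provider A (seq 10); provider B (seq 20) is used
! only when track 1 is down. If both are down the routing table decides.
route-map LAN-TO-HUB permit 10
 match ip address LAN-SUBNET
 set ip next-hop verify-availability 192.0.2.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
!
interface GigabitEthernet0/2
 description LAN
 ip policy route-map LAN-TO-HUB
```

In the design discussed in this thread the LAN subnets travel inside the FlexVPN tunnel, so the traffic that actually needs steering is the encrypted loopback-to-loopback flow; the same track objects can be attached to a route map applied to that traffic, or to tracked static routes for the hub loopback, depending on which path selection you want the probes to control.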

Hello David,

I will implement BFD tonight and see if it changes the performance. Another thing I did was change the "bgp timers to 10 30": the keepalive timer set to 10 seconds, hold down timer set to 30 seconds. With this I noticed that the router will automatically pass the VPN traffic sourced from the loopback to the hub through the other provider before the tunnel goes down. The tunnel goes down after about a minute of losing the route to the hub loopback interface, so having BGP converge the routes before that minute seems pretty stable.

Besides that I noticed something else: when the EIGRP session drops over the tunnel, it hardly ever rebuilds itself. I have to manually shut the tunnel and bring it back up. I am assuming this happens when some hello packets are dropped between hub and spoke routers. I logged into the branch, checked the physical interface and the crypto sessions, and they were ready. Checked the route from loopback to loopback and it was up. Ping from loopback to loopback went well. But the EIGRP neighbor was down.

Yes, decreasing the BGP hello time can make BGP converge faster, but you still need 30 seconds to fail over, and all the traffic will be discarded during this time range. However, configuring BFD at 200 ms, failover can take place in less than one second. Furthermore, BFD is a lightweight protocol and will have little impact on CPU usage.

Regards,

David
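The following spoke-side configuration is an added example for this thread (not configuration posted by anyone above, and not a vendor reference design) that puts together the two recommendations made here: BFD at 200 ms on both eBGP sessions, as David suggests in his first and last replies, and a FlexVPN tunnel sourced from a loopback carried in BGP, with EIGRP running over the tunnel as the original poster describes. AS numbers, addresses, key names and the pre-shared key are constructed placeholders, the hub loopback is assumed to be 10.255.0.1, and the hub-side configuration is omitted.

```cisco
! Added example for this thread; all AS numbers, addresses, names and keys are placeholders.
!
! BFD on each WAN link: 200 ms transmit/receive, multiplier 3, so a dead
! link is detected in roughly 600 ms instead of waiting for the BGP hold timer.
interface GigabitEthernet0/0
 description WAN to provider A PE
 ip address 192.0.2.2 255.255.255.252
 bfd interval 200 min_rx 200 multiplier 3
!
interface GigabitEthernet0/1
 description WAN to provider B PE
 ip address 198.51.100.2 255.255.255.252
 bfd interval 200 min_rx 200 multiplier 3
!
! Loopback used only as the FlexVPN tunnel source and advertised into BGP;
! the LAN subnet is deliberately not advertised to the MPLS cloud.
interface Loopback0
 ip address 10.255.0.11 255.255.255.255
!
router bgp 65011
 bgp log-neighbor-changes
 network 10.255.0.11 mask 255.255.255.255
 neighbor 192.0.2.1 remote-as 65001
 neighbor 192.0.2.1 fall-over bfd
 neighbor 198.51.100.1 remote-as 65002
 neighbor 198.51.100.1 fall-over bfd
!
! IKEv2 / FlexVPN spoke towards the hub loopback (assumed 10.255.0.1).
crypto ikev2 keyring HUB-KEYS
 peer HUB
  address 10.255.0.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
crypto ikev2 profile FLEX-SPOKE
 match identity remote address 10.255.0.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEYS
 ! Dead peer detection so a stale IKE SA is noticed and rebuilt without a manual shut/no shut.
 dpd 10 2 on-demand
!
crypto ipsec profile FLEX-IPSEC
 set ikev2-profile FLEX-SPOKE
!
interface Tunnel0
 ip address 172.16.0.11 255.255.255.0
 tunnel source Loopback0
 tunnel destination 10.255.0.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile FLEX-IPSEC
!
! EIGRP over the tunnel carries the LAN subnet (placeholder 10.10.10.0/24).
! Hold time is kept well above the BFD/BGP reroute time so the adjacency
! survives a WAN link switch instead of expiring during it.
router eigrp FLEX
 address-family ipv4 unicast autonomous-system 100
  af-interface Tunnel0
   hello-interval 5
   hold-time 15
  exit-af-interface
  network 172.16.0.0 0.0.0.255
  network 10.10.10.0 0.0.0.255
 exit-address-family
```

The timer relationship is the point to check on a real deployment: with BFD detecting the failure in under a second and BGP withdrawing the PE path immediately, the loopback-to-loopback route moves to the second provider long before the 15 second EIGRP hold time expires, so neither the IPsec session nor the EIGRP neighborship has to be rebuilt. The BFD and DPD intervals are assumptions to tune against the providers' PE behaviour; BFD in particular must also be enabled on the PE side for the session to come up.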