cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
363
Views
0
Helpful
2
Replies

Load balancing IPSEC traffic (going throught MPLS Cloud)

mario.laniel
Level 1
Level 1

Is it possible to set up VPN/IPSEC where the main pop router has two points of entry into an MPLS cloud and about 50 other pop and somehow automatically load balance the VPN traffic from the main pop over two Ethernet interfaces. If the main pop has two equal cost paths to the MPLS cloud and one applies the same crypto map to both interfaces, will encrypted traffic be sent over each one of the links.

P.S. We're using a 6509 and VPN service Module blade at the main pop and 2621 with AIM module everywhere else.

2 Replies 2

drolemc
Level 6
Level 6

What you are facing is a routing issue. The problem boils down to routing the traffic to the interfaces in a 50-50 ratio. For that you have a number of options such as static routes and policy routing.

I can see your point, but what happen if one of the point of entry fails? I would like to get all the IPSEC tunnel to get recreated on the other point of entry and go back to what it was when the link comes back online.

Somebody suggested creating two GRE/IPSEC tunnels from each of the 50 routers. These two tunnels would terminate on each of the two interfaces of the hub router. Both tunnels would remain up all the time.

Using routing to make the tunnel terminate on the hub router's first interface as primary for the first 25 routers. Then make the tunnel terminate on the second interface as primary for the last 25.

This way if one of the interface of the hub goes down then other tunnel would take all the traffic.