swulm

join:2007-05-23
Jacksonville, FL

[HELP] BGP Failover to IPSEC

We recently put a MPLS network between our facilities as a primary way of inter-site communications. A new business continuity requirement asked that we provide a failover route in case our connection to the MPLS went down. We used to do Router to Router IPSEC Tunnels.

Can I use BGP to use the Serials (MPLS) as primary and the IPSEC-VPN as a failover route?

How would this be accomplished? My routers are Cisco 2821, 2811, and 1841, all running 12.4 Advance IP Services.

Thanks!



webnetwiz
GNS3 and Olive baby
Premium
join:2004-09-22
Valley Village, CA

You should be able to build IPSEC over GRE tunnels; you'll need GRE to pass routing information across your VPN tunnel, then configure the VPN tunnel connection to have a higher cost than your MPLS link. This is the first thing that came to my mind without knowing your topology.


swulm

join:2007-05-23
Jacksonville, FL

Our topology is pretty simple. All sites look like:

Internet Cloud connects to Outsides of:
PIX 515E + 515E-FO, Connects from Insides to
Cisco 3560G, Connects to Gig0/1 of
Cisco 2821 ISR - Ser0/0/0 & 0/1/0 MPPP MPLS
Gig0/0 - Inside User & Server Switches

What I am looking to do is route all traffic amongst the 4 sites via MPLS, then should the MPPP go down, use a VPN tunnel from router to router through the internet.

Hope this helps. Not sure on GRE. Do you have a sample config, or a link to a sample?


swulm

join:2007-05-23
Jacksonville, FL

Oh, and I should mention that the ISR is different in all sites.

One site has the 2821, one has a 2811, and 2 have 1841s. All Routers use 12.4 IOS Advanced IP Services level.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

swulm,

Which circuit do you plan the VPN tunnel to use? Will the VPN tunnel ride over the same MPPP or do you have a different circuit?

If I'm not mistaken, you only have a single MPPP to your ISP without backup circuit. When this MPPP or ISP MPLS network is down, how would the VPN tunnel be established?



webnetwiz
GNS3 and Olive baby
Premium
join:2004-09-22
Valley Village, CA
reply to swulm

Yep, I agree with aryoba. If this MPLS link is also your Internet link, this isn't going to work. You'd need a separate Internet connection.


swulm

join:2007-05-23
Jacksonville, FL

They are separate. Our MPLS is provided by Level3, and our Internet through AT&T. Our Internet is through the Firewall, where the MPLS is direct to the router.


aryoba
Premium,MVM
join:2002-08-22
kudos:4

swulm,

Can you post the network diagram then? This way we could understand your network setup better, as in which equipment connects to what.

Tips:
In case you don't know how to post a diagram, there are choices. You can upload a JPEG format file using the "Preview/Attach". You can also "draw" on your typing pad using the HTML code PRE as listed on the right bar.


swulm

join:2007-05-23
Jacksonville, FL

Sure. I have attached a jpg showing the basic layout.

aryoba
Premium,MVM
join:2002-08-22
kudos:4


The "top of the line" network setup for redundancy/failover is to have a dedicated point-to-point circuit between two sites. This point-to-point circuit would not be over the Level 3 MPLS network. Instead it would be a long-haul circuit or utilize a Level 3 POP. With a similar scenario, you could also consider using the AT&T MPLS network to have a redundant connection.

Another alternative is to have an IPSec VPN tunnel between two sites over the AT&T network to provide redundancy/failover. As the IPSec VPN peers, you might be able to use the ASA. You should then have at least two static IP addresses from AT&T for each site; one IP address for Internet access and another for the VPN peer.

As webnetwiz mentioned, you could consider GRE over IPSec. With GRE, you can run dynamic routing over the IPSec tunnel and/or run load balance (per packet or per destination).

For GRE tunnel termination point, you could use either the 2821 or 3560.


mr_dirt

join:2006-02-14
Denver, CO
reply to webnetwiz

As far as I can tell, the PIX gets an ethernet handoff from another device separate from the MPLS connectivity.

If that's the case, I don't think BGP is the right route distribution mechanism. You should be using whatever you've already got in place to distribute routes over the MPLS network, probably RIP/OSPF, EIGRP or some other IGP.

I guess you want to fail over to the GRE connection if *all* of the MPLS connectivity dies? Does your MPLS network offer full-mesh connectivity between the sites, or do you mostly use connections from satellite offices to an HQ site?


swulm

join:2007-05-23
Jacksonville, FL

The MPLS is a full mesh, but if I lose my connection at site one, sites 2 and 3 can continue to talk, but site 1 would be completely offline. That's why I wanted to use the IPSEC as a failover.

I myself prefer EIGRP, very simple. How can I make the VPN route cost more for failover?

Would it be as simple as saying in the config:

ip route 192.168.2.0 255.255.255.0 192.168.11.1 200

and let EIGRP handle the MPLS?


aryoba
Premium,MVM
join:2002-08-22
kudos:4

On EIGRP configuration, you should be able to set higher metrics or costs on Tunnel interfaces than the MPPP interface. This way your EIGRP would prefer MPPP over the GRE tunnel.

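A constructed IOS configuration for one site, added here as an illustration and not taken from any poster or from Cisco's sample links. It shows the pieces the thread converges on: a GRE tunnel across the Internet path, optional IPsec protection of that tunnel on the router itself, and EIGRP with the tunnel's delay raised so the MPPP/MPLS path always wins the metric comparison. All addresses, interface names, the EIGRP AS number and the pre-shared key are assumptions.

```cisco
! Site 1 router (constructed example). Assumed addressing: local LAN
! 192.168.1.0/24, remote LAN 192.168.2.0/24, tunnel link 10.255.12.0/30,
! remote public peer 203.0.113.2 (documentation range, not a real host).
!
! --- Optional: IPsec protection of the GRE tunnel on the router.
!     Needs a crypto-capable IOS image; if the PIX/ASA terminates IPsec
!     instead (as in the linked Cisco example), drop this section and the
!     "tunnel protection" line below. GRE alone is cleartext.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.2
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! --- GRE tunnel over the AT&T Internet path (backup) ---
interface Tunnel12
 description Backup to site 2 via Internet
 ip address 10.255.12.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.2
 ! bandwidth: set to the real Internet speed so EIGRP update pacing
 ! is sane (tunnels default to a tiny value); delay is in tens of
 ! microseconds, so 500000 = 5 s, far above the ~200 ms default of a
 ! serial link. EIGRP's composite metric then prefers the MPPP path
 ! and only installs the tunnel route when the MPPP route disappears.
 bandwidth 10000
 delay 500000
 tunnel protection ipsec profile GRE-PROT
!
! --- EIGRP over both paths; the same process already runs on the MPPP ---
router eigrp 100
 network 192.168.1.0 0.0.0.255
 network 10.255.12.0 0.0.0.3
 network <MPPP-LINK-SUBNET> <WILDCARD>
 no auto-summary
 passive-interface GigabitEthernet0/0
!
! Alternative to the delay trick: a floating static via the tunnel with
! AD 200 stays hidden while EIGRP (AD 90) supplies the MPLS route.
ip route 192.168.2.0 255.255.255.0 Tunnel12 200
```

Verify with `show ip route 192.168.2.0` while both paths are up (next hop should be the MPPP interface) and again after shutting the serial links in a maintenance window (next hop should flip to Tunnel12).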

aryoba
Premium,MVM
join:2002-08-22
kudos:4
reply to swulm

The following link shows two devices as the VPN peer. The two PIX provide IPSec tunnel. The two routers provide GRE tunnel which will ride over the IPSec tunnel. The same routers also pass dynamic routing (OSPF) to provide site-to-site IP routing.

Note that your routers run Advance IP Services which may only support GRE tunnel creation. When it is the case, you will then use the ASA to provide the IPSec tunnel. The sample configuration would apply to this situation.

Routers run OSPF and GRE, PIX-es provide IPSec
»www.cisco.com/en/US/tech/tk583/t···f6.shtml

When all routers' IOS image versions are something like Enterprise that support both GRE and IPSec tunnel creation, then you could have a DMVPN setup as follows

DMVPN supporting RIP, OSPF, or EIGRP
»www.cisco.com/en/US/tech/tk583/t···3e.shtml