gzarini
New Member
November 11, 2015
Question

IPsec for MPLS failover.

  • November 11, 2015
  • 1 reply
  • 14555 views

Hi, I have a little issue on setting up my network. I have an MPLS network provided by an ISP. This network has a HQ and 3 branches. In the short term we're going to move our app servers to a DC, but keep AD/DNS/fileserver in HQ. I need to create an IPsec between branches and HQ to forward traffic in case the MPLS fails. I need to route 3 networks between each branch and HQ; here is where I have my doubts. Since I can only use static routes, I have a problem on how to handle traffic when the MPLS is down. I thought about setting up a DGD on branches to check connectivity through MPLS and send traffic over VPN in case MPLS fails. I understand that what FG does when a DGD is detected is stop sending traffic through that interface. On the HQ, how can I set up a DGD or any kind of detection to check that the other side is unreachable? I don't think I can use a DGD on HQ because I need to check that three branches are down, but only one can be inaccessible. I could really use some help. Regards.

    1 reply

    ede_pfau
    SuperUser
    November 11, 2015

    hi,


    interesting question. But, please don't cross-post. "VPN" is the right forum I think.


    Connection failover will be built on route failover. You set up the VPNs to connect all the time. The routes across the MPLS and the VPNs will have to be weighted differently to make the MPLS route preferred. That's what the distance and priority parameters are for.

    The preferred (MPLS) routes will be included in the Routing Table and the backup (VPN) routes will not.


    Now what happens if the MPLS fails.

    Dead gateway detection (in the more sophisticated form of ping server detection) will delete the MPLS route from the RT. Now, the secondary, less attractive route across the VPN will be included and traffic will flow again.

    As soon as the MPLS is tested OK its route will be installed and traffic will be diverted back across the MPLS.


    For the VPN I recommend a hub-and-spoke layout. This is easy to set up and easy to enlarge later.


    How do you know that the MPLS is down? Well, you can specify up to 3 ping servers which all have to fail until DGD declares the MPLS down. You should always use at least 2 independent servers to guard against 'false' failovers due to server downtime/maintenance window. The additional servers are specified in the CLI only. If you select servers such that more than one external link is monitored you can be quite sure to detect an outage.


    If you monitor each link independently, you can survive partial link loss. IMHO it's not an 'all or nothing' question.
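The distance-based failover described in this answer, as an added example of FortiOS CLI for the branch side (not configuration posted in the thread). The interface names, the tunnel name "to-HQ", the PE next hop 10.0.1.1, the HQ LAN 192.168.10.0/24 and the two ping targets are all assumed values.

```fortios
# Branch FortiGate (assumed layout, not from the thread):
#   port1   = MPLS-facing interface, PE next hop 10.0.1.1
#   to-HQ   = IPsec interface-mode tunnel to HQ, always up
#   HQ LAN 192.168.10.0/24 is reachable over both paths

# Preferred route across MPLS: the lower administrative distance
# is the one installed in the Routing Table
config router static
    edit 1
        set dst 192.168.10.0 255.255.255.0
        set gateway 10.0.1.1
        set device "port1"
        set distance 10
    next
    # Backup route across the VPN: higher distance, so it stays out
    # of the RT while the MPLS route is present and is installed only
    # once the MPLS route has been withdrawn
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set device "to-HQ"
        set distance 20
    next
end

# Dead gateway detection as ping-server monitoring: two independent
# targets on the MPLS path, both must fail before the MPLS static
# route that uses this gateway is withdrawn from the RT; when the
# pings succeed again the route is reinstalled and traffic moves back
config system link-monitor
    edit "mpls-hq"
        set srcintf "port1"
        set server "10.0.1.1" "192.168.10.1"
        set gateway-ip 10.0.1.1
        set protocol ping
        set interval 5
        set failtime 5
        set recoverytime 5
        set update-static-route enable
    next
end
```

Repeat the two-route pattern for each of the three HQ networks; the single link monitor covers all of the MPLS routes that share the monitored gateway.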

    gzarini (Author)
    New Member
    November 11, 2015

    Thanks for the answer. One question.

    "Now what happens if the MPLS fails. Dead gateway detection (in the more sophisticated form of ping server detection) will delete the MPLS route from the RT. Now, the secondary, less attractive route across the VPN will be included and traffic will flow again. As soon as the MPLS is tested OK its route will be installed and traffic will be diverted back across the MPLS."


    When MPLS fails and FG deletes routes from the routing table, does it delete all routes associated with the interface that connects to the MPLS, or only the routes to one particular branch?


    Regards.

    gzarini (Author)
    New Member
    November 11, 2015

    This is a little diagram of what I need.