VPN for backup of MPLS - any ideas?

I want to back up my wired MPLS connections with VPN over 4G internet. The only thing I can come up with is an IPsec tunnel from the branch routers to the internet ASA, then running a GRE tunnel through it to the MPLS hub router. If anyone has experience with this, your input would be appreciated!

We do this scenario at a lot of places. Primary MPLS link, backup is DMVPN tunnels over an internet connection (often 4G Cradlepoint) back to DMVPN hub routers at our two datacenters.

BGP is established over the tunnels with some extra prepends to make the MPLS the preferred link.
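A spoke-side configuration that applies what this post describes (DMVPN over the 4G uplink, BGP over the tunnel with prepends so MPLS stays preferred, plus the local-preference variant another reply mentions). This is an added example, not any poster's actual config; all addresses, AS numbers, interface names and the pre-shared key are assumed placeholders.

```cisco
! Added example, not a poster's config. Branch (spoke) router: MPLS CE link on
! Gi0/0, NAT'd 4G uplink on Gi0/1. All addresses, AS numbers, names and the
! pre-shared key are placeholders.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 description DMVPN backup over 4G to hub 203.0.113.1
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication PLCHLDR
 ip nhrp map 10.255.0.1 203.0.113.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROF
!
router bgp 65011
 bgp log-neighbor-changes
 network 192.168.11.0 mask 255.255.255.0
 ! MPLS provider PE: raise local preference so its paths win at this branch
 neighbor 172.16.11.2 remote-as 65000
 neighbor 172.16.11.2 route-map MPLS-IN in
 ! DMVPN hub: prepend our AS so the hub side also prefers the MPLS path
 neighbor 10.255.0.1 remote-as 65001
 neighbor 10.255.0.1 route-map DMVPN-OUT out
!
route-map MPLS-IN permit 10
 set local-preference 200
!
route-map DMVPN-OUT permit 10
 set as-path prepend 65011 65011 65011
```

When the MPLS link drops, the PE session and its routes disappear and the only remaining BGP paths are the prepended ones over Tunnel0, so failover needs no tracking or static routes.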

Best thing you can do is to lab your topology in GNS3. Replicate your 4G Internet connection and place it behind a router which will NAT all the 4G traffic (what an ISP would do on 4G connections) and create a working DMVPN network with a routing protocol running between sites. Then you can add the MPLS router, as this would be easier, and make the MPLS more preferred.

There are some good INE and CBT Nuggets videos on YouTube for DMVPN. Don’t overcomplicate the setup with dual DMVPN hubs. Keep it simple until you achieve what you want, then go crazy from there.

Have you looked at SD-WAN solutions yet? Depending on your infrastructure, network knowledge, and in-house IT resources, it might be a simpler way to go, especially for management purposes.

When I used to work for an ISP, all our backup tunnels were DMVPN with EIGRP running over it.

Now I work for a utility company where I am the only network guy. Sure, I can set up a full DMVPN scenario here, but from a management standpoint it is much easier to go with SD-WAN. And if you were looking for any type of WAN optimization product, some SD-WAN solutions come with that feature baked in, such as Riverbed.

I would definitely suggest an SD-WAN option. We use the SilverPeak appliances and have been able to completely cut out the need for our MPLS and are strictly on IPsec tunnels between our branches.

I put together a lab with a bunch of 2801’s and got DMVPN up and running. I then put together another lab using an ASA 5506 as the hub. The drawback to the ASA is that only BGP is supported on VTI. I think a router as the hub with EIGRP out to the branch offices over DMVPN is going to be the best solution for me.

Thanks everyone for your input, it helped me out a lot!

Second this, got 12 sites running with FlexVPN with an ISR 4451 as DC hub and 4431s at branch offices. If the MPLS link goes down it triggers the xDSL or 4G connection. Be wary of 4G data costs and think about the traffic patterns that could use this connection; it might create a nightmare rather than a great solution. I’d recommend trying for some DSL-esque connection rather than 4G if you can.

How do you configure the ACLs for the crypto map? It seems like the traffic intended for the MPLS would match and end up being sent across the VPN. I have no trouble with L2L tunnels, but I don’t know how to do this specific thing.

Same here; but local pref instead. It works very well.

To /u/BigN8Tee - no crypto maps for DMVPN. Just routing.

I haven’t thought too deeply about any of this yet. Originally AT&T said that tunneling the 4G into our existing MPLS would be no trouble; now they are backing up on that and saying we need to purchase the solution through them.

I’m going to reach out to our Cisco SE and discuss possible solutions, as it looks like there are a few different ways to skin this cat. This subreddit has been awesome for me since I am a one-man network team and don’t have anyone to bounce ideas off.

Thanks for the input, and I’ll update with what we end up doing.

That’s awesome, we used to use a SilverPeak WAN accelerator, so I’m familiar with the company. I’m going to start looking into SD-WAN for sure; it sounds like it will support short-term needs and long-term as well.

VTIs as used for DMVPN or FlexVPN, combined with manipulating BGP metrics, are what you are looking for. You don’t want to be deploying traditional static IPsec tunnels matching interesting traffic, as they won’t scale as you add more sites (full mesh).

We use an extended ACL for inbound and outbound applied to the tunnel source interface.

ACL allows isakmp, icmp, bootps and bootpc to the two DMVPN hub routers.
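An example of the kind of interface ACL this post describes, added here and not the poster's actual configuration. It assumes two hub routers with public addresses 203.0.113.1 and 203.0.113.2 (placeholders) and a DHCP-addressed 4G uplink on Gi0/1; the UDP 4500, ESP and GRE lines go beyond the post and are assumptions for a NAT'd 4G path and for IOS releases that re-check the decrypted packet against the inbound ACL.

```cisco
! Added example, not the poster's actual ACL. Assumes two DMVPN hubs with
! public addresses 203.0.113.1 and 203.0.113.2 (placeholders) and a 4G uplink
! on Gi0/1 that gets its address by DHCP.
ip access-list extended INET-IN
 remark IKE from the hubs: UDP 500, plus UDP 4500 because the 4G path is NAT'd
 permit udp host 203.0.113.1 eq isakmp any eq isakmp
 permit udp host 203.0.113.1 eq non500-isakmp any eq non500-isakmp
 permit udp host 203.0.113.2 eq isakmp any eq isakmp
 permit udp host 203.0.113.2 eq non500-isakmp any eq non500-isakmp
 remark ESP for a non-NAT'd path; GRE in case the decrypted packet is re-checked
 permit esp host 203.0.113.1 any
 permit esp host 203.0.113.2 any
 permit gre host 203.0.113.1 any
 permit gre host 203.0.113.2 any
 remark ICMP from the hubs only, for reachability tests
 permit icmp host 203.0.113.1 any
 permit icmp host 203.0.113.2 any
 remark DHCP replies so the 4G interface can obtain and renew its address
 permit udp any eq bootps any eq bootpc
 deny ip any any log
!
ip access-list extended INET-OUT
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.1
 permit esp any host 203.0.113.2
 permit gre any host 203.0.113.1
 permit gre any host 203.0.113.2
 permit icmp any host 203.0.113.1
 permit icmp any host 203.0.113.2
 permit udp any eq bootpc any eq bootps
 deny ip any any log
!
interface GigabitEthernet0/1
 ip address dhcp
 ip access-group INET-IN in
 ip access-group INET-OUT out
```

The DHCP lines are not restricted to the hubs because the carrier's DHCP server address is not known in advance; the final deny with log is useful while testing in the lab but is noisy on a live internet-facing interface.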

I have studied DMVPN and Flex VPN, but just enough to pass the test. Guess it’s time to actually learn about them.

I would say look into SD-WAN if you have limited IT staff resources. Sure, it’s cool to build a full mesh with DMVPN and redundant hubs like some people recommended, but in smaller environments, where you have limited IT staff, you want to do these things easily and efficiently, so if you are not around, somebody else can troubleshoot it. Preferably somebody who doesn’t need to be a CCNP…

I know this is a Cisco sub and people will most likely point you toward more complicated (yet well-implemented and time-proven) methods; I say do whatever makes more sense and is the easiest to manage. You can look at Meraki SD-WAN or Riverbed SD-WAN. Those are primarily the ones I researched.

We have a much simpler setup. We allow the same traffic over the VPN as we do over the MPLS. We have BGP on the MPLS routers, which inject into OSPF for the L3 switch at the locations. If the MPLS goes down, the routes drop on the L3 switch, and it then sends all relevant traffic out the default route (ASA firewall), which also hosts the L2L VPN back.