Mpls and Vpn

Would like to know if you can specify a general static route with mpls. I have three sites in a hub and spoke. Spoke A is linked to the hub site via a site vpn to a hub site isr. Spoke B is linked to the hub via mpls to a standalone mpls isr. I can’t get from spoke A to B and from spoke B to A. The mpls isp tells me that I cannot do this because spoke A’s local subnet is not part of the mpls peering (and is on another isp). Don’t have a lot of familiarity with mpls but I am wondering why you cannot do a static route of the form: ip route <spoke A lan> <mask> <hub site isr> in either of the mpls isr’s?

B --- mpls ----- HUB ---- vpn ---- A.
HUB connects to A and B, right?
I do not see any problem with doing a static route like you said on the client vrf (client from the isp point of view).
Maybe they are afraid of a backdoor route on the mpls (not the case) or there are some conflicts between mpls management ip addressing and the spoke A lan.
I have various similar configurations in mpls with static routes, ospf , rip and bgp without any problems and using different isps.
Ask your mpls isp what is the reason to not create that static? Instead you can ask to make default to a router in your management.
Pedro Lereno

Similar Messages

  • Load balance between MPLS and VPN

    Dear All
    There are two locations, site A and site B. I am confused with it. Can anyone help me understand it? Sites A and B are connected with two paths. One is MPLS and another is VPN over internet. We want MPLS as primary path and L2L VPN as backup. Only when the primary path is down can the VPN be used. How can we configure it? Can you give me a suggestion or a link? Thank you.

    Hello yangfrank,
    You can set this with a floating static using tracking with ip sla.
    Your primary route will be via MPLS
    ip route x.x.x.x track 1 (via MPLS)
    ip route y.y.y.y 10 (via VPN)
    ip sla 1
    icmp-echo z.z.z.z source-interface gix/x (MPLS interface)
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    here are examples:
    hope this helps
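
A filled-in version of the tracked floating static route from the reply above, as an added example that is not part of the original post. All addresses and interface names are constructed (documentation ranges), and the probe target is assumed to be a host at the remote site that answers ICMP.

```cisco
! Constructed addressing (assumptions, not from the post):
!   remote site LAN      10.2.0.0/16
!   MPLS next hop (PE)   198.51.100.1 on GigabitEthernet0/1
!   Internet next hop    203.0.113.1 (the path the L2L VPN uses)
!   probe target         10.2.0.1, a host at the remote site
!
ip sla 1
 icmp-echo 10.2.0.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
!
! Hold-down timers so that a single lost probe does not flap the route.
track 1 ip sla 1 reachability
 delay down 15 up 30
!
! Pin the probe to the MPLS path. Without this host route the probe
! could follow the backup route, succeed over the VPN and report the
! primary path as healthy while it is still down.
ip route 10.2.0.1 255.255.255.255 198.51.100.1
! If the MPLS interface itself goes down, discard the probe instead of
! letting it fall through to the backup route.
ip route 10.2.0.1 255.255.255.255 Null0 250
!
! Primary: installed only while track 1 is up.
ip route 10.2.0.0 255.255.0.0 198.51.100.1 track 1
! Backup: administrative distance 10, used once the primary is withdrawn.
ip route 10.2.0.0 255.255.0.0 203.0.113.1 10
```

Because of the pinned host route, the probe target itself is unreachable during a failover, so pick an address users do not depend on, such as a loopback.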

  • MPLS IP-VPN compatibility

    Hi, we've lots of members running on 2 Cisco 2611 with HA configured (HSRP, ISDN backup, etc). There is 2 scenarios here as follow:
    i. 2 units of 2611 routers with each 2611 have a dedicated LL, one connected to HQ, the other connected to DR.
    ii. 2 units of 2611 routers with only one have a dedicated LL, the other provide ISDN DDR when the LL on the other failed.
    iii. 1 unit of 2611 routers with trunking to a 2950 switch, have a dedicated LL and ISDN DDR.
    For the first scenario, when the members having 2 dedicated LL, normally it is from different telco providers. Now there's one single telco offering us the chance to upgrade to MPLS IP-VPN for an interesting rate. What I'm wondering is, can it work that way?
    I have my 6509s with Sup720 at both HQ and DR, I have a good vendor all the while, if part of the members start to accept the MPLS-VPN, is there any integration problem? The HA configured will still work?
    The thing that worried me most is the core layer part, since the member get the router through a router distribution from the core router in EIGRP, and the ISDN DDR will redistribute the static when the ISDN is active. How MPLS fit into my network?

    In principle everything can work. The design in question has one leased line (or ISDN) to the HQ and another path through a MPLS VPN. The issue you will have to deal with is to carefully design your dynamic routing. In case you have EIGRP, then an internal route will always be preferred over an external route. It is most likely to get external routes through the MPLS VPN - depending on implementation details.
    Thus you might have the problem of proper primary/backup path selection and also with routing loops. The underlying reason for both is the redistribution in MP-BGP at the MPLS PE router.
    You need to get more details on the implementation in the SP network to avoid any pitfalls. EIGRP supports backdoors in an MPLS VPN environment, but the question is, whether your telco does as well.
    So it might work, but careful routing design is a must and involves you and the telco. HA is still possible, ISDN backup is possible as well. Depending on your specific implementation details you might need some route tagging and redistribution filters implemented by yourself or the telco to avoid the aforementioned problems.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • MPLS L3 VPNs

    I need to implement Hub and Spoke MPLS L3 VPN. Scenario is we are
    implementing 30 VPNs on one Router i.e. 10720 in single VRF and with same
    RD. How can I implement Hub and Spoke in this case?

    When you want to have an MPLS/vpn hub and spoke topology, the HUB-PE router will need to have 2 vrf's. One which we can call 'from-spokes' and another 'to-spokes'. In the first one, we will have the routes that are being received from the spokes. In the other one, we will have the routes that will be advertised to the spokes; in this one we will certainly NOT have the routes to the other spokes. The HUB-PE needs to have 2 interfaces or sub-interfaces connected towards the CE site. One interface will be in the "from-spokes" VRF and the other one will be in the "to-spokes" VRF. That way the traffic coming from one spoke will always go to the CE via one vrf interface, then come back from the CE via the other vrf interface and be sent out towards the other spoke. This is the general overview of a Hub-spoke mpls-vpn topology.
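
The two-VRF layout described in the answer above, sketched as IOS configuration. This is an added example, not configuration from the thread; the AS number, route targets, RDs, interfaces and addresses are constructed, and the MPLS core and VPNv4 sessions between the PEs are assumed to be in place already.

```cisco
! Constructed values (assumptions): provider AS 65000, route targets
! 65000:100 (spoke -> hub) and 65000:200 (hub -> spoke), customer
! address space 10.0.0.0/8, hub CE on two dot1Q sub-interfaces.
!
! ---- HUB-PE ----
ip vrf from-spokes
 rd 65000:1
 route-target import 65000:100
!
ip vrf to-spokes
 rd 65000:2
 route-target export 65000:200
!
interface GigabitEthernet0/0.10
 description hub CE link for traffic returning from the CE to a spoke
 encapsulation dot1Q 10
 ip vrf forwarding from-spokes
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet0/0.20
 description hub CE link for traffic arriving from the spokes
 encapsulation dot1Q 20
 ip vrf forwarding to-spokes
 ip address 192.0.2.5 255.255.255.252
!
! Aggregate the spokes will follow; its next hop is the hub CE.
ip route vrf to-spokes 10.0.0.0 255.0.0.0 192.0.2.6
!
router bgp 65000
 address-family ipv4 vrf from-spokes
  redistribute connected
 exit-address-family
 address-family ipv4 vrf to-spokes
  redistribute static
 exit-address-family
!
! ---- each SPOKE-PE ----
! Spokes export toward the hub and import only what the hub exports,
! so no spoke ever holds another spoke's routes directly.
ip vrf spoke
 rd 65000:11
 route-target export 65000:100
 route-target import 65000:200
!
! ---- hub CE ----
! Spoke prefixes are reached through the from-spokes side of the PE.
ip route 10.0.0.0 255.0.0.0 192.0.2.1
```

With this layout all spoke-to-spoke traffic crosses the hub CE, which makes it the one place to apply ACLs or inspection between spokes.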


    What is L2 MPLS VPN and how do you configure it end-to-end? What are the differences from L3 VPN?
    What is VRF lite and what are its pros and cons?

    In a MPLS L3 VPN the service provider carries the route for the customer. The network is not transparent meaning that layer 2 traffic such as broadcast and control plane traffic like CDP/LACP/STP etc is not carried for the customer.
    There are different L2 VPNS such as Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
    EoMPLS is a point to point layer 2 service which does no MAC learning and it is transparent to the customer meaning that the customer can connect two switches together over the "cloud".
    VPLS is a multipoint to multipoint technology. Essentially to the customer the provider network looks like a big switch. Several sites can be connected together and traffic here is also transparent.
    Because these are layer 2 services the customer would be responsible themselves for providing routing in the network.
    VRF lite is a form of L3 VPN but it's not running MPLS. Instead it uses VLANs to separate customer traffic. The cons are that it requires more configuration, is less scalable and needs peering in multiple VRFs compared to just peering in the VPNv4 address family.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN Access

    Hi there,
    I want to ask a series of questions regarding Outlook Web App, Remote Desktop, Remote Web Access and VPN access and was hoping whether you could help me. Below are my questions to ask you.
    Outlook Web App - What do I need to configure in order to get my Exchange account to work with the OWA app on my iPhone? Is Office 360 required on the server that hosts Outlook Web App in our organisation? When I configure the settings and
    connect I get the following message "couldn't connect -  We couldn't connect to the server. Check your information and make sure it's correct." I can connect with other devices using Outlook Web App.
    Remote Desktop - What do I need to configure in order to connect to my computer at work using Remote Desktop on my Windows Phone? When I configure the settings and connect I get the following message "Connection error - We couldn't connect
    to the remote PC. Make sure the PC is turned on and connected to the network, and that remote access is enabled. Inquiring minds may find this error code helpful: 0x204" I can connect with other devices using Remote Desktop. There are currently no
    RD Server settings in the Remote Desktop app on the Windows Phone and the only way I'm to connect to my PC at work is via Remote Desktop and not to be confused with the one by Microsoft, however the app is on a trial basis and times out every 5 minutes and
    can only be used once every hour unless I purchased the app for £2.99 off the App Store but would ideally like to use the Microsoft Remote Desktop app though.
    Remote Web Access - What do I need to configure in order to get Remote Web Access on my Windows Phone using a URL? When I log in using a URL I get the following message "There is a problem with this Web page. Please contact the person who manages
    the server" I can connect with other devices using Remote Web Access. Also how do you enable the background option for Remote Web Access? I know how to do this in Remote Desktop but not in Remote Web Access. Remote Web Access works on PCs regardless
    being onsite and offsite and on my iPhone, the same issue also occurs with my Nokia 5230s regardless of whether I'm using Opera Mobile or Mini or the latest Nokia Browser.
    VPN access - How do you configure VPN access on a Windows Phone using VPN? I cannot find the protocols PPTP, L2TP, SSTP and IPsec in order to configure VPN access on the Windows Phone apart from IKEv2.
    Many thanks,

    Any help would be much appreciated.
    Kind regards,

  • Do I need to use open directory on Yosemite Server, I'm only looking to use file sharing and VPN

    I'm setting up a new mac mini server with Yosemite and I was wondering if there are any advantages or disadvantages to not using the open directory service? The only services I'm planning on using are File Sharing and VPN.

    You don't need Open Directory unless you want to manage user accounts centrally on the server.

  • Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

    With Namit Agarwal and Rahul Govindan 
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
    This is a continuation of the live webcast.
    Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
    Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
    Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
    Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
    Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
    Webcast related links:
    Slides from the live webcast
    Video Recording of the live webcast
    Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

    Hello Namit and Rahul,
    Here are a few questions that came in directly during your live webcast, hence posting them here so that users can benefit:
    1)      How is ASA CX different from other UTM solutions ?
    2)      How is dynamic application inspection of CX better than other inspection engines  ?
    3)      What features or functionalities on the CX are available by default ?
    4)      What are the different ways we can run or install CX on the ASA platform ?
    5)      What VPN features are supported with multi context ASA in the 9.x release ?
    6)      What are the IPv6 Enhancements in the ASA version 9.x ?
    Request you to please provide your responses to them individually.

  • ASA and vpn load balancing

    I am configuring 2 ASA5540 for internet traffic inside to outside,
    outside to inside (web, smtp) but also vpn load balancing for client to site, site to site and webvpn.
    In the doc I can configure them for internet traffic as Active/Standby or Active/Active.
    For vpn: I can use vpn load balancing.
    But there is no information if I want to use active/passive and vpn load balancing together.
    Any thoughts on which way to go? what is the best thing to do ?

    I think that you cannot use an Active/Active configuration for VPN connections as it is stated on Cisco's documentation: "Note: VPN failover is not supported on units that run in multiple context mode as VPN is not supported in multiple context. VPN failover is available only for Active/Standby Failover configurations in single context configurations" available at
    Hope it helps

  • Using 802.1x and vpn on t-mobile hotspot

    hi all,
    how do i configure 802.1x and vpn to enhance security on t-mobile hotspot?
    thanx for your help.

    Multi-Host is not the right option for you. In this Multi-Host only one device has to successfully authenticate to authenticate all device on that port.
    You need to set host-mode to  "multi-auth"

  • Kindly Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN ?

    Is the Linksys E4200 Dual Band Router compatible with DHCP and VPN?

    Linksys/Cisco E4200 are compatible with DHCP. Second, these Wireless-N routers are only capable of enabling the VPN traffic to pass through the device.  You will need a VPN router and software to create the actual network to connect with your VPN client.

  • Cisco IOS supporting both voice and vpn

    Hi Friends
    I have one 2821 router. Can anyone suggest which IOS will support both voice and VPN?

    Questions like this are better/faster answered by checking feature navigator.
    My suggestion is to run an MD release.
    Also a bit dated document:
    For old software and hardware you can also check out Figure 1 here:

  • Secured server with SSH and VPN?

    Have an Archbox at home and when I'm traveling I would like to connect to my Archlinux box at home to grab files and such things.
    Using ADSL with a static IP and a D-Link router.
    If I create a port forwarding rule of port 443 to my Archlinux box and use it to connect with SSH and VPN, is that secure enough?
    I have family photos and stuff on the server that I don't want to be hacked or spread. Not a high target for hackers but for scriptkiddies!
    So, will a port forwarding rule and the use of an SSH daemon and a VPN server software make me secure all the way? The VPN and SSH are encrypted, right?
    Any suggestions of a good VPN application?
    Server daemon for the "archserver" and clients for my laptop with dualboot, vista and archlinux.

    Yeah, SSH or OpenVPN should be perfectly fine.
    However, why port 443? If someone is scanning a large range of IP-addresses for commonly open ports to find active servers, they will most likely scan port 21, 22, 25, 80, 110, 443, etc. as these ports usually run the most interesting services.
    Since it has no impact on the usability, choose a high port, between 10000-65000, which is not commonly used. That way your system will not be identified as active by a simple portscan searching for active servers.
    You don't have to be worried about attacks targeted directly against you; if you don't have anything interesting on your system, a cracker wouldn't spend time on manually breaking into your system. Just mask yourself from worms etc. by using uncommon ports. Using SSH or OpenVPN will handle encryption, which ensures data integrity, even when you're connected to an unencrypted hotspot somewhere in the world on your vacation.
    If you set up OpenVPN, you'll also have the possibility of routing all your Internet traffic through your home system, which can be very handy in terms of surfing and checking mail from unencrypted hotspots around the world.

  • MPLs and ATM configuration

    Please i need some information about configuring MPLS and ATM and the addcon command

    Please look at the following documents and let me know if they address the questions you have.
    Integrating MPLS with IP and ATM :
    Configuring MPLS with the BPX Switch and the 6400/7200/7500 Routers:
    Designing MPLS for ATM:
    Let me know if this helps,

  • I need to know how to configure wi-fi and VPN on m...

    I need to know how to configure wi-fi and VPN on my E61i.
    everytime I search for any available WLAN,I find one(in my company)and when start browsing,it gives me(WLAN not found).
    What should I do?

    iOS: Connecting to the Internet
