MPLS IP-VPN compatibility

Hi, we have lots of members running on 2 Cisco 2611s with HA configured (HSRP, ISDN backup, etc.). There are 2 scenarios here, as follows:
i. 2 units of 2611 routers, each with a dedicated LL, one connected to HQ, the other connected to DR.
ii. 2 units of 2611 routers where only one has a dedicated LL; the other provides ISDN DDR when the LL on the first fails.
iii. 1 unit of 2611 router with trunking to a 2950 switch, with a dedicated LL and ISDN DDR.
For the first scenario, when the members have 2 dedicated LLs, they are normally from different telco providers. Now there's one single telco offering us the chance to upgrade to MPLS IP-VPN for an interesting rate. What I'm wondering is, can it work that way?
I have my 6509s with Sup720 at both HQ and DR, and I have had a good vendor all the while. If some of the members start to accept the MPLS-VPN, is there any integration problem? Will the configured HA still work?
The thing that worries me most is the core layer part, since the members get the router through a router distribution from the core router in EIGRP, and the ISDN DDR will redistribute the static when the ISDN is active. How does MPLS fit into my network?

Hello,
In principle everything can work. The design in question has one leased line (or ISDN) to the HQ and another path through an MPLS VPN. The issue you will have to deal with is to carefully design your dynamic routing. In case you have EIGRP, then an internal route will always be preferred over an external route. It is most likely to get external routes through the MPLS VPN - depending on implementation details.
Thus you might have the problem of proper primary/backup path selection and also with routing loops. The underlying reason for both is the redistribution in MP-BGP at the MPLS PE router.
You need to get more details on the implementation in the SP network to avoid any pitfalls. EIGRP supports backdoors in an MPLS VPN environment, but the question is, whether your telco does as well.
So it might work, but careful routing design is a must and involves you and the telco. HA is still possible, ISDN backup is possible as well. Depending on your specific implementation details you might need some route tagging and redistribution filters implemented by yourself or the telco to avoid the aforementioned problems.
Hope this helps! Please rate all posts.
Regards, Martin

Similar Messages

  • Mpls and Vpn

    Would like to know if you can specify a general static route with mpls.  I have three sites in a hub and spoke. Spoke A is linked to the hub site via a site vpn to a hub site isr.  Spoke B is linked to the hub via mpls to a standalone mpls isr.  I can’t get from spoke A to B and from spoke B to A.  The mpls isp tells me that I cannot do this because spoke A’s local subnet is not part of the mpls peering(and is on another isp).  Don’t have a lot of familiarity with mpls but  I am wondering why you cannot do a static route of the form: ip route <spoke A lan> <mask> <hub site isr> in either of the mpls isr’s? 

    Hi,
    So:
    B --- mpls ----- HUB ---- vpn ---- A.
    HUB connects to A and B, right?
    I do not see any problem on doing a static route like you said on the client vrf (client from isp point of view).
    Maybe they are afraid of backdoor route on the mpls (not the case) or there are some conflicts between mpls management ip addressing and spoke A lan.
    I have various similar configurations in mpls with static routes, ospf , rip and bgp without any problems and using different isps.
    Ask your mpls isp what is the reason to not create that static? Instead you can ask to make default to a router in your management.
    Regards,
    Pedro Lereno

  • MPLS L3 VPNs

    I need to implement Hub and Spoke MPLS L3 VPN. Scenario is we are
    implementing 30 VPNs on one Router i.e. 10720 in single VRF and with same
    RD. How can I implement Hub and Spoke in this case?

    When you want to have an MPLS/vpn hub and spoke topology, the HUB-PE router will need to have 2 vrf's. One which we can call 'from-spokes' and another 'to-spokes'. In the first one, we will have the routes that are being received from the spokes. In the other one, we will have the routes that will be advertised to the spokes; in this one we will certainly NOT have the routes to the other spokes. The HUB-PE needs to have 2 interfaces or sub-interfaces connected towards the CE site. One interface will be in the "from-spokes" VRF and the other one will be in the "to-spokes" VRF. That way the traffic coming from one spoke will always go to the CE via one vrf interface, then come back from the CE via the other vrf interface and be sent out towards the other spoke. This is the general overview of a Hub-spoke mpls-vpn topology.

  • MPLS L2 VPN

    Hi,
    What is L2 MPLS VPN & how to configure it end-to-end? What are the differences with L3 VPN?
    What is vrflite & what are the pros/cons of the same?
    Br/Subhojit

    In an MPLS L3 VPN the service provider carries the route for the customer. The network is not transparent, meaning that layer 2 traffic such as broadcast and control plane traffic like CDP/LACP/STP etc. is not carried for the customer.
    There are different L2 VPNs such as Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
    EoMPLS is a point to point layer 2 service which does no MAC learning and it is transparent to the customer meaning that the customer can connect two switches together over the "cloud".
    VPLS is a multipoint to multipoint technology. Essentially to the customer the provider network looks like a big switch. Several sites can be connected together and traffic here is also transparent.
    Because these are layer 2 services the customer would be responsible themselves for providing routing in the network.
    VRF lite is a form of L3 VPN but it's not running MPLS. Instead it uses VLANs to separate customer traffic. The cons are that it requires more configuration, is less scalable and needs peering in multiple VRFs compared to just peering in the VPNv4 address family.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • Could MPLS L3 VPN forward packet which CE configure VRF Lite?

    Or does anyone have a lab for my test? Please share.
    Diagram:
    vrf lite - mplsl3 vpn - vrf lite
    Will it have any change on mpls l3vpn configuration?
    Thank you very much.

    I tested the lab following this document and it works. I tested with static routes and OSPF and it works. Now I'm testing with BGP routes. I found the PE doesn't send the BGP routes from the other sites to the CE. What should I do?
    Topology:
    BGP vrf lite (vrf v11) CE1 - BGP - MPLS L3VPN (vrf v1) PE1 - PE2 (vrf v1) MPLS L3VPN - BGP - CE2 (vrf v11) vrf lite BGP
    PE1#sho ip rou vrf v1
    Gateway of last resort is not set
    B    10.0.252.1/32 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d22h
    B    10.0.252.2/32 [200/0] via 10.0.0.14 (nexthop in vrf default), 1d22h
    L    10.0.252.3/32 is directly connected, 1d22h, Loopback101
    B    38.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    B    39.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 05:13:07
    B    40.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    C    41.0.0.0/24 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    L    41.0.0.3/32 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    B    208.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 00:06:55
    B    209.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 00:08:14
    B    210.0.0.0/24 [20/0] via 41.0.0.8, 00:11:17
    CE1#sho ip bgp vpnv4 vrf v11
    BGP table version is 23, local router ID is 172.16.30.5
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 800:1 (default for vrf v11)
    *> 10.0.252.1/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.2/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.3/32    41.0.0.3                 0             0 18252 ?
    *> 38.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 39.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 40.0.0.0/24      41.0.0.3                               0 18252 ?
    r> 41.0.0.0/24      41.0.0.3                 0             0 18252 ?
    *> 210.0.0.0        0.0.0.0                  0         32768 i
    CE1#

  • MPLS using VPN and ISIS

    I am looking for a good description of MPLS/VPN; we want to use ISIS and BGP as routing protocols.
    What we also need is a detailed description of a configuration example.
    Can anyone provide such information?

    Detailed information can be found at (within these URLs, there are several links to understand and configure MPLS/VPN with ISIS or BGP):
    MPLS http://www.cisco.com/warp/customer/105/mpls_index.shtml
    ISIS
    http://www.cisco.com/warp/customer/97/index.shtml
    BGP
    http://www.cisco.com/warp/customer/459/18.html

  • Load balance between MPLS and VPN

    Dear All
    There are two locations, site A and site B. I am confused with it. Any one can help to understand it? The site A and B are connected with two paths. One is MPLS and another is VPN over internet. we want MPLS as primary path and L2L VPN as backup. Only when primary path is down, VPN can be used. How can we configure it ? Can you give me suggestion ? or a link. Thank you.

    Hello yangfrank,
    You can set this with a floating static using tracking with ip sla.
    Your primary route will be via MPLS
    ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1 (via MPLS)
    ip route 0.0.0.0 0.0.0.0 y.y.y.y 10 (via VPN)
    ip sla 1
    icmp-echo z.z.z.z source-interface gix/x (MPLS interface)
    ip sla schedule 1 life forever start-time now
    track 1 ip sla 1 reachability
    here are examples:
    http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
    http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
    hope this helps

  • Nortel VPN Compatibility issue

    Hi All,
    I'm a newbie in using BPM studio 10.3, I just want to ask something about BPM Studio 10.3. The scenario is every time I run the project on my laptop, the project wont run on my browser. I think the reason is that I'm using Nortel VPN. My question is, do you know how would I set up my studio or my laptop so that the project would run on my browser while using Nortel VPN?

    IPSec VPN can be set up with no problem between any cisco routers (and not necessarily cisco), so there should be no issues in your case.
    If you say that tunnel is established successfully, then problem most probably related to routing issues between sites or incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
    To make more accurate assumptions it would help if you provide config on both sites and describe your topology.

  • VPN compatibility

    I have a copy of Windows XP that I want to install on my iMac using Boot Camp. Once I get it installed, I want to be able to set up my Mac so that I can VPN to work computer, which runs Windows XP as well. If I boot up my Mac to run Windows, would I be able to install all necessary components for VPN just like I was using a PC?
    Thanks.

    Hi Christine,
    as Lyssa already said, after the Windows installation and the BootCamp Driver installation, your Mac-Windows is like any other Windows-PC.
    Ask the IT-guys at work how to configure the built-in VPN-client in XP.
    If you need a VNC-client I use RealVNC in Windows XP to connect.
    You even can do a VPN/VNC-connection with Mac OSX to a Windows-PC. For that I use the built-in VPN of OSX and JollyFastVNC.
    Regards
    Stefan

  • Issue with VPN compatibility between 2811 and 2911

    Hello,
    I would like to ask whether anyone has had any issues with setting up a VPN tunnel between 2811 and 2911?
    The IPSec VPN is established but for some reason I cannot ping from the LAN side to the LAN side at the other end of the VPN Router?
    Any experience would be much appreciated.
    Thanks

    IPSec VPN can be set up with no problem between any cisco routers (and not necessarily cisco), so there should be no issues in your case.
    If you say that tunnel is established successfully, then problem most probably related to routing issues between sites or incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
    To make more accurate assumptions it would help if you provide config on both sites and describe your topology.

  • Cisco VPN compatibility problem

    I am running the Cisco VPN client (version 2.5.1025) on a late 2010 iMac and on a late 2010 Macbook Air (both running OS 10.6.7). On the iMac, there is a problem after closing the VPN connection and quitting the client: most things are normal, but I no longer have internet access on the iMac.  While I seem to have a local ip address and name server, according to system setting, the internet hangs.  This is true both for wired and for wireless internet. The only solution seems to be to restart the iMac, and then everything is normal.
    Exactly the same version of the Cisco client works fine on the Macbook Air.  It quits normally.  I have no problem accessing the internet after quitting.
    Can you give me any help?

    Where did you find this Cisco VPN Client? Did you download it from iTunes as an application?
    Or was it the VPN Client that comes as part of the 1.1.4 jailbreak?

  • Personal VPN compatibility and recommendation

    Hi, I would like to use a personal VPN service (similar to WiTopia http://www.witopia.net/personalmore.html).
    If I buy a personal VPN service, can I put the settings in Airport Extreme and have all my computers secured through VPN?
    Do you have any recommendations for VPN services ?
    Thanks,

    After the Genius Bar guys at our Hamburg Apple Store had given up on this issue, I finally solved the problem - my VPN is up and running!
    After re-installing both OS X Lion and Lion Server several times I realized that certain settings (apparently also for the VPN server) are kept in the invisible recovery partition that Lion installed on my Mac Mini (e.g., 'com.apple.RemoteAccessServers.plist'). They even survived a reformatting of the hard drive. Something must have gone wrong the first time I tried to set up the VPN server and the "sudo serveradmin settings vpn" command revealed that the settings survived every re-installation.
    Therefore, I physically removed the hard drive and formatted it using a different Mac running Snow Leopard.
    It is important not only to erase the disk but also to partition it. This might even work under Lion without having to remove the drive...
    After another re-installation of OS X Lion on the clean drive over the Internet from Apple's server (pressing the command-R keys while rebooting) I did a system update and subsequently installed the Server app.
    After that I was able to start the VPN server from the Server app.
    Inside my local network it was then possible to connect to the VPN server from an iPad 2 (iOS 4.3.5) and from an old Powerbook G4 (Leopard), but not from a MacBook Pro with Snow Leopard.
    However, all clients were able to make an external connection through my Deutsche Telekom Router (SpeedPort 722V) with forwarding of ports 1701 (UDP), 500 (UDP) and 4500 (UDP) and enabled GRE and ESP protocols.
    For the sake of security I have disabled (closed) all arbitrary ports of the server's own firewall while its local network ports (192.168.x.y) are all open to enable any internal connections.
    It is a serious restriction, however, that the Lion Server only offers the L2TP VPN protocol. Maybe the commercial iVPN solution is an acceptable workaround: http://macserve.org.uk/.
    Regards, Björn

  • MPLS L3 VPN

    Need to implement HUB and SPOKE topology while all customers are on same PE 10720, same VRF and same RD as directly connected. One directly connected site should act as HUB and all other sites are SPOKES and requirement is that SPOKES can not communicate with each other.

    Hi,
    you need to create a VRF per SPOKE and one for the Hub. Example config excerpt:
    ip vrf Hub
    rd 65000:1
    route-target export 65000:1
    route-target import 65000:2
    ip vrf SPOKE1
    rd 65000:101
    route-target export 65000:2
    route-target import 65000:1
    ip vrf SPOKE2
    rd 65000:102
    route-target export 65000:2
    route-target import 65000:1
    interface Serial1/0
    description to Hub
    ip vrf forwarding Hub
    ip address 10.1.1.1 255.255.255.252
    interface Serial1/1
    description to SPOKE1
    ip vrf forwarding SPOKE1
    ip address 10.1.101.1 255.255.255.252
    interface Serial1/2
    description to SPOKE2
    ip vrf forwarding SPOKE2
    ip address 10.1.102.1 255.255.255.252
    Your naming, IP addresses etc. may be different. The main point here is: no SPOKE will import any route from another SPOKE, only from the Hub site. Thus spokes do not get connectivity to each other. The hub site imports all spoke routes, thus can connect everywhere.
    What is missing in the example above is the respective routing contexts for each VRF. You are free to choose appropriate protocols on a per VRF basis and redistribute them into MP-BGP.
    Hope this helps! Please rate all posts.
    Regards, Martin
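
Added example, not part of the post above: a short Python check that parses the VRF definitions from the excerpt and confirms that no spoke VRF imports a route target exported by another spoke. The function names are illustrative, and the check models only route-target matching on the PE, not routes that a hub CE might re-advertise.

```python
import re

# Constructed input: the VRF definitions from the excerpt above, re-indented.
CONFIG = """\
ip vrf Hub
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
ip vrf SPOKE1
 rd 65000:101
 route-target export 65000:2
 route-target import 65000:1
ip vrf SPOKE2
 rd 65000:102
 route-target export 65000:2
 route-target import 65000:1
"""

def parse_vrfs(config):
    """Return {vrf_name: {"export": set(), "import": set()}} from IOS-style text."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
        elif line and not raw.startswith(" "):
            current = None  # any other top-level command ends the VRF block
    return vrfs

def import_matrix(vrfs):
    """Map each VRF to the set of other VRFs whose exported routes it imports."""
    return {
        name: {other for other, o in vrfs.items()
               if other != name and o["export"] & v["import"]}
        for name, v in vrfs.items()
    }

def isolation_violations(vrfs, hub):
    """Return (importer, source) pairs where one spoke imports another spoke's routes."""
    matrix = import_matrix(vrfs)
    return sorted((a, b) for a, srcs in matrix.items() if a != hub
                  for b in srcs if b != hub)

if __name__ == "__main__":
    vrfs = parse_vrfs(CONFIG)
    for name, srcs in import_matrix(vrfs).items():
        print(f"{name} imports from: {sorted(srcs) or 'nothing'}")
    print("spoke-to-spoke violations:", isolation_violations(vrfs, "Hub"))
```

Running the same check against a candidate change before it is applied catches a stray `route-target import` that would silently join two spokes.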

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security, and my project is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing". I have heard a lot of buzz about VPLS becoming NGN, and I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3. The MPLS L3 VPN lab setup is not a problem, but I am stuck at the VPLS part: how do I set that up? I have searched but am unable to find any cost-effective means; it is not even possible in the university lab as we don't have the 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo

  • L2 MPLS VPN between different branches

    Dear Experts ,
    I want to have my different offices to use same IP address range (from a centrally managed DHCP server)  . Is this scenario possible with MPLS L2 VPN ?
    I know that we can do L2 between two branches by using xconnect  but what if i have multiple branches ?
    regards
    haris

    Hi,
    Your purpose can be solved using VPLS.
    You can also create multiple Pseudowires from the HUB to different branches, however, all PWs will use different IP address range- which goes against your requirement.
    HTH.
    Regards,
    Amit.
