MPLS IP-VPN compatibility
Hi, we have lots of members running on 2 Cisco 2611s with HA configured (HSRP, ISDN backup, etc.). There are 2 scenarios here, as follows:
i. 2 units of 2611 routers, each with a dedicated LL, one connected to HQ, the other connected to DR.
ii. 2 units of 2611 routers with only one having a dedicated LL; the other provides ISDN DDR when the LL on the first fails.
iii. 1 unit of 2611 router with trunking to a 2950 switch, having a dedicated LL and ISDN DDR.
For the first scenario, when the members have 2 dedicated LLs, they are normally from different telco providers. Now there's one single telco offering us the chance to upgrade to MPLS IP-VPN for an interesting rate. What I'm wondering is, can it work that way?
I have my 6509s with Sup720 at both HQ and DR, and I have had a good vendor all the while. If part of the members start to accept the MPLS-VPN, is there any integration problem? Will the configured HA still work?
The thing that worries me most is the core layer part, since the member gets the router through a router distribution from the core router in EIGRP, and the ISDN DDR will redistribute the static when the ISDN is active. How does MPLS fit into my network?
Hello,
In principle everything can work. The design in question has one leased line (or ISDN) to the HQ and another path through an MPLS VPN. The issue you will have to deal with is to carefully design your dynamic routing. In case you have EIGRP, then an internal route will always be preferred over an external route. It is most likely to get external routes through the MPLS VPN - depending on implementation details.
Thus you might have the problem of proper primary/backup path selection and also with routing loops. The underlying reason for both is the redistribution in MP-BGP at the MPLS PE router.
You need to get more details on the implementation in the SP network to avoid any pitfalls. EIGRP supports backdoors in an MPLS VPN environment, but the question is, whether your telco does as well.
So it might work, but careful routing design is a must and involves you and the telco. HA is still possible, ISDN backup is possible as well. Depending on your specific implementation details you might need some route tagging and redistribution filters implemented by yourself or the telco to avoid the aforementioned problems.
Hope this helps! Please rate all posts.
Regards, Martin
Similar Messages
-
Would like to know if you can specify a general static route with mpls. I have three sites in a hub and spoke. Spoke A is linked to the hub site via a site vpn to a hub site isr. Spoke B is linked to the hub via mpls to a standalone mpls isr. I can’t get from spoke A to B and from spoke B to A. The mpls isp tells me that I cannot do this because spoke A’s local subnet is not part of the mpls peering(and is on another isp). Don’t have a lot of familiarity with mpls but I am wondering why you cannot do a static route of the form: ip route <spoke A lan> <mask> <hub site isr> in either of the mpls isr’s?
Hi,
So:
B --- mpls ----- HUB ---- vpn ---- A.
HUB connects to A and B, right?
I do not see any problem with doing a static route like you said on the client vrf (client from isp point of view).
Maybe they are afraid of backdoor route on the mpls (not the case) or there are some conflicts between mpls management ip addressing and spoke A lan.
I have various similar configurations in mpls with static routes, ospf , rip and bgp without any problems and using different isps.
Ask your mpls isp what is the reason to not create that static? Instead you can ask to make default to a router in your management.
Regards,
Pedro Lereno -
I need to implement Hub and Spoke MPLS L3 VPN. Scenario is we are implementing 30 VPNs on one Router i.e. 10720 in single VRF and with same RD. How can I implement Hub and Spoke in this case?
When you want to have an MPLS/vpn hub and spoke topology, the HUB-PE router will need to have 2 vrf's. One which we can call 'from-spokes' and another 'to-spokes'. In the first one, we will have the routes that are being received from the spokes. In the other one, we will have the routes that will be advertised to the spokes; in this one we will certainly NOT have the routes to the other spokes. The HUB-PE needs to have 2 interfaces or sub-interfaces connected towards the CE site. One interface will be in "from-spokes" VRF and the other one will be in "to-spokes" VRF. That way the traffic coming from one spoke will always go to the CE via one vrf interface, then come back from the CE via the other vrf interface and sent out towards the other spoke. This is the general overview of a Hub-spoke mpls-vpn topology.
-
Hi,
What is L2 MPLS VPN & how to configure it end-to-end? What are the differences with L3 VPN?
What is vrflite & what are the pros/cons of the same?
Br/Subhojit
In an MPLS L3 VPN the service provider carries the route for the customer. The network is not transparent meaning that layer 2 traffic such as broadcast and control plane traffic like CDP/LACP/STP etc is not carried for the customer.
There are different L2 VPNS such as Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
EoMPLS is a point to point layer 2 service which does no MAC learning and it is transparent to the customer meaning that the customer can connect two switches together over the "cloud".
VPLS is a multipoint to multipoint technology. Essentially to the customer the provider network looks like a big switch. Several sites can be connected together and traffic here is also transparent.
Because these are layer 2 services the customer would be responsible themselves for providing routing in the network.
VRF lite is a form of L3 VPN but it's not running MPLS. Instead it uses VLANs to separate customer traffic. The cons are that it requires more configuration, is less scalable and needs peering in multiple VRFs compared to just peering in the VPNv4 address family.
Daniel Dib
CCIE #37149
Please rate helpful posts. -
Could MPLS L3 VPN forward packet which CE configure VRF Lite?
Or does anyone have a lab for my test? Please share.
Diagram:
vrf lite - mplsl3 vpn - vrf lite
Will it have any change on mpls l3vpn configuration?
Thank you very much.
I tested the lab following this document and it works. I tested with static routes and OSPF and it works. Now I'm testing with BGP routes. I found the PE doesn't send the BGP routes from the other sites to the CE. What should I do?
Topology:
BGP vrf lite (vrf v11) CE1 - BGP - MPLS L3VPN (vrf v1) PE1 - PE2 (vrf v1) MPLS L3VPN - BGP - CE2 (vrf v11) vrf lite BGP
PE1#sho ip rou vrf v1
Gateway of last resort is not set
B 10.0.252.1/32 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d22h
B 10.0.252.2/32 [200/0] via 10.0.0.14 (nexthop in vrf default), 1d22h
L 10.0.252.3/32 is directly connected, 1d22h, Loopback101
B 38.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
B 39.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 05:13:07
B 40.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
C 41.0.0.0/24 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
L 41.0.0.3/32 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
B 208.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 00:06:55
B 209.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 00:08:14
B 210.0.0.0/24 [20/0] via 41.0.0.8, 00:11:17
CE1#sho ip bgp vpnv4 vrf v11
BGP table version is 23, local router ID is 172.16.30.5
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 800:1 (default for vrf v11)
*> 10.0.252.1/32 41.0.0.3 0 18252 ?
*> 10.0.252.2/32 41.0.0.3 0 18252 ?
*> 10.0.252.3/32 41.0.0.3 0 0 18252 ?
*> 38.0.0.0/24 41.0.0.3 0 18252 ?
*> 39.0.0.0/24 41.0.0.3 0 18252 ?
*> 40.0.0.0/24 41.0.0.3 0 18252 ?
r> 41.0.0.0/24 41.0.0.3 0 0 18252 ?
*> 210.0.0.0 0.0.0.0 0 32768 i
CE1# -
I am looking for a good description of MPLS/VPN; we want to use ISIS and BGP as routing protocols.
What we also need is a detailed description of a configuration example.
Can you provide such information?
Detailed information can be found at (within these URLs, there are several links to understand and configure MPLS/VPN with ISIS or BGP):
MPLS http://www.cisco.com/warp/customer/105/mpls_index.shtml
ISIS
http://www.cisco.com/warp/customer/97/index.shtml
BGP
http://www.cisco.com/warp/customer/459/18.html -
Load balance between MPLS and VPN
Dear All
There are two locations, site A and site B. I am confused with it. Any one can help to understand it? The site A and B are connected with two paths. One is MPLS and another is VPN over internet. we want MPLS as primary path and L2L VPN as backup. Only when primary path is down, VPN can be used. How can we configure it? Can you give me suggestion? or a link. Thank you.
Hello yangfrank,
You can set this with a floating static using tracking with ip sla.
Your primary route will be via MPLS
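! primary default route via MPLS, installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 x.x.x.x track 1
! floating backup via VPN, administrative distance 10
ip route 0.0.0.0 0.0.0.0 y.y.y.y 10
! probe z.z.z.z sourced from the MPLS interface
ip sla 1
 icmp-echo z.z.z.z source-interface gix/x
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability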
here are examples:
http://networklessons.com/ip-routing/reliable-static-routing-with-ip-sla/
http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/813-cisco-router-ipsla-basic.html
hope this helps -
Nortel VPN Compatibility issue
Hi All,
I'm a newbie in using BPM studio 10.3, I just want to ask something about BPM Studio 10.3. The scenario is every time I run the project on my laptop, the project wont run on my browser. I think the reason is that I'm using Nortel VPN. My question is, do you know how would I set up my studio or my laptop so that the project would run on my browser while using Nortel VPN?
I have a copy of Windows XP that I want to install on my iMac using Boot Camp. Once I get it installed, I want to be able to set up my Mac so that I can VPN to work computer, which runs Windows XP as well. If I boot up my Mac to run Windows, would I be able to install all necessary components for VPN just like I was using a PC?
Thanks.
Hi Christine,
as Lyssa already said, after the Windows installation and the BootCamp Driver installation, your Mac-Windows is like any other Windows-PC.
Ask the IT-guys at work how to configure the built-in VPN-client in XP.
If you need a VNC-client I use RealVNC in Windows XP to connect.
You even can do a VPN/VNC-connection with Mac OSX to a Windows-PC. For that I use the built-in VPN of OSX and JollyFastVNC.
Regards
Stefan -
Issue with VPN compatibility between 2811 and 2911
hello
I would like to ask if anyone has had any issues with setting up a VPN tunnel between 2811 and 2911?
The IPSec VPN is established but for some reason I cannot ping the LAN side to the other LAN side of the other end of the VPN Router?
Any experience would be much appreciated
Thanks
IPSec VPN can be set up with no problem between any cisco routers (and not necessarily cisco), so there should be no issues in your case.
If you say that tunnel is established successfully, then problem most probably related to routing issues between sites or incorrect crypto-acl configured. Check if hosts on both sites have correct routing information on how to get to subnets on the other site.
To make more accurate assumptions it would help if you provide config on both sites and describe your topology. -
Cisco VPN compatibility problem
I am running the Cisco VPN client (version 2.5.1025) on a late 2010 iMac and on a late 2010 Macbook Air (both running OS 10.6.7). On the iMac, there is a problem after closing the VPN connection and quitting the client: most things are normal, but I no longer have internet access on the iMac. While I seem to have a local ip address and name server, according to system setting, the internet hangs. This is true both for wired and for wireless internet. The only solution seems to be to restart the iMac, and then everything is normal.
Exactly the same version of the Cisco client works fine on the Macbook Air. It quits normally. I have no problem accessing the internet after quitting.
Can you give me any help?
Where did you find this Cisco VPN Client? Did you download it from iTunes as an application?
Or was it the VPN Client that comes as part of the 1.1.4 jailbreak? -
Personal VPN compatability and recommendation
Hi, I would like to use a personal VPN service (similar to WiTopia http://www.witopia.net/personalmore.html).
If I buy a personal VPN service, can I put the settings in Airport Extreme and have all my computers secured through VPN?
Do you have any recommendations for VPN services ?
Thanks,
After the Genius Bar guys at our Hamburg Apple Store had given up on this issue, I finally solved the problem - my VPN is up and running!
After re-installing both OS X Lion and Lion Server several times I realized that certain settings (apparently also for the VPN server) are kept in the invisible recovery partition that Lion installed on my Mac Mini (e.g., 'com.apple.RemoteAccessServers.plist'). They even survived a reformatting of the hard drive. Something must have gone wrong the first time I tried to set up the VPN server and the "sudo serveradmin settings vpn" command revealed that the settings survived every re-installation.
Therefore, I physically removed the hard drive and formatted it using a different Mac running Snow Leopard.
It is important not only to erase the disk but also to partition it. This might even work under Lion without having to remove the drive...
After another re-installation of OS X Lion on the clean drive over the Internet from Apple's server (pressing the command-R keys while rebooting) I did a system update and subsequently installed the Server app.
After that I was able to start the VPN server from the Server app.
Inside my local network it was then possible to connect to the VPN server from an iPad 2 (iOS 4.3.5) and from an old Powerbook G4 (Leopard), but not from a MacBook Pro with Snow Leopard.
However, all clients were able to make an external connection through my Deutsche Telekom Router (SpeedPort 722V) with forwarding of ports 1701 (UDP), 500 (UDP) and 4500 (UDP) and enabled GRE and ESP protocols.
For the sake of security I have disabled (closed) all arbitrary ports of the server's own firewall while its local network ports (192.168.x.y) are all open to enable any internal connections.
It is a serious restriction, however, that the Lion Server only offers the L2TP VPN protocol. Maybe the commercial iVPN solution is an acceptable workaround: http://macserve.org.uk/.
Regards, Björn -
Need to implement HUB and SPOKE topology while all customers are on same PE 10720, same VRF and same RD as directly connected. One directly connected site should act as HUB and all other sites are SPOKES and requirement is that SPOKES can not communicate with each other.
Hi,
you need to create a VRF per SPOKE and one for the Hub. Example config excerpt:
ip vrf Hub
 rd 65000:1
 route-target export 65000:1
 route-target import 65000:2
!
ip vrf SPOKE1
 rd 65000:101
 route-target export 65000:2
 route-target import 65000:1
!
ip vrf SPOKE2
 rd 65000:102
 route-target export 65000:2
 route-target import 65000:1
!
interface Serial1/0
 description to Hub
 ip vrf forwarding Hub
 ip address 10.1.1.1 255.255.255.252
!
interface Serial1/1
 description to SPOKE1
 ip vrf forwarding SPOKE1
 ip address 10.1.101.1 255.255.255.252
!
interface Serial1/2
 description to SPOKE2
 ip vrf forwarding SPOKE2
 ip address 10.1.102.1 255.255.255.252
Your naming, IP addresses etc. may be different. The main point here is: no SPOKE will import any route from another SPOKE, only from the Hub site. Thus spokes do not get connectivity to each other. The hub site imports all spoke routes, thus can connect everywhere.
What is missing in the example above is the respective routing contexts for each VRF. You are free to choose appropriate protocols on a per VRF basis and redistribute them into MP-BGP.
Hope this helps! Please rate all posts.
Regards, Martin -
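The route-target import/export logic of the Hub/SPOKE excerpt above, modelled as an added Python example (not part of the original post and not router code) to check that no spoke VRF ever installs another spoke's prefix. The /30 prefixes are derived from the interface addresses in the post; the data layout, function names and the extra-import misconfiguration are assumptions made for illustration.

```python
from ipaddress import ip_network

# VRFs from the excerpt above. "connected" is the /30 derived from each
# interface address in the post; the dict layout itself is an assumption.
VRFS = {
    "Hub":    {"export": {"65000:1"}, "import": {"65000:2"},
               "connected": ip_network("10.1.1.0/30")},
    "SPOKE1": {"export": {"65000:2"}, "import": {"65000:1"},
               "connected": ip_network("10.1.101.0/30")},
    "SPOKE2": {"export": {"65000:2"}, "import": {"65000:1"},
               "connected": ip_network("10.1.102.0/30")},
}


def build_tables(vrfs):
    """Return {vrf: {prefix: origin vrf}} after route-target import.

    Each VRF holds its own connected prefix and installs another VRF's
    prefix only if that VRF exports at least one RT this VRF imports.
    Imported routes are not re-exported, so nothing transits the hub VRF.
    """
    tables = {}
    for name, vrf in vrfs.items():
        table = {vrf["connected"]: name}
        for other, peer in vrfs.items():
            if other != name and peer["export"] & vrf["import"]:
                table[peer["connected"]] = other
        tables[name] = table
    return tables


def can_communicate(vrfs, a, b):
    """Traffic flows both ways only if each side has a route to the other."""
    tables = build_tables(vrfs)
    return (vrfs[b]["connected"] in tables[a]
            and vrfs[a]["connected"] in tables[b])


def spoke_leaks(vrfs, hub="Hub"):
    """List (spoke, origin) pairs where a spoke VRF holds another spoke's route."""
    return sorted((name, origin)
                  for name, table in build_tables(vrfs).items() if name != hub
                  for origin in table.values() if origin not in (name, hub))


def with_import(vrfs, name, rt):
    """Copy of the VRF set with one extra import RT on a single VRF."""
    copy = {n: {**v, "import": set(v["import"])} for n, v in vrfs.items()}
    copy[name]["import"].add(rt)
    return copy


if __name__ == "__main__":
    print("Hub <-> SPOKE1:", can_communicate(VRFS, "Hub", "SPOKE1"))
    print("SPOKE1 <-> SPOKE2:", can_communicate(VRFS, "SPOKE1", "SPOKE2"))
    print("leaks as posted:", spoke_leaks(VRFS))
    # Constructed misconfiguration: SPOKE1 also imports the spoke RT.
    print("leaks with extra import:",
          spoke_leaks(with_import(VRFS, "SPOKE1", "65000:2")))
```

Running the same check against the route-target lines of a real configuration flags a single stray import on a spoke VRF, even when the leak is only one-way and a ping test between spokes would still fail.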
Performance end to end testing and comparison between MPLS VPN and VPLS VPN
Hi,
I am a student of MSc Network Security and as for my project which is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing" I have heard a lot of buzz about VPLS as becoming NGN, I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3, with respect to the MPLS L3 VPN lab setup that is not a problem but I am stuck at the VPLS part how to setup that? I have searched but unable to find any cost effective means, even it is not possible in the university lab as we don't have 7600 series
I would appreciate any support, guidance, advice.
Thanks
Shahbaz
Hi Shahbaz,
I am not completely sure I understand your request.
MPLS VPN and VPLS are 2 technologies meant to address to different needs, L3 VPN as opposed as L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
Ingress PE impose 2 labels (at least)
Core Ps swap top most MPLS label
Egress PE removes last label exposing underlying packet or frame.
So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
Riccardo -
L2 MPLS VPN between different branches
Dear Experts ,
I want to have my different offices to use same IP address range (from a centrally managed DHCP server) . Is this scenario possible with MPLS L2 VPN ?
I know that we can do L2 between two branches by using xconnect but what if i have multiple branches ?
regards
haris
Hi,
Your purpose can be solved using VPLS.
You can also create multiple Pseudowires from the HUB to different branches, however, all PWs will use different IP address range- which goes against your requirement.
HTH.
Regards,
Amit.