Primary on MPLS Network + Backup on Internet LL

Pain Area and aspects for consideration:

• If any location on MPLS Network goes down?
• Any MPLS Backbone issues with the Service Provider?
• Will Internet provide secured communication?
• Up to what level of redundancy?
• How much bandwidth is required at each location?
• Will it be manual intervention?
• What Routing protocol needs to be run between CE-PE?
• What would be the default-gateway IP address of LAN equipment’s?
• How many ports required to connecting 2 Service Provider in 2 CPE’s?

- Solution Proposed

This solution is for those MPLS customer who are running MPLS Network from one Service provider and wanted to have backup on Internet lease Line which will be furthure termiated on Firewall/Router  and create IPSEC/GRE tunnel over Internet.Since MPLS is most secure cloud for communication and customer don’t want to compromise in terms of security, so they wanted to flow traffic over Internet but on secure tunnel. As everybody knows that most of failure happens at Last mile end of the Service Provider or CPE end which leads to high down time and less availability of the mission critical sites which affects business processes. One of the best ways to reduce down time along with security is to have Internet leased connectivity from other service provider in every Spoke location and take bigger Internet Leased connectivity at Main (HUB) location which will work as active-failover mode. Prime location should have bigger Internet bandwidth because if n no of MPLS spokes goes down in that case traffics comes through spokes over Internet and will aggregate in Main location. MPLS should be terminated on single CPE and Internet should be terminated on other CPE for high redundancy. This active-failover solution is possible with Static routing along with tracking command or BGP protocol, so CPE’s should have features like (Routing protocol + tracking command + Security) and 1 Routed port + 1 Layer2 port. Recommendation is to run static as a Routing protocol between CE-PE at WAN Side and HSRP/VRRP at LAN side where gateway IP address of all the LAN equipment’s would be Virtual IP address along with tracking command for MPLS LINKS. If MPLS link goes down in any location automatic traffic would be reroute on Internet over IPSEC tunnel without any manual intervention.

Technical Arrangement:

1. Customer can terminate both the Services on different Routers for better redundancy.
2. Customer can implement this setup either on HUB and Spoke or Mesh Topology.
3. Solution based on considering Layer2 Switch at all the locations.
4. Recommendation is run eBGP routing on CE-PE on MPLS Network.
5. Tracking command has to configure at MPLS-HUB location to track the MPLS-Spoke location.
6.  Configure HSRP/VRRP at all the locations.
7. Defaults Gateway IP addresses will Virtual IP address of HSRP/VRRP.
8. Configure IP Sec tunnel in between HUB and spoke Internet CE Routers.
9. Permit only LAN IP Addresses in Access list configured for IP SEC.
10. IP peer IP will be WAN IP address of the remote CE Router.