This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Serban_Biliuti
Participant
‎2019-02-01 03:21 AM

VPN Backup to MPLS

I'm trying to come up with a working solution to have a redundant VPN link to a remote site as a backup to the MPLS link already deployed there.

Since we break out from the DC and MPLS out the Firewall we terminate our VPNs on, I'm struggling to find a way to have the return traffic from the MPLS go back on the MPLS instead out the VPN which is connected and route static.

The Breakout CP has OSPF that redistributes in MPLS BGP. 

I know how to route traffic over the MPLS from the site and within the DC. My worry is with the internet traffic that's coming back to the Site. I'm worried about ending up with asymmetric routing and out of state packets.

Any ideas? VPN_Trust is true, Looked at RBP but that is not dynamic based on if the MPLS is available.

0 Kudos
2 Replies
Mark_Mitchell
Advisor
‎2019-02-01 11:52 AM

Hi Serban, 

Do you have a topology or proposed topology you are working with? I.e what does the MPLS look like and what are the capabilities of your switching hardware at the remote site you want to make resilient?

Regards

Mark

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-02-01 11:44 PM

The main problem with this issue  is that you have to use dynamic routing between router an gateway and also between the VPN gateways, the latter can only be achieved when you use VTI's as you can only run a dynamic protocol over a interface.

Think of this one, use the router to setup the VPN to the other location's MPLS router, using NAT on gateways. In fact you're taking the gateway out of the backup equation. The MPLS router will then be able to use priorities for the VPN and MPLS and also does not care to much about asymmetric routing.

Regards, Maarten

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events