
BGP VPN Design Guide

This document describes the benefits and uses of BGP VPNs. It serves as a reference for the optimal architecture, so that customers receive the most benefit from this technology.

Overview

BGP VPNs are utilized for Data Center Failover and load sharing. This is accomplished by placing a VPN Concentrator at each Data Center. Each VPN Concentrator peers over BGP with the DC edge devices. BGP is chosen for its scalability and tuning capabilities.

BGP VPN Design

A typical BGP topology for enterprise routing can be seen below:

[Topology diagram: typical enterprise BGP topology]

This is a traditional routing environment where BGP is used to connect customers to multiple data centers. Each data center has its own one-armed concentrator running BGP. Spoke sites form an IBGP relationship with both concentrators, and each concentrator forms two EBGP relationships with the DC edge devices. This design offers hardware redundancy at the data center edge in case of failure or maintenance. It also allows remote site subnets to be advertised to both data centers for route redundancy and load sharing. To protect the integrity of the route table, route filtering is performed on the VPN concentrators: AS Path Access Lists are applied outbound towards the EBGP neighbors to ensure that the Auto VPN domain does not become a transit Autonomous System, and for inbound route advertisement protection, max prefix limits are set for the EBGP neighbors. The design is very scalable by nature and accommodates adding or removing sites based upon business needs.

BGP VPN Use Cases

Option 1: Datacenter-to-Datacenter (DC-DC) Failover

In this use case, the design provides DC-DC Failover for branch (spoke) sites. In this scenario, if there is a failure on any of the concentrators, there will be an immediate, secure and reliable failover. In order for DC-DC Failover to be achieved, the following behavior must occur:

  • Spoke sites will form VPN tunnels to both primary and secondary hubs

  • Spoke sites will learn and maintain route information learned via BGP from both hub sites

  • Concentrators at each data center advertise spoke site routing information to DC edge devices

  • The scalability of this solution is preserved with max prefix limits for BGP routes, which protects the Auto VPN domain from route leaks

  • Route table integrity will be protected by utilizing AS Path Access Lists


Topology

[Topology diagram: DC-DC failover]

Option 2: Active/Active Datacenters

In this use case, the design provides load sharing between datacenters for branch (spoke) sites. In this scenario, branch sites access applications across both datacenters. In order for load sharing to be achieved, the following behavior must occur:


  • Concentrators enable symmetry and load sharing through BGP traffic engineering

    • This is currently performed via AS path prepending

  • Spoke sites will be split between DC1 and DC2 as primary

  • Spoke sites will be redirected to their secondary DC in the event of an outage

  • The scalability of this solution is preserved with max prefix limits for BGP routes, which protects the Auto VPN domain from route leaks

  • Route table integrity will be protected by utilizing AS Path Access Lists
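The three controls that both use cases rely on (the outbound AS path access list that keeps the Auto VPN domain from becoming transit, the inbound max prefix limit, and AS path prepending for active/active steering) are modelled below in a small simulation. This is an added example, not Meraki code or dashboard configuration; the AS numbers, prefixes and next-hop names are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed topology (assumption, not from the design guide): the Auto VPN
# domain is AS 65000; DC1 edge is AS 65001 and DC2 edge is AS 65002.
AUTO_VPN_AS = 65000


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple  # nearest AS first; () means originated inside the local AS
    next_hop: str


def as_path_filter(routes, pattern=r"^$"):
    """Outbound AS path access list applied toward EBGP neighbours.
    The default '^$' permits only routes originated inside the Auto VPN
    domain, so prefixes learned from one DC edge are never re-advertised
    to the other DC edge (no transit AS)."""
    regex = re.compile(pattern)
    return [r for r in routes if regex.search(" ".join(map(str, r.as_path)))]


def max_prefix_check(routes, limit):
    """Inbound max prefix limit for an EBGP neighbour: more prefixes than
    allowed rejects the update set instead of flooding the Auto VPN domain."""
    if len(routes) > limit:
        raise ValueError(f"max-prefix limit {limit} exceeded: {len(routes)} prefixes")
    return list(routes)


def advertise(route, local_as=AUTO_VPN_AS, prepend=0):
    """EBGP advertisement: the local AS is added once, plus 'prepend' extra
    copies for traffic engineering (active/active DC steering)."""
    return Route(route.prefix, (local_as,) * (1 + prepend) + route.as_path, route.next_hop)


def best_path(candidates):
    """Simplified BGP best path: shortest AS path wins; ties broken on next hop."""
    return min(candidates, key=lambda r: (len(r.as_path), r.next_hop))


def preferred_concentrator(dc1_up=True):
    """A spoke prefix is advertised by both concentrators; DC2 prepends twice.
    Returns the concentrator the DC core prefers, before and after a DC1 outage."""
    paths = []
    if dc1_up:
        paths.append(advertise(Route("10.10.1.0/24", (), "dc1-concentrator")))
    paths.append(advertise(Route("10.10.1.0/24", (), "dc2-concentrator"), prepend=2))
    return best_path(paths).next_hop
```

With DC1 healthy the shorter path wins; when DC1 is withdrawn the prepended DC2 path is the only candidate and traffic fails over without any configuration change.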


Topology

[Topology diagram: active/active datacenters]

Conclusion

The Cisco Meraki BGP VPN solution provides secure, reliable and scalable datacenter redundancy. This allows for the most efficient use of resources between datacenters and their respective branch offices. The scalability, tunability and security of BGP make it the optimal solution for enterprise market segments.

Article ID: 7600