L2 redundant VPN

David Swafford david at davidswafford.com
Tue Jan 22 05:02:35 UTC 2013

Just throwing out another option --
if you can do 9K MTUs over the provider's IP connection (or even 4K
for that matter), you might want to look at deploying an MPLS overlay.
Imagine having a pair of MPLS PEs at each datacenter, so four in
total.  Then link those in a mesh using GRE tunnels over the existing
IP transport.  Run MPLS over these four boxes and build L2 pseudowires
across.  Here's a really basic config of this:
https://w.ntwk.cc/working-on-atompls/.  For lab testing, a pair of
3725s on 12.4T will do the trick.


On Mon, Jan 21, 2013 at 2:57 PM, Peter Kristolaitis <alter3d at alter3d.ca> wrote:
> Alternatively, just disable encryption by using "--cipher none" if you only
> care about the L2 bridging and don't care about the encryption aspect.  You
> should get a huge performance boost through the tunnel and it would be the
> same thing as dropping a dedicated circuit in there.
> Of course, encryption is generally a Good Thing(tm), and the AES-NI stuff is
> phenomenal, but it's not necessarily required in places where you're just
> trying to get a link set up between 2 sites and you were considering MPLS
> anyways.
> - Pete
> On 01/21/2013 05:37 PM, Dan Olson wrote:
>> Can you enable aes-ni on your openvpn servers?  Any newer intel xeon
>> chipset should support it, but it is usually disabled (bios) by default.
>> There are more tuning tips at
>> http://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux
>> ----- Original Message -----
>>> From: "Tomas Podermanski" <tpoder at cis.vutbr.cz>
>>> To: nanog at nanog.org
>>> Sent: Monday, January 21, 2013 3:37:55 PM
>>> Subject: L2 redundant VPN
>>> Hi networking guys,
>>>      I need some help :-). We try to find for our department reliable
>>> solution for L2 VPN. The task is to connect two remote data centers,
>>> each of them connected two 1Gbps  lines (with link aggregation). Only
>>> IP
>>> connectivity between data centers is available (so there is no
>>> possibility to create circuit based on MPLS or something like that).
>>> The
>>> basic problem is that high reliability is required, so the solution
>>> have
>>> to be fully redundant.
>>> The initial idea was about two OpenVPN servers in each data center +
>>> two
>>> switches (HP E5800) joined into one logical switch via VRF. The link
>>> failure is based on LACP packets between both data centers.  The
>>> solution works, however performance of OpenVPN is really creepy. The
>>> maximum we were able to get from this configuration was about
>>> 100Mbps.
>>> We expect at least 500Mbps (or more in the future).
>>> In our thoughts then we were thinking about l2tp on some
>>> cisco/HP(H3C)
>>> device, however there is little information about performance of that
>>> solution and I am not sure how the failure detection would work in
>>> redundant configuration.
>>> Have anybody some experience with similar solution or at least any
>>> idea ?
>>> Thanks a lot for thoughts
>>>      Tomas

More information about the NANOG mailing list