cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11129
Views
54
Helpful
31
Replies

2 remote locations, 2 MPLS links between

Damir Reic
Level 1
Level 1

Hello,

maybe this is simple question for someone with MPLS experience. I have 2 locations that are connected with 2 MPLS links by 2 different ISPs. Some services go over one link, some over another link to remote location. I presume there is a static route on each server with next hop 1st or 2nd MPLS router so that's how traffic is divided. Let's presume that is truth and when 1 MPLS link goes down services on that link become unavailable. It's obvious i need to use dynamic routing protocol so path is corrected when one of the links go down. Also i need to make sure that after that broken link is restored previous path is auto restored. Which routing protocol should i implement?

31 Replies 31

Hello Damir, do you mind showing us a quick diagram so we can see if there is a better approach to this.
I tried to illustrate a basic end to end MPLS VPN, however it seems more complex than just that.
Hopefully we'll be able to provide you with a better plan/solution.

Look forward to your response

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hello,

this is the network. Not very good at drawing

I left out 30 remote sites connected to ASA since they are not important for this.

Hello, Thanks for the diagram, makes more sense what you was trying to say! (Diagram is a lot better than most of mine for sure! )

Its difficult situation here, Im thinking about your default gateway for your main site, you have a single point of failure. So we have a 3560, can do routing to some extent and switching, however, if that was to crash or die then youve lost your default gateway, well also your link to the internet. So I guess thats already the case.

The worry I have with your ASA's is the total throughput capacity. 150 Mbps. Is that enough to handle your LAN, MPLS and internet bound traffic. If we couldn't get hold of another router like the 1900 then I would improvise and see how we were to get on with the performance of the ASA's.

A bit like this:

In the beginning we can just stick with static routes, it's just easier at this stage since its already in place, this will allow for your database replication to be unchanged. Perhaps try to think about the internet edge and how we can implement HA. You could possible connect your ASA's directly to your fortigate FW's, that leaves you with 3560 and 1900.

Because the ASA's are in HA mode, each provider should have links to both ASA's (i.e. two each) - you also have gateway redundancy just in the case of primary failing. Otherwise I don't know if we could do something clever with VRRP between the 3560 and the fortigate FW... But I'd look at this option last.

Question for you - are you able to get hold of another router (c1900)? we could use this as a pair which would be a lot better. Then we could use PBR to route your database replication traffic. Along with first hop redundancy protocol like HSRP or VRRP etc...

This way we can have a resilient gateway for your LAN and other connections too.

In the mean time, I'll continue to think if there is something more we could do with what is here.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Just had a thought, we could have the 3560 and the 1900 as your CE. In this case you could think about removing the ASA's if there isn't much FW'ing going on. If there is then best to leave it there than to complicate matters. Static routes with IP SLA for tracking, which would suffice, or you could have dynamic routing.

With everything going through the ASA's it makes sense to take this option since its not a lot of change required, but I still worry about performance.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Hi,

Cisco 3560 will probably get replaced by stack of two 3750-E so let's not worry about it (or we could if you think there is a better option ). One MPLS link is 30Mbit, other one is 20Mbit. Btw, you got the connection wrong on left side, 1 MPLS link is connected to Cisco 1900 router from a provider router, while other MPLS link is connected to ASA HA from provider router (note:they are NOT both connected to ASA HA).

Cisco 3560 L3 switch is currently default gateway for all hosts on left side. So i think i need OSPF between

L3sw - ASA

L3sw - c1900

correct?

Oh - that diagram was an option for us. Not what I interpreted your diagram to be. I understood your diagram.

Okay so 3750's stacked will provide us with the resilience we need then. No problem there

In which case, all thats left is the OSPF neighborships between your devices.

This seems to be a good fit in the end, with the 3750. The direct neighborship between the 1900 and the ASA's isnt mandatory.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Yes, that's it.

So aftewall i need both providers to enable OSPF on the interface facing ASA and c1900 router on left side/ c1900 routers on right side?

Are you sure i need neighbourship between ASA and c1900 on left side since i will have neighborship between L3/ASA and L3/c1900?

Correct, just need your provider to enable OSPF on links connecting to ASAs and the c1900.

It's desired in my view, but not mandatory to have a neighbourship between the ASA and c1900. Reason being, if the link was lost towards the 3750, you have a backup route. (so you make use of both providers this way in the event of such failure) but you dont have to.

The neighbourships to the 3750 is good enough

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

And i need to configure ospf on l3, asa and c1900 on left side and right side.

Where were we with prefering replication to go over 1 mpls, failover and failback? Can it be done safely or better don't mess with it and configure load balancing with ospf?

Yes, OSPF will need to be enabled on both sides with each provider.

With OSPF, if you have equal cost paths for the same address prefix they are automatically load balanced on per session basis I believe. So just need to ensure that metrics are the same.

In terms of manipulating which way your replication traffic goes, you can take a look at PBR (policy based routing) which you can define source IP, and set the next hop for this IP in particular. E.g. go via provider 1

http://www.cisco.com/en/US/products/ps6599/products_white_paper09186a00800a4409.shtml

Please ensure you license/ios image on the 3750 can support this along with verify next hop availability or even tracking.

Otherwise if this is too much and not possible with 3750, then perhaps it's best to leave the replication and let OSPF work it out...

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

So i can have policy routing and ospf at same time?

Right now i am only worried if replication will switch to other link when it's primary link is down and will it revert back to primary link once it's up again when using policy based routing.

Yes you can have PBR and OSPF the same time.

You need to ensure the track option is available on the 3750 with PBR.

http://www.cisco.com/en/US/docs/ios-xml/ios/iproute_pi/configuration/xe-3s/iri-pbr-mult-track.html

With this you can track to see if PBR is valid for the next hop. If not then PBR is not active and all traffic is treated normally via Routing table. Sorry I'm not able to check this yet as I'm away from my laptop.

Sent from Cisco Technical Support iPhone App

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thank you for all the info, you have been very helpfull . It would take me days to gather all this info without you

Youre welcome! Just hope that your providers aren't subborn with enabling OSPF

Just checked if the command is available on a 3750X using

c3750e-universalk9-mz.150-1.SE2.bin (ip services license)

To do PBR tracking the commands are available.

track 1 ip sla 1 reachability

!

ip sla 1

icmp-echo x.x.x.x source-interface xxxxxxx

![where xxxxxxx is the interface towards prefered provider][x.x.x.x would your device on the other side off of the same provider)

frequency 5

!

ip sla enable reaction-alerts

!

ip sla schedule 1 life forever start-time now

!

ip access-list standard database_replication

permit x.x.x.x [x.x.x.x is your replication host]

!

route-map mypbr permit 10

match ip address database_replication

set ip next-hop verify-availability y.y.y.y track 1

[y.y.y.y is the local providers ip address or the next hop towards the destination]

!

interface xxxx [ Where xxxx is your LAN interface (172 networks)]

ip policy route-map mypbr

If there's any assistance required with config feel free to ask me directly or in this thread.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Please rate useful posts & remember to mark any solved questions as answered. Thank you.

Thanks! So in case prefered link goes down, even when i configure PBR, traffic will be switched to alternative link for replication and it will revert back when prefered link is up again?

Review Cisco Networking for a $25 gift card