12-04-2012 05:58 AM - edited 03-04-2019 06:18 PM
Hi all,
Hope you can help me out in trying to automate the backup in the following scenario:
The main circuit is a 10Mb MPLS link with my ISP propagating my routes using eBGP and, as a temporary solution, I'd like to implement a site2site link through a DSL connection using a VPN IPSec tunnel propagating my routes using EIGRP (used in all the sites).
I have HSRP configured between the 2 routers (I know it is highly recommended to use the same model of routers but I don't have a spare router) so the active router is the MPLS link and the other the standby. HSRP is working fine, switching between active and standby when the links go up/down.
When I enable the VLANs on the backup router, I lose ping from the switch to the Internet, getting it back when I disable the VLANs. This is probably because of the propagation of the same routes using different protocols, so what I had to do to make it work (not the best solution but at least it is something) is to filter the routes in the backup router using "distribute-list 25 out tunnel 0" (find below some outputs of the config) to be able to keep all the routes active in both routers and, if the main link goes down, remove that line so that it starts working and sending the traffic through the backup link.
My question is, can anyone think of a better solution to automate this process? Maybe playing with the metrics or something? Has anyone had this scenario before?
Config of the main Router:
interface FastEthernet0/0.200
description VLAN DATA
encapsulation dot1Q 200 native
ip address 10.10.10.2 255.255.255.192
standby 2 ip 10.10.10.1
standby 2 priority 120
standby 2 preempt
standby 2 track FastEthernet0/1.100 30
standby 2 track 2 decrement 50
!
interface FastEthernet0/0.400
description VLAN WIFI
encapsulation dot1Q 400
ip address 10.10.11.2 255.255.255.128
standby 4 ip 10.10.11.1
standby 4 priority 120
standby 4 preempt
standby 4 track FastEthernet0/1.100 30
standby 4 track 2 decrement 50
!
interface FastEthernet0/1
description Service_ETHERNET MPLS,
no ip address
load-interval 30
duplex full
speed 10
no cdp enable
max-reserved-bandwidth 100
!
interface FastEthernet0/1.100
description Service:ETHERNET MPLS,
encapsulation dot1Q 100
ip address X.X.X.X 255.255.255.252
no cdp enable
!
.....
router bgp 100000
no synchronization
bgp log-neighbor-changes
network 10.10.10.0 mask 255.255.255.192
network 10.10.11.0 mask 255.255.255.128
neighbor XXX remote-as XXX
neighbor XX send-community
neighbor XXXX weight 65500
neighbor XXXXX remote-as 12641
neighbor XXXX ebgp-multihop 2
neighbor XXXX send-community
no auto-summary
Config of the backup router:
!
!
interface Tunnel0
description to Internet
bandwidth 256
ip address 192.162.10.22
no ip redirects
no ip proxy-arp
ip mtu 1400
ip nhrp authentication xxxxxxx
ip nhrp map multicast dynamic
ip nhrp map multicast X1.X2.X3.X4
ip nhrp map 192.168.10.1 X1.X2.X3.X4
ip nhrp network-id 1
ip nhrp nhs 192.168.10.1
ip virtual-reassembly in
tunnel source Dialer2
tunnel mode gre multipoint
tunnel key 0
tunnel path-mtu-discovery
tunnel protection ipsec profile Cisco
!
interface FastEthernet1
description Data
switchport access vlan 200
no ip address
duplex full
speed 100
!
interface FastEthernet2
description Data
switchport access vlan 400
no ip address
duplex full
speed 100
!
interface Vlan200
description DATA
ip address 10.10.10.3 255.255.255.192
standby 2 ip 10.10.10.1
standby 2 priority 110
standby 2 preempt
!
interface Vlan400
description DATA
ip address 10.10.11.3 255.255.255.128
standby 2 ip 10.10.11.1
standby 2 priority 110
standby 2 preempt
!
interface Dialer 2
.....omitted
!
router eigrp 3
distribute-list 25 out Tunnel0
default-metric 256 500 255 255 1400
network 10.10.10.0
network 10.10.11.0
redistribute static metric 256 100000 50 100 1400 route-map LAN
passive-interface default
no passive-interface Tunnel0
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route X1.X2.X3.X4 255.255.255.255 Dialer2
!
ip access-list extended ACL_LAN
permit ip 10.10.10.0 0.0.0.63 any
permit ip 10.10.11.0 0.0.0.127 any
!
access-list 25 permit 0.0.0.0
access-list 25 deny any
!
route-map LAN permit 10
match ip address ACL_LAN
!
***************************************************************************************************
So if I want the backup router to start working (while the main link is down) I need to remove the "distribute-list 25 out tunnel 0" and, in order to recover the main link, add the command again.
Any suggestion to improve this scenario?
Thanks in advance!
The message was edited by: Luis Ruiz Lopez
12-06-2012 01:06 AM
Hi,
are you talking here about a backup connection between two particular sites in your network?
Or a general backup solution for all of your sites?
In any case, you need to fix the routing for outbound and also inbound connections!
So for outbound:
When your connection to the MPLS cloud fails, your backup router becomes HSRP active one.
OK.
As the backup router has a default route configured pointing to the Tunnel, the outgoing traffic will be sent through the tunnel to the other site.
But does the other site know how to send the traffic back?
As the MPLS connection is OK on the other site, the primary router is still active and does not know the backup path via the tunnel, correct?
So you would need either some static route (default, e.g.) configured on the primary pointing to the backup router (could be on both sites) or some dynamic routing protocol (EIGRP) running on both.
If you want to use this connection as a full backup, i.e., also other MPLS sites should be able to connect to your site via the tunnel when your primary MPLS connection fails on your site, you will need to redistribute your EIGRP routes to BGP somewhere.
But that is related to my first question: What kind of backup are you trying to build?
HTH,
Milan
12-07-2012 02:13 AM
It is a backup solution between 2 particular sites; in fact, the MPLS entry point at the headquarters is the same for any remote site, and the backup S2S entry point as well.
To make it clear, the headquarters has 1 router for all of the MPLS connections coming from the remote offices and 1 router for all of the S2S connections that we need to configure either for backup or for some specific reason.
The scenario where we have the problem is a remote office with an MPLS connection as the primary circuit and an S2S router as a backup (temporarily), of course connecting to a single entry point in the headquarters where we have many other remote offices connecting.
I see your point: while the MPLS link at the remote office is down, at the headquarters it is still up and therefore the traffic is not sent through the tunnel but over the same MPLS circuit, so if I just want to re-route that specific traffic to the backup link, your suggestion would be to apply a static route, and I guess I would need to specify what traffic I want to send through that link, correct?
This would be the configuration at the main entry point. Any suggestion?
router eigrp 3
redistribute static metric 2000 50 255 200 1500 route-map static2eigrp
redistribute bgp 60002 metric 1000 100 255 200 1500 route-map FROM-MPLS
network 62.100.100.10 0.0.0.0
network 10.10.0.0
no auto-summary
!
address-family ipv4 vrf vpn_
redistribute bgp 60002 metric 2000 50 255 200 1500 route-map FROM-MPLS
network 10.10.10.0 0.0.0.63
no auto-summary
autonomous-system 3
exit-address-family
!
router bgp 60002
no synchronization
bgp log-neighbor-changes
network 0.0.0.0
network 62.100.100.10 mask 255.255.255.255
neighbor X.X.X.X remote-as 12641
neighbor X.X.X.X ebgp-multihop 2
neighbor X.X.X.X send-community
neighbor X.X.X.X route-map Pre out
no auto-summary
!
address-family ipv4 vrf vpn_b
neighbor X.X.X.X remote-as 12641
neighbor X.X.X.X ebgp-multihop 2
neighbor X.X.X.X activate
neighbor X.X.X.X send-community
default-information originate
no auto-summary
no synchronization
network 0.0.0.0
exit-address-family
!
12-07-2012 05:27 AM
Hi,
if all your remote sites are using the same router in the HQ for the backup connections, I believe you should be able to make the backup fully automatic.
IMHO, all you would need would be a proper mutual redistribution between BGP and EIGRP on your main router.
I.e., what you might need is following:
If the same prefix is received by BGP and EIGRP, keep the BGP prefix preferred and redistribute it to EIGRP. Append some tag to it to be able to recognize it by EIGRP.
If a prefix comes via EIGRP only, redistribute it to BGP and advertise it to the MPLS backbone with the HQ AS number prepended several times (to make it less preferred compared to the same prefix advertised by the remote site to MPLS when the MPLS line is up again on the remote site). It's also good to use a BGP community to tag the EIGRP prefixes redistributed to BGP (you can use the community to recognize them later - for prepending when advertised to the backbone, e.g.).
Another good trick is to make the BGP Weight=0 when redistributing EIGRP prefixes to BGP.
That way, when the MPLS line is Up again and the prefix is received from the MPLS backbone again, it will beat the BGP prefix in the main router BGP table which had been redistributed from EIGRP originally.
You can also play with the EIGRP metric to make the prefixes redistributed from BGP less or more preferred compared to the original EIGRP routes.
All the tags I mentioned might also be used to prevent the redistributed routes from being redistributed back to the original routing protocol (in case more routers were involved).
I hope I gave you some ideas; I made something similar two years ago and it was working fine!
On the other hand, mutual redistribution might be quite tricky sometimes :-(
HTH,
Milan
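The mutual redistribution Milan outlines, written out as an added IOS example for the HQ router's global table (this is not configuration from the thread; the vrf address families in the posted config would take the same route-maps). AS 60002, EIGRP AS 3, ISP AS 12641 and the redistribution metric come from the posted HQ config; tag 300, community 60002:300, local-preference 50 and the route-map and community-list names are assumptions, and the local-preference drop is added on top of weight 0 because, with weights tied, BGP still prefers a locally originated path over a learned one.

```ios
! Added example (not from the thread). Assumed values: tag 300,
! community 60002:300, local-pref 50, route-map/community-list names.
ip bgp-community new-format
!
! Marks prefixes that entered BGP from EIGRP (tunnel-learned sites).
ip community-list standard FROM-EIGRP permit 60002:300
!
! BGP -> EIGRP: loop guard (do not hand back EIGRP-origin prefixes),
! then tag MPLS-learned prefixes so EIGRP policy can recognise them.
route-map BGP-TO-EIGRP deny 10
 match community FROM-EIGRP
route-map BGP-TO-EIGRP permit 20
 set tag 300
!
! EIGRP -> BGP: loop guard on tag 300, then mark the rest with the
! community, weight 0 and a lower local-pref so the same prefix, once
! learned again from the MPLS backbone, wins best-path selection.
route-map EIGRP-TO-BGP deny 10
 match tag 300
route-map EIGRP-TO-BGP permit 20
 set community 60002:300
 set weight 0
 set local-preference 50
!
! Outbound to the ISP: prepend the HQ AS only on tunnel-origin prefixes,
! so the backbone prefers the remote site's own direct advertisement.
route-map TO-MPLS permit 10
 match community FROM-EIGRP
 set as-path prepend 60002 60002 60002
route-map TO-MPLS permit 20
!
router eigrp 3
 redistribute bgp 60002 metric 1000 100 255 200 1500 route-map BGP-TO-EIGRP
 network 10.10.0.0
 no auto-summary
!
router bgp 60002
 no synchronization
 bgp log-neighbor-changes
 redistribute eigrp 3 route-map EIGRP-TO-BGP
 neighbor X.X.X.X remote-as 12641
 neighbor X.X.X.X ebgp-multihop 2
 neighbor X.X.X.X send-community
 neighbor X.X.X.X route-map TO-MPLS out
 no auto-summary
```

To confirm the behaviour, "show ip bgp <prefix>" on the HQ router should show the backbone-learned path as best once the remote MPLS link returns, and "show ip eigrp topology" should show the MPLS-learned prefixes carrying tag 300.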