Doubt. Same routes in 2 routers, MPLS (BGP) and S2S IPSec Tunnel (EIGRP)

Luis Ruiz Lopez
Level 1

Hi all,

Hope you can help me out to try to automate the backup in the following scenario:

[Image: Scenario1.jpg]

The main circuit is a 10Mb MPLS link with my ISP propagating my routes using eBGP and, as a temporary solution, I'd like to implement a site2site link through a DSL connection using a VPN IPSec tunnel propagating my routes using EIGRP (used in all the sites).

I have HSRP configured between the 2 routers (I know it is highly recommended to use the same model of routers but I don't have a spare router) so the active router is the MPLS link and the other the standby. HSRP is working fine switching between active and standby when the links go up/down.

When I enable the VLANs on the backup router, then I lose ping from the switch to Internet, getting it back when I disable the VLANs. This is probably because of the propagation of the same routes using different protocols, so what I had to do to make it work (not the best solution but at least it is something) is to filter the routes in the backup router using "distribute-list 25 out Tunnel0" (find below some outputs of the config) to be able to keep active all the routes in both routers, and if the main link goes down, remove that line so that it starts working and sending the traffic from the backup link.

My question is, can anyone think of a better solution to automate this process? Maybe playing with the metrics or something? Has anyone had this scenario before?

Config of the main Router:

interface FastEthernet0/0.200
 description VLAN DATA
 encapsulation dot1Q 200 native
 ip address 10.10.10.2 255.255.255.192
 standby 2 ip 10.10.10.1
 standby 2 priority 120
 standby 2 preempt
 standby 2 track FastEthernet0/1.100 30
 standby 2 track 2 decrement 50
!
interface FastEthernet0/0.400
 description VLAN WIFI
 encapsulation dot1Q 400
 ip address 10.10.11.2 255.255.255.128
 standby 4 ip 10.10.11.1
 standby 4 priority 120
 standby 4 preempt
 standby 4 track FastEthernet0/1.100 30
 standby 4 track 2 decrement 50
!
interface FastEthernet0/1
 description Service_ETHERNET MPLS,
 no ip address
 load-interval 30
 duplex full
 speed 10
 no cdp enable
 max-reserved-bandwidth 100
!
interface FastEthernet0/1.100
 description Service:ETHERNET MPLS,
 encapsulation dot1Q 100
 ip address X.X.X.X 255.255.255.252
 no cdp enable
!
.....
!
router bgp 100000
 no synchronization
 bgp log-neighbor-changes
 network 10.10.10.0 mask 255.255.255.192
 network 10.10.11.0 mask 255.255.255.128
 neighbor XXX remote-as XXX
 neighbor XX send-community
 neighbor XXXX weight 65500
 neighbor XXXXX remote-as 12641
 neighbor XXXX ebgp-multihop 2
 neighbor XXXX send-community
 no auto-summary

Config Backup Router:

!
interface Tunnel0
 description to Internet
 bandwidth 256
 ip address 192.162.10.22
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 ip nhrp authentication xxxxxxx
 ip nhrp map multicast dynamic
 ip nhrp map multicast X1.X2.X3.X4
 ip nhrp map 192.168.10.1 X1.X2.X3.X4
 ip nhrp network-id 1
 ip nhrp nhs 192.168.10.1
 ip virtual-reassembly in
 tunnel source Dialer2
 tunnel mode gre multipoint
 tunnel key 0
 tunnel path-mtu-discovery
 tunnel protection ipsec profile Cisco
!
interface FastEthernet1
 description Data
 switchport access vlan 200
 no ip address
 duplex full
 speed 100
!
interface FastEthernet2
 description Data
 switchport access vlan 400
 no ip address
 duplex full
 speed 100
!
interface Vlan200
 description DATA
 ip address 10.10.10.3 255.255.255.192
 standby 2 ip 10.10.10.1
 standby 2 priority 110
 standby 2 preempt
!
interface Vlan400
 description DATA
 ip address 10.10.11.3 255.255.255.128
 standby 2 ip 10.10.11.1
 standby 2 priority 110
 standby 2 preempt
!
interface Dialer 2
 .....omitted
!
router eigrp 3
 distribute-list 25 out Tunnel0
 default-metric 256 500 255 255 1400
 network 10.10.10.0
 network 10.10.11.0
 redistribute static metric 256 100000 50 100 1400 route-map LAN
 passive-interface default
 no passive-interface Tunnel0
!
ip route 0.0.0.0 0.0.0.0 Tunnel0
ip route X1.X2.X3.X4 255.255.255.255 Dialer2
!
ip access-list extended ACL_LAN
 permit ip 10.10.10.0 0.0.0.63 any
 permit ip 10.10.11.0 0.0.0.127 any
!
access-list 25 permit 0.0.0.0
access-list 25 deny   any
!
route-map LAN permit 10
 match ip address ACL_LAN
!

***************************************************************************************************

So if I want the backup router to start working (while the main link is down) I need to remove the "distribute-list 25 out Tunnel0" and, in order to recover the main link, add the command again.

Any suggestion to improve this scenario?

Thanks in advance!!

The message was edited by: Luis Ruiz Lopez

3 Replies

milan.kulik
Level 10

Hi,

are you talking here about a backup connection between two particular sites in your network?

Or a general backup solution for all of your sites?

In any case, you need to fix the routing for outbound and also inbound connections!

So for outbound:

When your connection to the MPLS cloud fails, your backup router becomes HSRP active one.

OK.

As the backup router has a default route configured pointing to the Tunnel, the outgoing traffic will be sent through the tunnel to the other site.

But does the other site know how to send the traffic back?

As the MPLS connection is OK on the other site, the primary router is still active and does not know the backup path via the tunnel, correct?

So you would need either some static route (default, e.g.) configured on the primary pointing to the backup router (could be on both sites) or some dynamic routing protocol (EIGRP) running on both.

If you want to use this connection as a full backup, i.e., also other MPLS sites should be able to connect to your site via the tunnel when your primary MPLS connection fails on your site, you will need to redistribute your EIGRP routes to BGP somewhere.

But that is related to my first question: What kind of backup are you trying to build?

HTH,

Milan

It is a backup solution between 2 particular sites; in fact, the MPLS entry point is the same for any remote site at the headquarters and the backup S2S entry point as well.

To make it clear, the headquarters has 1 router for all of the MPLS connections coming from the remote offices and 1 router for all of the S2S connections that we need to configure either for backup or for some specific reason.

In this scenario where we have the problem is a remote office with an MPLS connection as the primary circuit and a S2S router as a backup (temporarily), of course connecting to a single entry point in the headquarters where we have many other remote offices connecting.

I see your point: while the MPLS link at the remote office is down, at the headquarters it is still up and therefore the traffic is not sent through the tunnel but the same MPLS circuit, so if I just want to re-route that specific traffic to the backup link, your suggestion would be to apply a static route and I guess I would need to specify what traffic I want to send through that link, correct?

This would be the configuration at the main entry point. Any suggestion?

router eigrp 3
 redistribute static metric 2000 50 255 200 1500 route-map static2eigrp
 redistribute bgp 60002 metric 1000 100 255 200 1500 route-map FROM-MPLS
 network 62.100.100.10 0.0.0.0
 network 10.10.0.0
 no auto-summary
 !
 address-family ipv4 vrf vpn_
  redistribute bgp 60002 metric 2000 50 255 200 1500 route-map FROM-MPLS
  network 10.10.10.0 0.0.0.63
  no auto-summary
  autonomous-system 3
 exit-address-family
!
router bgp 60002
 no synchronization
 bgp log-neighbor-changes
 network 0.0.0.0
 network 62.100.100.10 mask 255.255.255.255
 neighbor X.X.X.X remote-as 12641
 neighbor X.X.X.X ebgp-multihop 2
 neighbor X.X.X.X send-community
 neighbor X.X.X.X route-map Pre out
 no auto-summary
 !
 address-family ipv4 vrf vpn_b
  neighbor X.X.X.X remote-as 12641
  neighbor X.X.X.X ebgp-multihop 2
  neighbor X.X.X.X activate
  neighbor X.X.X.X send-community
  default-information originate
  no auto-summary
  no synchronization
  network 0.0.0.0
 exit-address-family
!

Hi,

if all your remote sites are using the same router in the HQ for the backup connections, I believe you should be able to make the backup fully automatic.

IMHO, all you would need would be a proper mutual redistribution between BGP and EIGRP on your main router.

I.e., what you might need is following:

If the same prefix is received by BGP and EIGRP, keep the BGP prefix preferred and redistribute it to EIGRP. Append some tag to it to be able to recognize it by EIGRP.

If a prefix comes via EIGRP only, redistribute it to BGP and advertise to the MPLS backbone with the HQ AS number prepended several times (to make it less preferred compared to the same prefix advertised by the remote site to MPLS when the MPLS line is Up again on the remote site). It's also good to use a BGP community to tag the EIGRP prefixes redistributed to BGP (you can use the community to recognize them later - for prepending when advertised to the backbone, e.g.).

Another good trick is to make the BGP Weight=0 when redistributing EIGRP prefixes to BGP.

That way, when the MPLS line is Up again and the prefix is received from the MPLS backbone again, it will beat the BGP prefix in the main router BGP table which had been redistributed from EIGRP originally.

You can also play with the EIGRP metric to make the prefixes redistributed from BGP less or more preferred compared to the original EIGRP routes.

All the tags I mentioned might also be used to prevent the redistributed routes from being redistributed back to the original routing protocol (in case more routers would be involved).

I hope I gave you some ideas; I made something similar two years ago and it was working fine!

On the other hand, mutual redistribution might be quite tricky sometimes :-(

HTH,

Milan
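As an added example (not the configuration of anyone in this thread), the mutual-redistribution scheme described in the reply above, written out for the HQ main router using the thread's own AS numbers (EIGRP 3, BGP 60002, provider AS 12641). The route tag 300, the community 60002:300, the route-map and community-list names, and the <MPLS-PE-IP> placeholder are assumptions made for the example:

```cisco
! Added example, not the configuration of anyone in this thread.
! HQ main router: mutual redistribution between BGP 60002 (MPLS) and EIGRP 3 (tunnel backup).
! Assumed values: tag 300, community 60002:300, route-map/community-list names, <MPLS-PE-IP>.
!
ip bgp-community new-format
!
! Community that marks "this prefix originated in EIGRP (i.e. came over the backup tunnel)"
ip community-list standard CL_FROM_EIGRP permit 60002:300
!
! EIGRP -> BGP
! deny 10 : never re-import prefixes that BGP itself pushed into EIGRP (they carry tag 300)
! permit 20: weight 0 so the same prefix re-learned from the MPLS PE (weight 65500 below) wins;
!            stamp the community so it can be recognised on the way out to the backbone
route-map EIGRP-TO-BGP deny 10
 match tag 300
route-map EIGRP-TO-BGP permit 20
 set weight 0
 set community 60002:300
!
! BGP -> EIGRP
! deny 10 : do not send back into EIGRP what came from EIGRP (community 60002:300)
! permit 20: tag everything else so EIGRP speakers can tell it was learned from BGP
route-map BGP-TO-EIGRP deny 10
 match community CL_FROM_EIGRP
route-map BGP-TO-EIGRP permit 20
 set tag 300
!
! Outbound to the MPLS PE: prefixes that originated in EIGRP get the HQ AS prepended three
! times, so the remote site's own BGP advertisement is preferred as soon as its MPLS link is up.
route-map TO-MPLS permit 10
 match community CL_FROM_EIGRP
 set as-path prepend 60002 60002 60002
route-map TO-MPLS permit 20
!
router eigrp 3
 redistribute bgp 60002 metric 1000 100 255 200 1500 route-map BGP-TO-EIGRP
 network 10.10.0.0
 no auto-summary
!
router bgp 60002
 no synchronization
 bgp log-neighbor-changes
 redistribute eigrp 3 route-map EIGRP-TO-BGP
 neighbor <MPLS-PE-IP> remote-as 12641
 neighbor <MPLS-PE-IP> ebgp-multihop 2
 neighbor <MPLS-PE-IP> send-community
 neighbor <MPLS-PE-IP> weight 65500
 neighbor <MPLS-PE-IP> route-map TO-MPLS out
 no auto-summary
```

Two checks are worth running after applying something like this. With the remote site's MPLS link down, `show ip bgp community 60002:300` should list the remote LAN prefix as redistributed from EIGRP with weight 0; once the MPLS link recovers, `show ip bgp <prefix>` should show the path from the PE (weight 65500) as best. The `neighbor ... weight 65500` line is what makes the weight-0 trick work: if both paths had weight 0, BGP best-path selection would go on to prefer the locally redistributed path over the eBGP-learned one, and the stale tunnel path would stay active.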
