07-22-2019 10:50 PM
Hi All,
Need is to build a fail-over mechanism between Site A and Site B using the existing setup of stacked 3750s at each site. The sites are connected together by a 20Gig port channel and each has a link to the internet. Site A and Site B have a certain set of sites homed to them. The idea is to ensure that all sites homed to Site A egress through it to get to the internet and sites homed to Site B egress through it to get to the internet. But there should be a fail-over mechanism between the sites as well, such that Site A homed sites get to the internet through Site B and vice versa. No extra device like a router etc. can be added; it has to be achieved using the existing 3750 stacks. Is it possible to do it using an IP SLA and HSRP setup (wherein a single VIP acts like the gateway for the default route, i.e. 0.0.0.0 VIP)? I have attached the diagram for the setup. (Just a note: there is an existing BGP peering between the two sites built over the layer 3 port-channel). Please recommend...
07-23-2019 12:03 AM
Hello Vinayak,
I don't see any attached network diagram to your initial post in this thread.
HSRP is not a routing protocol but a FHRP = First Hop Redundancy Protocol.
How are the satellite sites connected to Site A and to Site B?
Unless you have a VPLS service with remote sites of Site A, Site A, Site B and remote sites of Site B, HSRP is unlikely to be a possible solution.
If you are using MPLS L3 VPN you should play with BGP on Site A and Site B.
Provide more details on how the remote sites connect to the main sites and a network diagram to get better help.
Hope to help
Giuseppe
07-23-2019 05:01 PM
Hi Giuseppe,
Thanks for responding. I have attached the Visio diagram for the setup. A quick brief about how the traffic is flowing currently. All intranet and internet traffic from branch sites traverses to Site A and Site B respectively, and then for Site B there is no direct egress towards the AWS link or the internet; rather, all that traffic too comes to Site A and then goes towards AWS or the internet. (Thus the Site B link to AWS and its internet link are not in use.) Sites A and B are connected by an L3 ten-gig link which will be converted to a 20 Gig L3 port-channel. There is BGP peering between these two sites over this link. Currently, Site B has a default route pointing to Site A, thus all traffic comes to Site A. The internet links are on the Juniper firewall and just have a static route pointing to the ISP hop. The 3750s have a physical link to the firewall and a static route pointing to it to ensure all traffic goes to the firewall.
The requirement is
>> to ensure that traffic coming to Site B from its branch sites egresses to the internet or AWS directly
>> to ensure that traffic coming to Site A from its branch sites egresses to the internet or AWS directly (this is in place)
>> implement a fail-over mechanism between Sites A and B such that either side's branch traffic should continue to flow through either of the two sites towards the internet or AWS.
Note: The existing setup may be a bit strange but there is no such option of revamping it completely.
Can a combination of policy-based routing and IP SLA be used to implement this solution? Please guide.
07-23-2019 06:44 PM
07-23-2019 10:58 PM
Hello Vinayak,
Can we assume that remote branch sites connect to each main site with dedicated L2 links?
You are running BGP between Site A and Site B over the ten-gig direct link (that will be a port-channel with 2 x 10 GE links).
Each site C3750 stack will have a static default route pointing to the local Firewall for Internet Access.
In case of failure of the local internet link the C3750 stack should use the other main site for Internet Access.
This calls for using IP SLA to track if the local internet link is alive.
The backup default route can be provided by BGP on the link between the sites.
Primary default route will use IP SLA and a track for IP SLA will be associated to the primary default static route so that if the IP SLA fails it will remove the primary default route.
Each main site needs to advertise in BGP (iBGP or eBGP between the two stacks?) a default route if the local primary default route is alive -> the command network 0.0.0.0 under router bgp can do this.
Each main site needs to advertise in BGP all the IP subnets related to its locally connected branch sites.
The firewalls need to be aware of all IP subnets of both sets of remote branch sites by adding appropriate static routes.
From the point of view of the branch sites, a default static route pointing to the local main site may be enough, or a routing protocol like OSPF or EIGRP if desired.
Same reasoning should work also for the AWS connections.
Hope to help
Giuseppe
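One way to realise the tracked-primary-default-plus-BGP-backup design Giuseppe describes, as an added example for the Site A stack (not configuration from the thread or from either poster; all addresses, interface names and the AS number are assumed placeholders, and Site B mirrors it with its own values). Two details matter for a practitioner: the probe target needs an untracked host route via the local firewall so the probe cannot be answered over the backup path and flap the track, and redistributing static routes (rather than `network 0.0.0.0`) ties the advertised default to the tracked static's presence in the RIB without ever re-originating the default learned from the other site.

```ios
! Site A C3750 stack (assumed placeholder addressing)
! 10.0.0.2       = local Juniper firewall inside address
! 203.0.113.1    = local ISP next hop, reachable only through the firewall
! 10.255.255.2   = Site B stack on the L3 port-channel (iBGP peer)
! 192.168.10.0/24 = one Site A branch subnet behind routed link 10.1.1.2
!
! Untracked host route so the IP SLA probe always leaves via the local firewall.
! Without it, once the primary default is withdrawn the probe would follow the
! BGP backup default through Site B, succeed, and re-install the primary (flapping).
ip route 203.0.113.1 255.255.255.255 10.0.0.2
!
ip sla 10
 icmp-echo 203.0.113.1 source-interface Vlan10
 frequency 10
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 15 up 30
!
! Primary default (AD 1): removed from the RIB while track 10 is down,
! at which point the iBGP default from Site B (AD 200) is installed instead.
ip route 0.0.0.0 0.0.0.0 10.0.0.2 track 10
!
! Static routes to the locally homed branch subnets over the point-to-point links.
ip route 192.168.10.0 255.255.255.0 10.1.1.2
!
! Advertise only the default and the branch subnets, never the /32 probe route.
ip prefix-list ADVERTISE seq 5 permit 0.0.0.0/0
ip prefix-list ADVERTISE seq 10 permit 192.168.0.0/16 le 24
!
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list ADVERTISE
!
router bgp 65000
 neighbor 10.255.255.2 remote-as 65000
 ! Redistributing statics originates the default only while the tracked static
 ! is in the RIB; the BGP-learned backup default is not static, so it can never
 ! be sent back to Site B.
 redistribute static route-map STATIC-TO-BGP
```

Verify the behaviour with `show track 10`, `show ip route 0.0.0.0` and `show ip bgp 0.0.0.0` before and after shutting the firewall-facing link on one site; the default should move from the static next hop to the iBGP peer and back.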
07-24-2019 07:00 PM
Hi Giuseppe,
Thanks for replying. Yes, each branch site is connected by point-to-point ten-gig L3 links. There is no routing protocol running on any of the branch sites. They have static default routes pointing to either the Site A 3750 stack or the Site B 3750 stack depending on where they are homed.
Yes, each site's 3750 has a static default route pointing to its respective firewall (internet links will be on the firewall while the links to AWS will be on the 3750 stacks respectively). There is iBGP between the two stacks. So do you suggest that I set up IP SLA with track on the Cisco stack itself, or should it be on the Juniper firewall?
At the branch level this is how the setup is: each branch has got its own set of VLANs and one ten-gig routed port that plugs into the ten-gig routed port on the Cisco stack. Thus each branch site has just a default route pointing to that routed port IP on the Cisco stack.
The BGP peering that exists between these two stacks shares just 3 prefixes (one is the default route and the other two are the routes catering to the AWS cloud).
My questions are:
> The backup default route can be provided by BGP on the link between the sites. -- How to achieve this?
> Each main site needs to advertise in BGP (iBGP or eBGP between the two stacks?) a default route if the local primary default route is alive -> the command network 0.0.0.0 under router bgp can do this -- Did not understand this
> Each main site needs to advertise in BGP all the IP subnets related to its locally connected branch sites -- Why would this be needed? I didn't understand
> The firewalls need to be aware of all IP subnets of both sets of remote branch sites by adding appropriate static routes -- This looks to be already in place
Please guide.