Hello guys, below is my topology,
I have added internet fw and introduced ISP on site B.
Before site B resources/ servers would go via mpls to site a to access internet.
I introduced the above to make each site use its own isp respectively.
I ran to challenges, site b resources were not able to get to their isp/internet, until i introduced " ip route 0.0.0.0/0 sitebinternetfw interface. --> which works but causes some issues.
is there a way, to manipulate just internet traffic for site b resources without introducing static entries? and not affecting site a and b from communicating with each other?
Accepted Solutions
so bgp at 1941s, has route maps out, for downstream serverfirm subnet.and redistribution of ospfs' respective of the site.
Site A has some static routing, but on site A core sw ospf redistributes static routes.
so issues begin here, for example when you check for a route on site b, the route is not known, until you introduce a static route on 1941 of site b..-> since the bgp redistributes static as well, then the route now is known by site b 1941, which advertises it downstream , and servers in site b can reach the subnet now on site A and vice versa.
on site A, there a re quite number of ipsec tunnels, which have static entires on site A core sw. so you find these entries are not known in site b, so traffic from site b flows via mpls to core in site a then this core knows these guys needs to be routed via vpn.--. connectivity is ok.
question, where is this behaviour on the 1941s?
now when i want to introduce isp specific access to each site, the easiet way i went about it was, introducing the 0.0.0.0/0 to ciscoasa fw on site b.--> site b resources now get their internet access via their site b isp. my problem comes, when vpn clients are not able to reach site b resources, since now rem, since the vpn client routes are not known on the site b side, they fall under default category and forwarded to site b asa fw which does not know the route back to vpn clients.
a workaround would have all vpn static routed on site a core , on site a 1941 mpls edge router as well with core sw sita a as destination..-which would then be distributed by bgp across the sites, making 1941 mpls edge router on site a knowing about these routes, distributing them downstream to site b resources..,then these vpn clients routes would no longer fall under "default-route" and vpn clients would manage to access the site b resources.., problem is re-introduction of lots of static routing, which i wish to avoid/reduce.
Any insights here?
1. how to sort vpn learnt static routes be advertised to site b without introducing static routes at 1941 site mpls edge router?
2. is it possible as the setup is, make site b resources uses site b isp, without introducing default route at site be core sw?
Thanks.
so bgp at 1941s, has route maps out, for downstream serverfirm subnet.and redistribution of ospfs' respective of the site.
Site A has some static routing, but on site A core sw ospf redistributes static routes.
so issues begin here, for example when you check for a route on site b, the route is not known, until you introduce a static route on 1941 of site b..-> since the bgp redistributes static as well, then the route now is known by site b 1941, which advertises it downstream , and servers in site b can reach the subnet now on site A and vice versa.
on site A, there a re quite number of ipsec tunnels, which have static entires on site A core sw. so you find these entries are not known in site b, so traffic from site b flows via mpls to core in site a then this core knows these guys needs to be routed via vpn.--. connectivity is ok.
question, where is this behaviour on the 1941s?
now when i want to introduce isp specific access to each site, the easiet way i went about it was, introducing the 0.0.0.0/0 to ciscoasa fw on site b.--> site b resources now get their internet access via their site b isp. my problem comes, when vpn clients are not able to reach site b resources, since now rem, since the vpn client routes are not known on the site b side, they fall under default category and forwarded to site b asa fw which does not know the route back to vpn clients.
a workaround would have all vpn static routed on site a core , on site a 1941 mpls edge router as well with core sw sita a as destination..-which would then be distributed by bgp across the sites, making 1941 mpls edge router on site a knowing about these routes, distributing them downstream to site b resources..,then these vpn clients routes would no longer fall under "default-route" and vpn clients would manage to access the site b resources.., problem is re-introduction of lots of static routing, which i wish to avoid/reduce.
Any insights here?
1. how to sort vpn learnt static routes be advertised to site b without introducing static routes at 1941 site mpls edge router?
2. is it possible as the setup is, make site b resources uses site b isp, without introducing default route at site be core sw?
Thanks.
