1022 Views | 2 Helpful | 12 Replies

IP TRANSIT

felix.mugambi (Level 1)

Hello Team,

I need help configuring IP transit between my data centres. Below is the scenario.

On DCA I have 2 FTDs in HA (physical), managed by a virtual FMC. The FTDs peer with the ISP via BGP, advertising my /24 prefix. One address from this /24 I use to peer site-to-site VPNs with my partners.

On DCB I have 1 virtual FTD, managed by the virtual FMC in DCA. Here I have peered with an ISP that also advertises the same /24 via BGP. I don't have any IPsec site-to-site VPNs here.

I wish to have a setup in place where the site-to-site /32 IP used to peer VPNs on DCA can transit to DCB automatically, in case the links/network in DCA are unreachable, and that is transparent to my partners, i.e. I don't ask them to reconfigure their VPN peer.

Kindly give me ideas, configuration if possible on how to achieve this.

12 Replies

M02@rt37 (VIP)

Hello @felix.mugambi 

To enable automatic failover for your site-to-site VPN traffic from DCA to DCB, you could configure BGP peering on DCB to receive the /24 prefix from the ISP. Advertise a loopback interface with a /32 address on DCB and set up IP SLA on DCA to track the reachability of a specific IP. Modify the BGP configuration on DCA to conditionally advertise the /32 loopback IP from DCB based on the IP SLA status.

Ensure your site-to-site VPNs on DCA are configured to peer with the /32 loopback IP on DCB. When the IP SLA track detects a failure, BGP on DCA will stop advertising the /32 loopback IP, prompting automatic traffic rerouting to DCB without requiring partner reconfiguration.

Best regards

And do I need to separate how I manage the two FTDs, or can they still be managed by the single FMC?

felix.mugambi (Level 1)

So this cannot work if the /32 IP is on a physical interface?

Where does this loopback sit, in which DC? "Ensure your site-to-site VPNs on DCA are configured to peer with the /32 loopback IP on DCB." And since partners are already peering to a /32 IP sitting in DCA, what does that mean for me in your solution?

So you need the S2S VPN as a backup if the ISP is down?

But as I understand from your original post, the VPN also uses the ISP, so if the ISP is down the VPN will also be down.

MHM

The VPN peer IP, the /32, is among the /24 advertised by the ISP in DCA. The ISP in DCB has advertised the /24 on DCB as well. The question was how I can transit the /32 between the DCs, in case either has an issue.

I would use AS prepend to manipulate primary and secondary, but how to move the /32 peer IP is what I am having a challenge to visualize.

I really don't follow you; if you can share the topology it would make it clear.

Also, we can always use VTI if we face routing issues with legacy IPsec VPN; did you think about VTI?

Thanks

MHM

felix.mugambi (Level 1)
[Topology image: felixmugambi_1-1706090014792.png]


You can use VTI between the two FTDs, using as tunnel source and destination the IPs of the interfaces connecting the two sites to the SP. No need to use this overlapping subnet to build the VPN.
MHM

The VPNs in context here are to different partners, all mapped to the device and IP on DCA. These are all up.

I need to know if this peer IP on DCA can be moved to DCB (transited) using BGP advertisement concepts, so that should DCA have issues the protocol moves the peer IP to DCB; this way the partner will never know if DCA has an issue, or vice versa.

I think what you are looking for is this: you want IPsec to stay up when traffic changes from DC-1 to DC-2.
I think this cannot happen; you would need a stateful exchange between the FTDs in both sites to share all IPsec connection details,
so that the other peer doesn't detect the swap of IP between the two DCs.
I hope I am correct here.
MHM

There is the concept of AS prepend, where manually I would make DC1 preferable, with the best path, since I am advertising the /24 network, but how to make the /32 active on DC2 is where I am not getting it.

Secondly, does it mean I need a copy of the IPsec configs on DC2 as they are on DC1?
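A worked illustration, added here as an example and not part of any reply in the thread, covering the BGP side of M02@rt37's conditional-advertisement answer, MHM's point that no IPsec state moves with the route, and the two questions just above. It models what a partner's BGP-speaking edge router sees when DCA withdraws its announcement, and then checks whether DCB carries the same IPsec peer definitions. All addresses and AS numbers are constructed (documentation ranges, one customer AS at both sites, one ISP AS per site); the poster's real values are not on the page. Two caveats the model encodes: most ISPs do not accept a /32 from a customer, so the "move" really rides on the covering /24 being announced from DCB as well (with a prepend so DCA stays primary), and because no IKE/IPsec state is shared between the two FTDs, DCB must hold the same local /32 and the same IKE/IPsec peer configuration for the partner's IKE to re-establish there after DPD tears the old SAs down.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Path:
    """One BGP path as received by the partner's edge router."""
    prefix: str
    as_path: tuple        # left-most AS is the neighbour that sent the path
    next_hop: str
    local_pref: int = 100


def best_path(paths):
    """Subset of the BGP decision process: highest LOCAL_PREF, then shortest
    AS_PATH (this is what the prepend on DCB manipulates), then lowest next-hop
    address as a deterministic tie-break."""
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), ip_address(p.next_hop)))


class PartnerRib:
    """Minimal RIB for the partner side: keeps every received path per prefix
    and answers lookups with longest-prefix match plus best-path selection."""

    def __init__(self):
        self.paths = {}   # prefix string -> list of Path

    def advertise(self, path):
        self.paths.setdefault(path.prefix, []).append(path)

    def withdraw(self, prefix, next_hop):
        """Drop the path for prefix learned via next_hop, i.e. what the partner
        sees when the ISP serving that site withdraws the customer's prefix."""
        kept = [p for p in self.paths.get(prefix, []) if p.next_hop != next_hop]
        if kept:
            self.paths[prefix] = kept
        else:
            self.paths.pop(prefix, None)

    def lookup(self, dst):
        """Return the Path used to reach dst, or None if it is unreachable."""
        dst = ip_address(dst)
        covering = [(ip_network(pfx), ps) for pfx, ps in self.paths.items() if dst in ip_network(pfx)]
        if not covering:
            return None
        _, paths = max(covering, key=lambda c: c[0].prefixlen)   # longest match wins
        return best_path(paths)


# Constructed values for the example (documentation ranges, not the poster's addressing).
CUSTOMER_AS = 65001                    # assumed: same AS number announced from DCA and DCB
ISP_A, ISP_B = 65010, 65020            # assumed: upstream AS at DCA and at DCB
PREFIX = "203.0.113.0/24"              # the customer /24 announced from both sites
VPN_PEER = "203.0.113.10"              # the /32 the partners are configured to peer with
NH_A, NH_B = "198.51.100.1", "198.51.100.2"   # partner's next hops toward ISP A / ISP B


def build_partner_rib(dcb_prepend=2):
    """Both sites announce only the /24 (a /32 would normally be filtered by the
    ISP); DCB prepends its own AS so that DCA is the preferred entry point."""
    rib = PartnerRib()
    rib.advertise(Path(PREFIX, (ISP_A, CUSTOMER_AS), NH_A))
    rib.advertise(Path(PREFIX, (ISP_B,) + (CUSTOMER_AS,) * (1 + dcb_prepend), NH_B))
    return rib


def active_site(rib):
    """Which data centre currently receives the partner's traffic to the VPN peer /32."""
    p = rib.lookup(VPN_PEER)
    return None if p is None else ("DCA" if p.next_hop == NH_A else "DCB")


def simulate_failover():
    """Steady state, then DCA's announcement disappears (site or link down, or
    the conditional advertisement on DCA stops): the covering /24 from DCB now
    carries the /32 without the partner changing anything."""
    rib = build_partner_rib()
    before = active_site(rib)
    rib.withdraw(PREFIX, NH_A)
    after = active_site(rib)
    return before, after


def missing_on_dcb(dca_peers, dcb_peers):
    """Partners whose IKE/IPsec peer definition exists at DCA but is absent or
    different at DCB. After failover the partner's IKE retries land at DCB, and
    only an identical local address, peer, proposals and PSK/certificate reference
    will let the tunnel come back up there; nothing is inherited from DCA."""
    return sorted(name for name, cfg in dca_peers.items() if dcb_peers.get(name) != cfg)


# Constructed peer inventories for the check (hypothetical partners and settings).
DCA_PEERS = {
    "partner1": {"local": VPN_PEER, "remote": "192.0.2.1", "ike": "ikev2-aes256-sha256", "psk_ref": "partner1-key"},
    "partner2": {"local": VPN_PEER, "remote": "192.0.2.2", "ike": "ikev2-aes256-sha256", "psk_ref": "partner2-key"},
}
DCB_PEERS = {
    "partner1": {"local": VPN_PEER, "remote": "192.0.2.1", "ike": "ikev2-aes256-sha256", "psk_ref": "partner1-key"},
}

if __name__ == "__main__":
    print("active site before/after DCA withdrawal:", simulate_failover())
    print("partners not yet mirrored on DCB:", missing_on_dcb(DCA_PEERS, DCB_PEERS))
```

The model deliberately never announces the /32: the partner reaches 203.0.113.10 through the /24 in both states, which is why the question "how do I make the /32 active on DC2" is answered by the /24 plus a locally configured /32 on DCB, not by moving a host route across ISPs. What does not fail over is the IKE/IPsec state, so `missing_on_dcb` is the check to run before trusting the design: every partner listed there would see the route move but get no tunnel back until DCB carries the same configuration.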
