MPLS - network change

lovejit1313
Level 1

Hello Guys,

We provide WAN services to clients, and one of our clients has 8 sites connected to each other through our MPLS cloud.

Right now, we have a firewall at one site for them and everything is going to the Internet through it. They have only 50 Mb Internet.

They want us to put a new Internet connection at another site and route half of the sites' Internet traffic from there. Please let me know how I can accomplish this.

I am also confused: should I put one more firewall at the other Internet site, or should I go without it?

Thanks,

1 Accepted Solution

Giuseppe Larosa
Hall of Fame

Hello lovejit1313,

the customer has 8 sites and you provide an MPLS L3 VPN service to them.

In one of these 8 sites there is a firewall providing Internet access to all 8 sites.

This means that you are currently sending a default route 0.0.0.0/0 to the PE node connected to this site, and the PE node is sending a VPNv4 route to all other sites announcing the default route with the appropriate route target value, so that all remote PE nodes import the route and can advertise it to the locally connected CE node.

Now, the customer is asking to provide Internet access via a second site.

Ideally you should replicate the current infrastructure on this second site.

However, there are some considerations that need to be taken into account.

You are likely using route reflector servers and your PE nodes have MP-iBGP sessions with the route reflectors.

The PE node of the second VRF site with Internet access must use a different route distinguisher to avoid competition between the two VPNv4 default routes on the RRS.

Example: the VPNv4 routes

65000:100:0.0.0.0/0 with RT 65000:200

65000:121:0.0.0.0/0 with RT 65000:200

are considered not comparable by the RRS and both are propagated to all remote PE nodes.

Remote PE nodes will import both routes if they import RT 65000:200.

However, each PE node will make a best path choice based on:

the IGP metric to the PE nodes PE1 and PE2 generating the default route;

if the IGP metric is the same, the PE node with the lowest BGP router-id is used.

Depending on your backbone topology, the IGP can already provide some traffic load sharing to PE1 and PE2.

However, if you want to choose the best route on each PE node, you should use BGP standard communities, or you can set a higher weight for the default route coming from a specific next-hop (PE1 or PE2 loopback address).

You cannot use local-preference because it would propagate to other nodes in the same AS.

You can try to use a route-map applied within the VRF with an import-map command.

On each PEx with x different from PE1 and PE2:


! standard ACLs used only to match the BGP next-hop of the default route
access-list 11 remark PE1 loopback
access-list 11 permit host 10.11.11.11
!
access-list 12 remark PE2 loopback
access-list 12 permit host 10.22.22.22
!
! only the default route is subject to the weight manipulation
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
!
! higher weight for the default learned from PE2, lower for the one from PE1
route-map SET-WEIGHT-DEF-ROUTE permit 10
 match ip address prefix-list ONLY-DEFAULT
 match ip next-hop 12
 set weight 200
route-map SET-WEIGHT-DEF-ROUTE permit 20
 match ip address prefix-list ONLY-DEFAULT
 match ip next-hop 11
 set weight 100
! sequence 30 has no match or set: every other route is imported unchanged
route-map SET-WEIGHT-DEF-ROUTE permit 30
!
ip vrf CUSTOMER
 import map SET-WEIGHT-DEF-ROUTE


Either in this way or using BGP communities, you can make some sites prefer one or the other exit point.

The last block in the route-map is to accept all other routes (permit 30 with no match or set conditions).

To be noted: both firewalls must be able to serve all sites in case of a fault at one site.

Half of the PE nodes can prefer PE1's route and half of the PE nodes can prefer PE2's route in this way.

Hope to help

Giuseppe


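A small Python model of the selection logic in the accepted answer (an added example, not code from the post or from Cisco): it shows why the two default routes need distinct RDs to survive the route reflector, how the per-PE weight from the import map splits sites between PE1 and PE2, and that every site falls back to the surviving exit when one default is withdrawn. Router-ids, IGP metrics, the simplified RR tie-break and the PE3/PE4 names are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vpnv4Route:
    rd: str         # route distinguisher; with the prefix it forms the NLRI key
    prefix: str
    rt: str         # route target extended community
    next_hop: str   # loopback of the originating PE
    router_id: str  # BGP router-id of the originating PE

def _rid(route):
    return tuple(int(o) for o in route.router_id.split("."))

def rr_reflect(originated):
    """RR keeps one best path per NLRI (RD + prefix): same RD means the two
    defaults compete and only one is reflected; distinct RDs both get through."""
    best = {}
    for r in originated:
        key = (r.rd, r.prefix)
        if key not in best or _rid(r) < _rid(best[key]):  # simplified tie-break
            best[key] = r
    return list(best.values())

def pe_best_default(reflected, imported_rt, weight_by_next_hop, igp_metric):
    """Best path on a remote PE after the import map has set weight:
    highest weight, then lowest IGP metric to next-hop, then lowest router-id."""
    cands = [r for r in reflected if r.rt == imported_rt and r.prefix == "0.0.0.0/0"]
    if not cands:
        return None
    return min(cands, key=lambda r: (-weight_by_next_hop.get(r.next_hop, 0),
                                     igp_metric[r.next_hop], _rid(r)))

# Constructed data: loopbacks and RDs from the post, IGP metrics invented (equal)
PE1, PE2 = "10.11.11.11", "10.22.22.22"
DEFAULT_PE1 = Vpnv4Route("65000:100", "0.0.0.0/0", "65000:200", PE1, PE1)
DEFAULT_PE2 = Vpnv4Route("65000:121", "0.0.0.0/0", "65000:200", PE2, PE2)
SAME_RD_PE2 = Vpnv4Route("65000:100", "0.0.0.0/0", "65000:200", PE2, PE2)
IGP = {PE1: 10, PE2: 10}
PREFER_PE2 = {PE2: 200, PE1: 100}  # the post's SET-WEIGHT-DEF-ROUTE map
PREFER_PE1 = {PE1: 200, PE2: 100}  # mirrored map for the other half of the PEs

def exit_points(originated):
    """Exit PE chosen by PE3 (prefers PE2) and PE4 (prefers PE1), plus RR output size."""
    reflected = rr_reflect(originated)
    def pick(weights):
        best = pe_best_default(reflected, "65000:200", weights, IGP)
        return best.next_hop if best else None
    return {"reflected": len(reflected), "PE3": pick(PREFER_PE2), "PE4": pick(PREFER_PE1)}
```

Call `exit_points([DEFAULT_PE1, SAME_RD_PE2])` to see that with a shared RD the RR reflects a single default and every PE ends up on PE1 regardless of its import map.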

2 Replies


@Giuseppe Larosa You are great and I really appreciate your time and help.
