04-10-2024 10:31 PM
The user has ISR8300 routers. They are using p2p connectivity with 5 uplinks, and down the line from the switch to the router an encrypter link and a non-encrypter link have been connected.
Now the challenge is:
Encrypter link traffic should go through the 4 uplinks, and non-encryption link traffic should go through the 1 uplink (VSAT link).
I have already configured OSPF between the routers and defined cost values for the priority of the links. As per the user requirement, the 1st priority is always the radio link, and the CUC link; both links get the traffic from the encrypter link. The 3rd priority is the VSAT link, but this link should get traffic from the non-encryption link.
Please, can anyone suggest which features are needed on the switch and router?
04-10-2024 10:56 PM
Without redundancy I think this can be solved by using two OSPF processes.
One for non-encrypted and the other for encrypted traffic.
In that way each router learns the prefixes behind the other router via only one OSPF process.
MHM
04-10-2024 11:17 PM
Hi MHM,
Please suggest what features are required for this.
Thank you
04-10-2024 11:26 PM
router ospf 100
 network <encrypted subnet>
 network <subnet of link between routers for encrypted traffic>
!
router ospf 200
 network <non-encrypted subnet>
 network <subnet of link between routers for non-encrypted traffic>
MHM
04-11-2024 01:52 AM
Ok, but how will the switch shift the link from encryptor to non-encryptor?
04-11-2024 02:54 AM
BTW, multiple router processes feed the same router's route table unless you use VRFs.
04-11-2024 03:33 AM
How is that, if I don't use redistribute?
I am clear in my suggestion: the commands use network, not redistribute.
@kasulasaiganesh also run two OSPF processes on the SW to separate the OSPF DBs.
MHM
04-11-2024 04:43 AM
"How is that, if I don't use redistribute?"
Because it's not a question of copying (redistribution) one router process's routes into another router process on the same router, but of how router processes populate the router's route table on the same router.
What you're proposing is a variation of what Cisco, years (decades) ago, referred to as ships-in-the-night.
If the issue is unclear, as you do excellent labs, lab it up.
As mentioned in my prior reply, if you also used VRFs, the issue I'm describing shouldn't be an issue, although I'm unsure your approach would work if failover is considered (which OP did not), or with things like OP's drawing showing the switches as L2, which might negate your ". . . run also two ospf in SW to separate the ospf db."
04-11-2024 07:15 AM
Oh, rereading my replies, they may be taken to imply that what @MHM Cisco World suggested cannot work. If so, that's not (necessarily) the case!
All I'm noting is that, by default, the two OSPF router processes will place all their routes into one composite route table, per router. However, although both OSPF processes' routes would be in the route table, what I believe @MHM Cisco World has in mind is that not all remote networks would have the same next hop, which is what OP desires, i.e. different paths.
As I mentioned in my prior reply, handling link/path failures is a possible issue. Also noted in @MHM Cisco World's initial reply.
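An added example, not from any of the replies above: the two-OSPF-process design MHM outlines, combined with the VRF separation Joseph mentions so that each process populates its own route table rather than the shared one, using the link priorities (Radio, CUC, then VSAT) the OP describes. VRF names, interface numbers, addresses and router IDs are assumed; the peer router would mirror this configuration.

```cisco
! ---- VRF definitions (names assumed) ----
vrf definition ENCRYPT
 address-family ipv4
 exit-address-family
vrf definition CLEAR
 address-family ipv4
 exit-address-family
!
! ---- Uplinks carrying encrypted traffic (OSPF 100 / VRF ENCRYPT) ----
interface GigabitEthernet0/0/0
 description Radio link - 1st priority
 vrf forwarding ENCRYPT
 ip address 10.1.1.1 255.255.255.252
 ip ospf 100 area 0
 ip ospf cost 10
!
interface GigabitEthernet0/0/2
 description CUC link - 2nd priority
 vrf forwarding ENCRYPT
 ip address 10.1.2.1 255.255.255.252
 ip ospf 100 area 0
 ip ospf cost 30
!
! ---- Uplink carrying only non-encrypted traffic (OSPF 200 / VRF CLEAR) ----
interface GigabitEthernet0/0/1
 description VSAT link - non-encrypted traffic only
 vrf forwarding CLEAR
 ip address 10.1.3.1 255.255.255.252
 ip ospf 200 area 0
 ip ospf cost 20
!
! ---- Downlinks from the switch (interface numbers assumed) ----
interface GigabitEthernet0/0/3
 description From encrypter
 vrf forwarding ENCRYPT
 ip address 10.2.1.1 255.255.255.0
 ip ospf 100 area 0
!
interface GigabitEthernet0/0/4
 description Non-encrypted link
 vrf forwarding CLEAR
 ip address 10.2.2.1 255.255.255.0
 ip ospf 200 area 0
!
! ---- One OSPF process per VRF (router IDs assumed) ----
router ospf 100 vrf ENCRYPT
 router-id 192.0.2.100
!
router ospf 200 vrf CLEAR
 router-id 192.0.2.200
```

With this split, `show ip route vrf ENCRYPT` should never list the VSAT link, and VRF ENCRYPT simply loses its remote routes if both Radio and CUC go down; that matches the "no encrypted traffic over VSAT" requirement but leaves the switch-side failover question open.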
04-11-2024 06:43 AM - edited 04-11-2024 06:49 AM
How does encrypted/non-encrypted traffic get identified? Does the Cipher-box support routing? You have SVIs on an L2 switch; does it support dynamic routing protocols?
04-11-2024 09:29 AM - edited 04-11-2024 09:30 AM
@rais that is just an encryption box; it doesn't know any IP routing, it just has in/out interfaces.
1. First, the user requirement is that when they try to send any traffic it should go through the encrypter link, reach the router, and the router will forward the traffic based on the 1st priority (Radio link).
2. Second, the priority for each uplink has been configured manually on the interfaces.
! Radio link
interface GigabitEthernet0/0/0
 ip ospf cost 10
! VSAT link
interface GigabitEthernet0/0/1
 ip ospf cost 20
! CUC link
interface GigabitEthernet0/0/2
 ip ospf cost 30
I observed failover is working; up to now it is ok.
But the problem is the user does not want to send encrypted traffic through the VSAT link. My question is, when we lose the connection on the primary link (Radio link), how does the switch side shift the link from the encrypter to the non-encryptor link?
At the switch I configured IP SLA.
Please help me.
Thank you
04-11-2024 12:23 PM
By encrypted link you seem to mean Gi1/0/0? Is it possible to bundle Gi1/0/0 & 3 in a LAG with max-bundle 1 and the port priority being higher for Gi1/0/0? Can Gi1/0/1 be disabled in this case?
04-11-2024 08:04 PM - edited 04-11-2024 08:08 PM
@rais No, I have not configured a LAG here.
I used IP SLA for both links. See, that is all I'm asking: all uplink traffic except the 1 VSAT link should go through the encryptor, and from the encrypter to the router and the desired uplink, that means (Radio, CUC, E1, fiber).
And non-encryption traffic should go through the non-encryption link, the router and the VSAT link.
Cost values are manually configured for each link. The user preference is Radio link and CUC link as primary and secondary (both should get traffic from the encrypter). If these two links fail, then the user's next preference is the VSAT link (non-encryption traffic should come).
This one is ok. Links are shifting from Radio to CUC and CUC to VSAT. I also got the neighbour formed between the two OSPF routers.
But here my problem is on the switch side: how does IP SLA shift the link from primary to secondary when the VSAT link has come up?
Cisco TAC is suggesting PBR; is it right?
04-12-2024 05:00 AM
If VSAT is to be dedicated to non-encrypted traffic then a VRF on each 8300 can be created. Not sure if your switch supports PBR. If it does, simply PBR the non-encrypted traffic to the VRF.
04-12-2024 06:49 AM
@rais Yes, I have tried VRF and PBR. As per the above scenario PBR is not working.
Today I tried with ACLs and it's working now: from encrypter to router uplinks (Radio, E1&T1, CUC) and from non-encryption to router (VSAT link) are working.
Thanks everyone for your support.