04-04-2011 02:58 AM - edited 03-04-2019 11:58 AM
Dear Experts,
I want to figure out some possibility to block/advertise the local route to specified sites. Therefore I have attached a diagram for your review.
As per Diag:
1: there are 2 DR sites going to be existing in the network. [{1 x user recovery (Ennis)} and {1 x server recovery (Cork)}]
2: User recovery site is ok as its going to advertise a new subnet (10.18.128.0/24) but the server recovery site (Cork) is going to advertise the same subnets (10.18.108.0/24, 10.18.109.0/24 and 10.18.48.0/22) as Shannon.
3: User recovery site should only see the server in the Cork site, not the Shannon one, but it should also be able to reach anywhere in the whole network except Shannon, BUT the Cork site should only advertise the local routes (same as Shannon) to the Ennis site only, nowhere else.
Could anyone shed any light on how I can achieve it? I am using BGP for internal and external communication with IGP (EIGRP) in the network.
Green Line = Ennis and Cork should be able to work both ways.
Red line = Ennis shouldn't see the subnet in Shannon while Shannon should see the Ennis subnet (10.18.128.0/24).
Blue line = Primary IPSec-GRE tunnel.
Orange broken line = Backup IPSec tunnel.
Regds,
Faiz
04-05-2011 03:23 AM
Hi,
I'm afraid your case is very complicated with details missing
(Are both the clouds on your diagram provided by the same provider?
Are the tunnels mentioned through the Internet?
etc.)
There seems to be an oxymoron there:
"Red line = Ennis shouldn't see the subnet in Shannon while Shannon should see the Ennis subnet (10.18.128.0/24)."
Does it make a sense to see a subnet but not to be able to communicate as the subnet does not know how to send data back?
Generally:
You might want to discuss with your provider(s) possibilities like:
- Creating multiple MPLS VPNs and playing with Route Targets - that way a more sophisticated topology could be created with some sites "seeing" only a subset of other sites.
- Using BGP communities to tag prefixes advertised from some sites - you could filter incoming prefixes based on those communities (or your provider might have to do that if you are peering to his CE routers).
HTH,
Milan
04-05-2011 05:02 AM
Hi Milan,
Thanks for replying on this. Please find below these points for clarification:
1: There are 2 different clouds. 1 x BT MPLS and 2 x DSL lines
2: The topology we have is :
ISP cloud are pure internet cloud and we have built GRE-IPSec tunnels between the datacenter and access sites. Each site including DCs has 2 routers with dual homed scenario connected to each cloud and they are running IBGP internally and the route advertised from VPN router are path prepended to send the traffic primarily via MPLS routers.
I would like to set up these 2 DR sites with GRE tunnels to one of our datacenter VPN routers, and one of them is running with the same subnets as a live site (Shannon), therefore I stated:
a. Ennis site should be able to see everything but not those 3 subnets advertised from Shannon.
b. Shannon site, apart from these 3 subnets, should be able to see the Ennis site, but of course not the Cork site as this site (Cork) is advertising the same subnets as Shannon.
c. Ennis should only see or prefer these 3 subnets to be reachable via Cork but not Shannon.
I hope it will clear everyone's doubts.
Thanks for the suggestion.. everyone is welcome.
Regds,
Farhan
04-05-2011 07:11 AM
Hi,
in that case you probably might configure PBR on your Maidstone router (Ennis tunnel interface) making traffic coming from 10.18.128.0/24 to be routed to the Cork tunnel.
And the same on the Rackspace router.
But I still have got a bad feeling regarding the same subnets advertised from Shannon and Cork to your network.
Wouldn't it be worth using some kind of NAT instead?
HTH,
Milan
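An added illustration of the PBR approach Milan describes, written for this thread and not taken from the poster's or Milan's configuration. It assumes Cisco IOS on the Maidstone router with Tunnel10 as the Ennis-facing GRE/IPsec tunnel and Tunnel20 as the Cork-facing tunnel (both names are assumptions); only Ennis-sourced traffic to the three overlapping subnets is steered, everything else keeps its normal BGP/EIGRP path.

```cisco
! Added example (assumed interface names Tunnel10 = Ennis, Tunnel20 = Cork).
! Match only Ennis (10.18.128.0/24) -> the three subnets that Cork and Shannon
! both advertise. Anything not permitted here falls through the implicit deny
! and is routed normally, so Ennis still reaches the rest of the network.
ip access-list extended ENNIS-TO-CORK
 permit ip 10.18.128.0 0.0.0.255 10.18.108.0 0.0.0.255
 permit ip 10.18.128.0 0.0.0.255 10.18.109.0 0.0.0.255
 permit ip 10.18.128.0 0.0.0.255 10.18.48.0 0.0.3.255
!
! Policy: send matched packets out the Cork tunnel regardless of what the
! routing table says. If Tunnel20 is down, IOS falls through to normal
! routing, which on this design means Shannon; check that is acceptable.
route-map PBR-ENNIS permit 10
 match ip address ENNIS-TO-CORK
 set interface Tunnel20
!
! Apply inbound on the Ennis-facing tunnel (Milan's "Ennis tunnel interface").
interface Tunnel10
 description GRE-IPsec to Ennis (user recovery)
 ip policy route-map PBR-ENNIS
!
! Verification: the route-map match counter should increase only for
! Ennis-sourced traffic to the three subnets; a zero count means the ACL
! did not match and traffic is still following the BGP/EIGRP path.
!   show route-map PBR-ENNIS
!   show ip policy
```

Return traffic from Cork to Ennis follows Cork's own routing table, where 10.18.128.0/24 is advertised only by Ennis, so no policy is needed for that direction; the equivalent policy on the Rackspace router covers the backup tunnel path Milan mentions.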