Please reference the attached diagram. Remote Site is currently connected to Site A and Site B via GRE/ipsec tunneling running EIGRP. Site A and Site B WAN side are connected to MPLS and both exchange bgp route. On the CE routers in each site BGP and EIGRP redistribute with each other and the CE and VPN routers at each respective site are EIGRP neighbors. Remote Site needs access to resources in both Site A and Site B but I prefer to have them access resources in Site B by crossing Site A and only use the direct connection to Site B if Site A fails (reason being Remote Site is much closer to Site A by physical location and want to leverage CoS from MPLS vs Site B that is across the ocean). I'm bumping into a couple of obstacles trying to plan this out. Sample configs of the routers:
Site A VPN Router:
interface Tunnel1
ip address 172.30.201.5 255.255.255.252
ip access-group ACLSTUFF out
qos pre-classify
tunnel source GI0/0
tunnel destination RemoteSiteIP
tunnel protection ipsec profile GREProfile
router eigrp 50
redistribute bgp 65003 metric 1500 10 255 1 1500
network 172.30.201.0 0.0.0.255
no auto-summary
router bgp 65003
redistribute eigrp 50 metric 1
neighbor CERtrt
no auto-summary
no synchronization
Site B VPN Router:
interface Tunnel0
ip address 172.30.200.5 255.255.255.252
ip access-group ACLSTUFF out
qos pre-classify
tunnel source GI0/0
tunnel destination RemoteSiteIP
tunnel protection ipsec profile GREProfile
router eigrp 50
redistribute bgp 65003 metric 1500 10 255 1 1500
network 172.30.200.0 0.0.0.255
no auto-summary
router bgp 65003
redistribute eigrp 50 metric 1
neighbor CERtrt
no auto-summary
no synchronization
Remote Site 871:
interface Tunnel0
ip address 172.30.200.6 255.255.255.252
ip access-group ACLSTUFF out
qos pre-classify
tunnel source GI0/0
tunnel destination SiteBIP
tunnel protection ipsec profile GREProfile
interface Tunnel1
ip address 172.30.201.6 255.255.255.252
ip access-group ACLSTUFF out
qos pre-classify
tunnel source GI0/0
tunnel destination SiteAIP
tunnel protection ipsec profile GREProfile
router eigrp 50
network 172.30.201.0 0.0.0.255
network 172.30.200.0 0.0.0.255
no auto-summary
1. GRE ipsec tunneling will not show up active/active on the remote site. Only one tunnel remains active as long as the peer is alive (doing a show ip eigrp neighbor you only see one side active). This becomes a problem if the CE router in Site A fails but because the VPN router is still alive the remote router will not activate the second tunnel. The remote site is using Cisco 871s. Failover between GRE tunnels works fine (if VPN router in Site A fails, EIGRP peering occurs with Site B and things flow fine).
2. If we resolve Step 1, then that means Site A and Site B VPN routers will receive Remote Site local subnet as a network and advertises that out to their respective CE routers. Each CE router desitributes EIGRP into BGP and advertises into MPLS. The problem comes up here is if one side advertises faster (lets say Site B was able to send the route first), then Site A sees the incoming BGP route and immediately drops the EIGRP route because of administrative distance. As a result of that Site A no longer advertises the remote site. If the remote site is using Site A as a transite site in this scenario then there will be asynchronous routing going on.
What would be the best setup where the remote site will access resources in Site B through Site A as a primary? Any advice is appreciated.
Thanks!
