
ROUTE MANIPULATION

fmugambi

Hello Team,

I have a network as attached,

fmugambi_0-1721641746525.png

I have a different thread on the community for assistance with the "passive-site", to redistribute the IPsec static routes from the vFTD to the core sw site 2. This is still in progress, as it is still not working as expected: despite the ospf red static command on the vFTD, the core site 2 does not learn the remote IPsec networks.

If we were to unblock this, then my next challenge follows:

Core sw site 2 would know the remote IPsec networks, so how would this operate to avoid asymmetric routing, where traffic comes in from the active site, say, to a site b vlan/server, the server responds back, and traffic gets to core sw site 2? How would this device route the traffic: via the vFTD on the passive-site, or back via MPLS to the active site FTD and then to the destination?

Is there a way to control this that's more efficient than shutting down interfaces at the passive-site, and unshutting them once the active-site has an issue and you expect to fail over traffic to the passive-site?

Your support, thoughts and ideas on this will be much appreciated.

Thank you.

 


If I am understanding correctly:

Two FTDs redistribute the RRI subnet into OSPF.

You need the core to use one path rather than the other?

MHM

Yes, both FTDs have the same IPsec tunnels, but only one is active at a time, for failover in case any site has an issue.

So how do you make the cores only route OSPF routes in the direction of the active remote clients?

I am using BGP for this failover, using AS prepend. I make the passive site less preferable than the active site.

If this issue is not solved, I think I found a solution here.
Please confirm it is not solved, so I can run a lab and share the result with you.

Thanks

MHM

Kindly share; I have not found a solution for how active routing will happen.

I remember you have an old lab for this topology. Do you still have this lab? If you have, use conditional advertisement and check.
For the static route there is no need to add a VPN in your lab; only a static route to null0 will be OK.

MHM

https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/16137-cond-adv.html


Hi, thanks for your time on this.

I understood how conditional routing comes into play here,

but a question on my end: which condition do I use? My remote IPsec networks are very diverse; they are not /24 networks, some are, some are less. How do I cater for all of them without breaking anything?

 
