07-22-2024 02:54 AM
Hello Team,
I have a network as attached,
I have a different thread on the community to get help on the "passive-site" redistributing the IPsec static routes from the vFTD to the core sw site 2. This is still in progress, as it is still not working as expected: despite the ospf red static command on vFTD, the core site 2 does not learn the remote IPsec networks.
If we were to unblock this, then my next challenge follows:
core sw site 2 would know the remote IPsec networks, so how would this operate to avoid asymmetric routing, where traffic comes in from the active site to, say, a site B VLAN/server, the server responds back, and traffic gets to core sw site 2? How would this device route the traffic: via vFTD on the passive-site, or back via MPLS to the active site FTD and then to the destination?
Is there a way to control this that's more efficient than shutting down interfaces at the passive-site, and unshutting them once the active-site has an issue and you expect to fail over traffic to the passive-site?
Your support, thoughts and ideas on this will be much appreciated.
Thank you.
07-23-2024 05:55 AM
If I am understanding correctly:
Two FTDs redistribute the RRI subnet into OSPF.
You need the core to use one path rather than the other?
MHM
07-23-2024 06:01 AM
Yes, both FTDs have the same IPsec tunnels, but one is active at a time, for failover in case any site has an issue.
So how do you make the cores only route OSPF routes in the active remote clients' direction?
07-23-2024 06:02 AM
I am using BGP for this failover, using AS prepend. I make the passive site less preferable than the active site.
07-26-2024 06:54 AM
If this issue is not solved, I think I found a solution here.
Please confirm it is not solved, so I can run a lab and share the result with you.
Thanks
MHM
07-26-2024 06:57 AM
Kindly share; I have not found a solution for how active routing will happen.
07-31-2024 05:45 PM
I remember you have an old lab for this topology. Do you still have this lab? If you have it, use conditional advertisement and check.
For the static route, there is no need to add a VPN in your lab; only a static route to null0 will be OK.
MHM
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/16137-cond-adv.html
08-01-2024 01:58 AM
Hi, thanks for your time on this.
I understood how conditional routing comes into play here,
but a question on my end: which condition do I use? My remote IPsec networks are very diverse; they are not /24 networks, some are, some are less. How do I cater for all of them without breaking anything?
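
Added example, not part of any post in this thread: a Cisco IOS lab configuration for the BGP conditional advertisement suggested above, with Null0 static routes standing in for the IPsec networks and one prefix-list entry covering mixed prefix lengths. All addresses, AS numbers and map names are constructed assumptions, as is the choice of a loopback that only the active site originates as the tracked prefix.

```cisco
! Passive-site router. Constructed lab values (documentation ranges).
! Null0 statics stand in for the IPsec remote networks, mixed lengths.
ip route 198.51.100.0 255.255.255.128 Null0
ip route 198.51.100.128 255.255.255.224 Null0
!
! One covering entry matches every remote network from /24 down to /32.
! Networks outside this range would need their own entries.
ip prefix-list IPSEC-REMOTE seq 5 permit 198.51.100.0/24 le 32
!
! Assumed: a prefix that only the active site originates into BGP.
ip prefix-list ACTIVE-ALIVE seq 5 permit 203.0.113.1/32
!
route-map ADV-IPSEC permit 10
 match ip address prefix-list IPSEC-REMOTE
!
route-map ACTIVE-ALIVE permit 10
 match ip address prefix-list ACTIVE-ALIVE
!
router bgp 64497
 neighbor 192.0.2.1 remote-as 64496
 ! Put the stand-in statics into the local BGP table.
 redistribute static route-map ADV-IPSEC
 ! Advertise them only while the active-site prefix is absent
 ! from the BGP table, i.e. while the active site is unreachable.
 neighbor 192.0.2.1 advertise-map ADV-IPSEC non-exist-map ACTIVE-ALIVE
```

While 203.0.113.1/32 is present in the BGP table, `show ip bgp neighbors 192.0.2.1 advertised-routes` should not list the 198.51.100.x prefixes; they appear once the tracked prefix is withdrawn.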