Routing design issue


Because a picture tells more than a thousand words, herewith a part of our network topology (IPs are not valid, just an example).

The picture is how the network is configured currently, except for the VPN tunnel.

How it works currently: the Remote Office (RO) network traffic is as follows: all corporate traffic goes over the MPLS cloud and for the internet it breaks out locally at FW 2.

What we have:

The HQ is a large network with more than a thousand network routes.

The routers (router 1 and router 2) are managed routers, so we have influence but the service provider will do the job and decides if the suggested config will be applied. Both are Cisco devices.

The firewalls we configure ourselves; both are Junipers, where FW 1 is an SSG320M and FW 2 an SSG20.

The L3 switch is a Cisco 3750 with IP Base 12.2.50 or newer software, so it supports OSPF.

What we want:

What we want is to create redundancy for the WAN.

From the RO view all traffic still must go over the MPLS; this is because of VoIP.

In case of a problem within the MPLS, we would like to route over the IPSec tunnel.

Design Limitations:

The preferred routing protocols are OSPF and BGP.

There is a technical limitation in FW2, it supports max. 1030 routes in the table, so summary/aggregation is mandatory.

The L3 switch does not support BGP but it supports OSPF.


The things I have tested are the following:

1) FW1, FW2, Switch and Router 2 in an AREA 2 NSSA.

Conclusion: The L3 switch routing will go over FW2 and Router 2; this is because some routes are original OSPF and others are externals. The switch relies on the preferred sequence OSPF intra, inter, external 1 and external 2.

It is possible that traffic arrives over the FW and leaves via router 2. Stateful FWs don't like this.

2) FW1 and FW2 with BGP routing.

Between FW1 and FW2 BGP routing, and FW2, Router 2 and L3 switch in OSPF AREA 2 NSSA.

Did an aggregate on Router 1 and FW1. However, when FW1 lost connection with OSPF area 0 the routing table didn't switch back to MPLS. FW1 still aggregates the routes to FW2.

Does anyone have an idea how this is solvable?

Thanks in advance,

Ed Martens

martens.ed [ add ] gmail [ dot ] com


Xavier Hick

Given the description, it looks like the FW1 is advertising the aggregate whether the more specific routes which should be the basis of the aggregate are reachable or not. If I understood this right, the solution would then be to ensure the aggregate isn't advertised anymore when the composite route of the aggregate is missing. I guess there is an option on Juniper devices to achieve this as well, since this is the default behavior on Cisco platforms.
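Xavier's point, modelled as an added example (not code from the thread or from either vendor): FW1 sends FW2 the aggregate only while at least one component route is still in its table, and FW2 then picks between the MPLS path and the tunnel path. Prefixes, next-hop names and the preference values (lower wins) are constructed assumptions, not the poster's real addressing.

```python
from ipaddress import ip_network

# Constructed sample values (the thread's own IPs are examples as well).
HQ_AGGREGATE = "10.0.0.0/8"
HQ_ROUTES = ["10.1.0.0/24", "10.2.0.0/24", "10.3.0.0/24"]  # what FW1 learns from area 0
MPLS_ROUTES = ["10.0.0.0/8"]  # Router 1's aggregate as seen by FW2 via Router 2
MPLS_PREF, TUNNEL_PREF = 110, 170  # assumed: MPLS preferred, tunnel is the backup


def components(rib, aggregate):
    """More-specific routes in `rib` that fall inside `aggregate`."""
    agg = ip_network(aggregate)
    return [p for p in rib if ip_network(p) != agg and ip_network(p).subnet_of(agg)]


def advertise_aggregate(rib, aggregate, conditional):
    """Prefixes FW1 announces to FW2 over the tunnel. With `conditional` the
    aggregate is withdrawn once no component route remains (the behaviour the
    reply describes as Cisco's default); otherwise it is announced regardless."""
    if conditional and not components(rib, aggregate):
        return []
    return [aggregate]


def best_route(candidates, destination):
    """Longest prefix match, then lowest preference value; None means no route."""
    dst = ip_network(destination)
    matches = [c for c in candidates if dst.subnet_of(ip_network(c["prefix"]))]
    if not matches:
        return None
    return min(matches, key=lambda c: (-ip_network(c["prefix"]).prefixlen, c["pref"]))


def fw2_next_hop(fw1_rib, mpls_prefixes, destination, conditional):
    """Next hop FW2 selects for `destination` given both sources of routes."""
    candidates = [{"prefix": p, "pref": MPLS_PREF, "nh": "router2"} for p in mpls_prefixes]
    candidates += [{"prefix": p, "pref": TUNNEL_PREF, "nh": "fw1-tunnel"}
                   for p in advertise_aggregate(fw1_rib, HQ_AGGREGATE, conditional)]
    best = best_route(candidates, destination)
    return best["nh"] if best else None


def delivered(fw1_rib, mpls_prefixes, destination, conditional):
    """True if a packet from the RO reaches HQ. Via the tunnel it only arrives
    if FW1 itself still holds a route; an unconditional aggregate hides that."""
    nh = fw2_next_hop(fw1_rib, mpls_prefixes, destination, conditional)
    if nh == "router2":
        return True
    if nh == "fw1-tunnel":
        fw1_view = [{"prefix": p, "pref": 0, "nh": "hq"} for p in fw1_rib]
        return best_route(fw1_view, destination) is not None
    return False
```

With the MPLS path and FW1's area 0 link both down, the unconditional aggregate still steers FW2 into the tunnel and the traffic is blackholed at FW1, while the conditional aggregate leaves FW2 with no route, which is what the RO should see.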



Hello Xavier,

The solution will be found in this thread.

Thanks for the reply

