I am working on setting up dynamic redundancy between two ISPs. I do not have a /24 block assigned, so BGP peering is not an option. The site is remote and I don't have the ability to easily change the way things are connected. The architecture is illustrated below.
The idea is to take the received default from the ISPs, redistribute it into separate OSPF ASNs on the border routers, receive it on the ASAs, redistribute it into the internal ASN (50) and propagate it to the 6500. The 6509 gets two equal-cost OSPF-derived default routes and load balances internet-bound traffic between the ISPs.
Two separate IPsec tunnels exist back to an Active/Passive HA pair of ASAs at HQ. The object is to get a tunnel active and nailed up over one ISP and not the other.
1) The 6509 receives the defaults on the same VLAN where the ASAs' inside interfaces land. I see the default received from one being heard by the other ASA and listed in the OSPF database. I assume I need to filter defaults being received on the inside interface but can't find a way to do it that works.
2) I'm not clear on how to tell the HQ ASA which tunnel to establish. There's no GRE over IPsec and I don't want to go there. How do I steer tunnels originating from the Active/Passive HA ASA pair at HQ?
3) Steering tunnel traffic from the remote site is in question as well. If I equal-cost load balance, then I'll need to steer the traffic one way or the other, as I don't think I can have both tunnels up at the same time. Having trouble with this and need help. A route map on the 6509 might work (changing the next-hop address of HQ subnets). Internet traffic would still get balanced, but HQ tunnel traffic should steer nicely. Ideas?
4) The final big issue is that I'm not well versed in OSPF and am concerned that there are underlying OSPF issues I'm missing. Thoughts? Red flags?
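Added example for item 3, not from the original post: a policy-based routing map on the 6509 that rewrites the next hop for HQ-bound traffic only, with object tracking so the policy falls back to the normal equal-cost OSPF defaults if the chosen ASA stops answering. The VLAN numbers, inside addresses and the HQ summary prefix are assumed placeholders.

```cisco
! Added example (not the poster's or Cisco's config): steer HQ subnets
! through ASA-A (ISP-A path) on the 6509 while all other Internet traffic
! keeps using both OSPF-derived default routes.
!
! Assumed addressing (placeholders):
!   VLAN 10 = shared inside VLAN, 6509 SVI 10.10.10.1/24
!   ASA-A inside 10.10.10.2 (ISP-A), ASA-B inside 10.10.10.3 (ISP-B)
!   VLAN 20 = user VLAN at the remote site
!   HQ internal networks summarised as 10.200.0.0/16
!
! Match only traffic destined for the HQ subnets.
ip access-list extended HQ-SUBNETS
 permit ip any 10.200.0.0 0.0.255.255
!
! Probe ASA-A's inside address so the policy is withdrawn when ASA-A is
! unreachable. This detects ASA-A itself being down, not an ISP-A outage
! behind it; for that, the ASA must stop forwarding or the probe must
! target something beyond ASA-A.
ip sla 1
 icmp-echo 10.10.10.2 source-interface Vlan10
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! Set the next hop only while the tracked object is up; otherwise the
! packet is routed normally, i.e. load balanced across both ASAs.
route-map STEER-HQ permit 10
 match ip address HQ-SUBNETS
 set ip next-hop verify-availability 10.10.10.2 10 track 1
!
! Apply the policy where user traffic enters the 6509, not on the ASA
! VLAN, so return traffic from the ASAs is never policy-routed.
interface Vlan20
 ip policy route-map STEER-HQ
```

Verify with `show route-map STEER-HQ` (policy matches) and `show track 1` (tracked state) after bringing a tunnel up.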