I am working on setting up dynamic redundancy between two ISPs. I do not have a /24 block assigned, so BGP peering is not an option. The site is remote and I don't have the ability to easily change the way things are connected. The architecture is illustrated below.
The idea is to take the received default from the ISPs, redistribute it into separate OSPF ASNs on the border routers, receive it on the ASAs, redistribute it into the internal ASN (50) and propagate it to the 6500. The 6509 gets two equal-cost OSPF-derived default routes and load balances internet-bound traffic between the ISPs.
Two separate IPsec tunnels exist back to an Active/Passive HA pair of ASAs at HQ. The object is to get a tunnel active and nailed up over one ISP and not the other.
1) The 6509 receives the defaults on the same VLAN as the ASAs' inside interfaces land on. I see the default received from one being heard by the other ASA and listed in the OSPF database. I assume I need to filter defaults being received on the inside interface but can't find a way to do it that works.
2) I'm not clear on how to tell the HQ ASA which tunnel to establish. There's no GRE over IPsec and I don't want to go there. How do I steer tunnels originating from the Active/Passive HA ASA pair at HQ?
3) Steering tunnel traffic from the remote site is in question as well. If I equal-cost load balance, then I'll need to steer the traffic one way or the other, as I don't think I can have both tunnels up at the same time. Having trouble with this and need help. A route map on the 6509 might work (changing the next-hop address of HQ subnets). Internet traffic would still get balanced, but HQ tunnel traffic should steer nicely. Ideas?
4) The final big issue is that I'm not well-versed in OSPF and am concerned that there are underlying OSPF issues I'm missing. Thoughts? Red flags?
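One way to wire up the three steering pieces the post asks about (filtering the other ASA's default on the inside interface, making HQ prefer one peer, and pinning HQ-bound traffic on the 6509 to one ASA), as an added example that is not part of the original post and not vendor documentation. All addresses (10.1.1.0/24 as the inside VLAN with the 6509 at .1, ASA-A at .2 and ASA-B at .3; 10.200.0.0/16 as HQ; 198.51.100.2 and 203.0.113.2 as the remote ASAs' outside addresses), object names and process numbers are constructed, and the command syntax is written from memory of IOS and ASA OSPF/crypto commands, so check each line against the release you run:

```cisco
! --- Remote ASA-A (mirror on ASA-B): keep the other ASA's default out of the RIB ---
! An inbound distribute-list only controls what OSPF installs into the routing table.
! The LSA still appears in the LSDB, which is expected and harmless.
access-list NO-DEFAULT-IN standard deny host 0.0.0.0
access-list NO-DEFAULT-IN standard permit any4
router ospf 50
 distribute-list NO-DEFAULT-IN in interface inside

! --- HQ ASA (the active unit of the HA pair): prefer the ISP1 tunnel, fall back to ISP2 ---
! With an ordered peer list the ASA negotiates with the first peer and only moves to the
! next one when that negotiation fails, so only one of the two tunnels is up at a time.
crypto map OUTSIDE_MAP 10 match address REMOTE-SITE
crypto map OUTSIDE_MAP 10 set peer 198.51.100.2 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside

! --- 6509: HQ-bound traffic always via ASA-A; internet keeps ECMP on the two OSPF defaults ---
! A plain floating static would never fail over, because the inside VLAN stays up even when
! ASA-A's ISP is dead. Track a probe toward HQ instead, and pin the probe target itself to
! ASA-A with a /32 so the probe cannot "heal" through ASA-B and flap the primary back up.
ip route 10.200.0.1 255.255.255.255 10.1.1.2
ip sla 1
 icmp-echo 10.200.0.1 source-interface Vlan10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 10.200.0.0 255.255.0.0 10.1.1.2 track 1
ip route 10.200.0.0 255.255.0.0 10.1.1.3 250
```

The static-plus-tracking approach does the same job as the route map mentioned in point 3 with less state to debug: HQ prefixes leave the OSPF ECMP decision entirely, so a default learned from either ISP never pulls tunnel traffic to the wrong ASA. When the tracked route fails, traffic shifts to ASA-B, which initiates to HQ from 203.0.113.2, an address HQ already accepts as its second peer.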