Hi Folks,
I have a few questions regarding a mesh VPN deployment.
We have site 1 (our main office), site 2 (our Detroit office) and site 3 (our data center).
Each site is linked up via a routed VPN tunnel (VTI interface), and we use OSPF to distribute the routes.
Example:
interface Tunnel0
 description tunnel to AIS San Diego
 bandwidth 10240
 ip address 172.28.42.2 255.255.255.0
 zone-member security inside
 ip ospf network broadcast
 ip ospf mtu-ignore
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xxx.xxx.xxx.xxx (public IP)
 tunnel protection ipsec profile VTI
!
!
router ospf 42
 log-adjacency-changes
 redistribute static subnets
 network 10.0.1.0 0.0.0.255 area 0
 network 10.0.3.0 0.0.0.255 area 0
 network 172.16.42.1 0.0.0.0 area 0
 network 172.16.42.2 0.0.0.0 area 0
 network 172.28.41.1 0.0.0.0 area 0
 network 172.28.42.2 0.0.0.0 area 0
 network 172.28.50.1 0.0.0.0 area 0
!
ip route 10.87.42.0 255.255.255.0 172.16.42.2 permanent name SDOfficeL3Switch
ip route 10.87.43.0 255.255.255.0 172.16.42.3 permanent name soPhoneRoute
Our main networks live behind a layer 3 switch that does not support OSPF, so we assigned static routes and used redistribute static subnets to get them sent to the other OSPF peers.
We now have new VPN connections into Amazon's VPC, two tunnels into each site. Only these use BGP to converge their routes.
Example:
interface Tunnel2
 description tunnel 1 into amazons infrastructure (BGP)
 bandwidth 10240
 ip address 169.254.253.2 255.255.255.252
 ip virtual-reassembly
 zone-member security toDetroit
 ip tcp adjust-mss 1387
 tunnel source public-IP-of-Interface
 tunnel mode ipsec ipv4
 tunnel destination Amazon-public-ip
 tunnel protection ipsec profile ipsec-vpn-748cdc31-1
!
router bgp 65000
 bgp log-neighbor-changes
 neighbor 169.254.253.1 remote-as 7224
 neighbor 169.254.253.1 timers 10 30 30
 neighbor 169.254.253.5 remote-as 7224
 neighbor 169.254.253.5 timers 10 30 30
 !
 address-family ipv4
  no synchronization
  network 10.87.42.0 mask 255.255.255.0
  neighbor 169.254.253.1 activate
  neighbor 169.254.253.1 soft-reconfiguration inbound
  neighbor 169.254.253.5 activate
  neighbor 169.254.253.5 soft-reconfiguration inbound
  no auto-summary
 exit-address-family
My question: How can I get the sites to use an alternate route into Amazon's VPC should the primary tunnel go down?
I have "network 10.0.1.0 0.0.0.255 area 0" and "network 10.0.3.0 0.0.0.255 area 0" on a secondary site, but they have not made their way into the routing table on an external site's router yet.
cerberus#sh ip route ospf
     5.0.0.0/20 is subnetted, 1 subnets
O E2    5.5.0.0 [110/20] via 172.28.42.2, 01:39:15, Tunnel1
O E2 192.168.40.0/24 [110/20] via 172.28.40.2, 00:19:25, Tunnel0
     172.16.0.0/24 is subnetted, 2 subnets
O       172.16.42.0 [110/10] via 172.28.42.2, 01:39:15, Tunnel1
O       172.16.1.0 [110/10] via 172.28.40.2, 00:19:25, Tunnel0
     172.28.0.0/24 is subnetted, 4 subnets
O       172.28.50.0 [110/18] via 172.28.42.2, 01:39:15, Tunnel1
                    [110/18] via 172.28.40.2, 00:19:15, Tunnel0
O       172.28.41.0 [110/18] via 172.28.42.2, 01:39:15, Tunnel1
                    [110/18] via 172.28.40.2, 00:19:15, Tunnel0
     10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O E2    10.87.44.0/24 [110/20] via 172.28.40.2, 00:19:25, Tunnel0
O E2    10.87.43.0/24 [110/20] via 172.28.42.2, 01:39:15, Tunnel1
O E2    10.87.42.0/24 [110/20] via 172.28.42.2, 01:39:15, Tunnel1
O E2 192.168.2.0/24 [110/20] via 172.28.40.2, 00:19:25, Tunnel0
Hopefully I've explained this well enough.
TYIA