Routing Design issue

emartens
Level 1

Because a picture tells more than a thousand words, herewith a part of our network topology (IPs are not valid, just an example).

The picture is how the network is configured currently, except for the VPN tunnel.

How it works currently: the Remote Office (RO) network traffic is as follows: all corporate traffic goes over the MPLS cloud, and for the internet it breaks out locally at FW 2.

What we have:

The HQ is a large network with more than a thousand network routes.

The routers (router 1 and router 2) are managed routers, so we have influence, but the service provider will do the job and decides if the suggested config will be applied. Both are Cisco devices.

The firewalls we configure ourselves, both Junipers, where FW 1 is an SSG320M and FW 2 an SSG20.

The L3 switch is a Cisco 3750 with IP Base 12.2.50 or newer software, so it supports OSPF.

What we want:

What we want is to create redundancy for the WAN.

From the RO view all traffic still must go over the MPLS, because of VoIP.

In case of a problem within the MPLS, we would like to route over the IPSec tunnel.

Design Limitations:

The preferred routing protocols are OSPF and BGP.

There is a technical limitation in FW2: it supports a maximum of 1030 routes in the table, so summarization/aggregation is mandatory.

The L3 switch does not support BGP but it supports OSPF.

Tested:

The things I have tested are the following:

1) FW1, FW2, Switch and Router 2 in an AREA 2 NSSA.

Conclusion: The L3 switch routing will go over FW2 and Router 2, because some routes are original OSPF and others are externals. The switch relies on the preference sequence OSPF intra, inter, external 1 and external 2. (http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q13)

It is possible that traffic arrives over the FW and leaves via router 2. Stateful FWs don't like this.

2) FW1 and FW2 with BGP routing.

Between FW1 and FW2 BGP routing, and FW2, Router 2 and the L3 switch in OSPF AREA 2 NSSA.

Did an aggregate on Router 1 and FW1. However, when FW1 lost connection with OSPF area 0 the routing table didn't switch back to MPLS. FW1 still aggregates the routes to FW2.

Does anyone have an idea how this is solvable?

Thanks in advance.

Ed Martens

martens.ed [ add ] gmail [ dot ] com

1 Accepted Solution: Dan's reply below.

11 Replies

Latchum Naidu
VIP Alumni

Hi,

Huff, you have put in more matter; as you said, the picture gives a better idea than the text.

What I understand is you have HQ and Remote sites, both are connected through MPLS & Internet.
BGP running on MPLS and OSPF running on IPSec tunnel over Internet.

You want to achieve that if the MPLS link is down, the route to the Remote site should automatically go through the IPSec tunnel over the Internet.

In any case the primary path will take over MPLS because of BGP as per its AD; until you have configured additional stuff it won't go through IPSec because of the OSPF AD.

Is the above correct, and does what I understand make sense?


Regards,
Naidu.

Currently there is no IPSec tunnel. We want to have it.

I have problems getting the routing correct.

What I want is all corporate routes over the MPLS and internet over the FW.

In case of problems with MPLS, the corporate routes go over the IPSec.

Thanks,

Ed

Hi Ed ,

2) "However when FW1 lost connection with OSPF area 0 the routing table didn't switch back to MPLS. FW1 still aggregates the routes to FW2."

Should this link be the backup link ?

"In case of a problem within the MPLS, we would like to route over the IPSec tunnel."

Dan

Yes, the IPSec needs to be the backup.
But as in config 2, the routing switch between MPLS and IPSec did not go smoothly.
It stays on the same path even after an interruption has occurred. This was due to the aggregation.

Thanks,

Ed

Ed ,

What aggregation are you talking about, the aggregation of the routes advertised from the remote site ?


Dan

Hi Dan,

No, Aggregation was done on FW 1 and router 1.

This was to summarize "all" 10.0.0.0/8 networks into one route entry, to minimize the routing table.

Ed

Ed,

Ok. So if I understood well, from HQ you advertise 10/8 to the remote site.

From the remote site you advertise the branch subnet.

Do you/the ISP change the cost and the metric-type of the routes from BGP to OSPF?

The cost (on both ends HQ/Branch) of the 10/8 respectively the branch route should be lower from MPLS than from the Firewalls.

Also, is the aggregate also advertised in OSPF area 0 of HQ?

Dan

Hi Dan,

This can be arranged;

however, when I aggregate on router 1 it is okay.

But when the router is disconnected from the LAN at HQ it still keeps advertising the aggregate to router 2. So all traffic goes into the bucket.

When I don't aggregate all works fine and routing will be over the tunnel, and back when it comes up again.

Ed

You can use BGP conditional advertisement, only on the R1.

I do not know if the FW supports it, and even if the FW will advertise the 10/8 route, the one advertised from R2 will be preferred.

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml

Dan
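
The shape of the conditional advertisement Dan's link describes, as an added example for R1 (not from this thread or the linked document; neighbor address, AS numbers and the 10.1.0.0/16 "HQ core" tracking prefix are constructed assumptions). The idea is that the 10/8 aggregate is only announced to R2 while a core prefix learned from OSPF area 0 is still present in R1's BGP table, so the aggregate is withdrawn when R1 is cut off from the HQ LAN instead of pulling all remote traffic into the bucket:

```cisco
! R1 (HQ MPLS CE) - constructed example, addresses/ASNs are assumptions
router bgp 65000
 ! Tracking prefix: a real HQ core route that R1 learns via OSPF area 0.
 ! A network statement only enters the BGP table while the prefix
 ! exists in the RIB, so it disappears together with the LAN/OSPF adjacency.
 network 10.1.0.0 mask 255.255.0.0
 ! The summary sent to the remote site (keeps FW2 under its 1030-route limit).
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 192.0.2.2 remote-as 65001
 neighbor 192.0.2.2 description R2 / MPLS side of remote office
 ! Only advertise what ADV-10-8 matches while HQ-CORE-UP finds a match
 ! in the BGP table; otherwise the aggregate is withdrawn from R2.
 neighbor 192.0.2.2 advertise-map ADV-10-8 exist-map HQ-CORE-UP
!
ip prefix-list PL-10-8 seq 5 permit 10.0.0.0/8
ip prefix-list PL-HQ-CORE seq 5 permit 10.1.0.0/16
!
route-map ADV-10-8 permit 10
 match ip address prefix-list PL-10-8
!
route-map HQ-CORE-UP permit 10
 match ip address prefix-list PL-HQ-CORE
```

The condition is re-evaluated by the periodic BGP scanner (every 60 seconds by default), so expect up to a minute before the withdrawal reaches R2; `show ip bgp neighbors 192.0.2.2` shows the advertise-map status as Advertise or Withdraw, which is the thing to check in the lab before trusting the failover.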

Hi Dan,

This document looks promising. I'll dig deeper into it and am sure this will work.

Thanks for your knowledge.

Ed

emartens
Level 1

Hi Dan,

Thanks for the answer.

I'll try it in the lab (next year) and come back to you on this.

Thanks so far and a happy new year.

Ed