12-30-2010 02:13 AM - edited 03-06-2019 02:45 PM
Because a picture tells more than a thousand words, herewith a part of our network topology (IPs are not valid, just an example).
The picture is how the network is configured currently, except for the VPN tunnel.
How it works currently: the Remote Office (RO) network traffic is as follows: all corporate traffic goes over the MPLS cloud and for the internet it breaks out locally at FW 2.
What we have:
The HQ is a large network with more than thousand network routes.
The routers (router 1 and router 2) are managed routers, so we have influence but the service provider will do the job and decides if the suggested config will be applied. Both are Cisco devices.
The firewalls we configure ourselves, both Junipers. FW 1 is an SSG320M and FW 2 an SSG20.
The L3 switch is a Cisco 3750 with IP Base 12.2.50 or newer software, so it supports OSPF.
What we want:
What we want is to create redundancy for the WAN.
From the RO view all traffic still must go over the MPLS, this because of VoIP.
In case of a problem within the MPLS, we would like to route over the IPSec tunnel.
Design Limitations:
The preferred routing protocols are OSPF and BGP.
There is a technical limitation in FW2, it supports max. 1030 routes in the table, so summary/aggregation is mandatory.
The L3 switch does not support BGP but it supports OSPF.
Tested:
The things I have tested are the following:
1) FW1, FW2, Switch and Router 2 in an AREA 2 NSSA.
Conclusion: The L3 switch routing will go over FW2 and Router 2, because some routes are original OSPF and others are externals. The switch relies on the preference sequence OSPF intra, inter, external 1 and external 2. (http://www.cisco.com/en/US/tech/tk365/technologies_q_and_a_item09186a0080094704.shtml#q13)
It is possible that traffic arrives over the FW and leaves via router 2. Stateful FWs don't like this.
2) FW1 and FW2 with BGP routing.
Between FW1 and FW2 BGP routing, and FW2, Router 2 and L3 switch in OSPF AREA 2 NSSA.
Did an aggregate on Router 1 and FW1. However when FW1 lost connection with OSPF area 0 the routing table didn’t switch back to MPLS. FW1 still aggregates the routes to FW2.
Does anyone have an idea how this is solvable?
Thanks in advance.
Ed Martens
martens.ed [ add ] gmail [ dot ] com
12-30-2010 02:51 AM
Hi,
Huff, you have put in more matter; as you said, the picture gives some good ideas rather than the matter.
What I understand is you have HQ and Remote sites, both are connected through MPLS & Internet.
BGP running on MPLS and OSPF running on IPSec tunnel over Internet.
You want to achieve that if the MPLS link is down the route to the Remote site should automatically go through the IPSec tunnel over Internet.
In any case the primary path will take over MPLS because of the BGP as per its AD; until you have configured additional stuff it won't go through IPSec because of the OSPF AD.
Is that above correct and making sense what I understand?
Regards,
Naidu.
12-30-2010 03:39 AM
Currently there is no IPSec tunnel. We want to have it.
I have problems to get the routing correct.
What I want is all corporate routes over the MPLS and internet over the FW.
In case of problems with MPLS the corporate route over the IPSec
Thanks,
Ed
12-30-2010 03:00 AM
Hi Ed ,
2) "However when FW1 lost connection with OSPF area 0 the routing table didn’t switch back to MPLS. FW1 still aggregates the routes to FW2."
Should this link be the backup link ?
"In case of a problem within the MPLS, we would like to route over the IPSec tunnel."
Dan
12-30-2010 03:39 AM
Yes the IPSec needs to be backup.
But as in config 2 the routing switch between MPLS and IPSec did not go smoothly.
It stays on the same path even after an interruption has occurred. This was due to the aggregation.
Thanks,
Ed
12-30-2010 03:47 AM
Ed ,
What aggregation are you talking about, the aggregation of the routes advertised from the remote site ?
Dan
12-30-2010 04:06 AM
Hi Dan,
No, Aggregation was done on FW 1 and router 1.
This was to summarize "all" 10.0.0.0/8 networks into one route entry, to minimize the routing table.
Ed
12-30-2010 04:14 AM
Ed,
Ok. So if I understood well, from HQ you advertise 10/8 to the remote site.
From the remote site you advertise the branch subnet.
Do you/ISP change the cost and the metric-type of the routes from BGP to OSPF?
The cost (on both ends HQ/Branch) of the 10/8 respectively branch route should be lower from MPLS than from Firewalls.
Also the aggregate is also advertised in OSPF area 0 of HQ ?
Dan
12-30-2010 05:07 AM
Hi Dan,
This can be arranged;
however when I aggregate on router 1 it is OK.
But when the router is disconnected from the LAN at HQ it still keeps advertising the aggregate to router 2. So all traffic goes into the bucket.
When I don't aggregate all works fine and routing will be over the tunnel and back when come up again.
Ed
12-30-2010 05:16 AM
You can use BGP conditional advertisement, only on the R1.
I do not know if the FW supports it, and even if the FW will advertise the 10/8 route the one advertised from R2 will be preferred.
http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a0080094309.shtml
Dan
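As an added illustration of Dan's suggestion (this is not config from Dan, Ed or the linked document), here is what BGP conditional advertisement on Router 1 could look like for the 10/8 summary. AS numbers, neighbor address, the 10.10.10.0/24 "canary" prefix and all map names are constructed placeholders; the idea is that the summary is only advertised towards Router 2 while a prefix that R1 can only learn from OSPF area 0 is present in its BGP table.

```cisco
! Added example, not the original poster's configuration.
! Router 1 (HQ side, Cisco IOS). All addresses/names are constructed.
!
! Canary: an HQ LAN subnet reachable only via OSPF area 0 (assumed 10.10.10.0/24).
ip prefix-list HQ-CANARY seq 5 permit 10.10.10.0/24
! The summary that is currently advertised unconditionally.
ip prefix-list HQ-SUMMARY seq 5 permit 10.0.0.0/8
!
! exist-map: condition that must be true for the summary to be advertised.
route-map EXIST-HQ permit 10
 match ip address prefix-list HQ-CANARY
!
! advertise-map: which routes are subject to the condition.
route-map ADV-SUMMARY permit 10
 match ip address prefix-list HQ-SUMMARY
!
router bgp 65001
 ! Put the OSPF-learned HQ routes into the BGP table so the canary can be tracked;
 ! summary-only keeps the individual /24s from reaching FW2's small route table.
 redistribute ospf 1 match internal
 aggregate-address 10.0.0.0 255.0.0.0 summary-only
 neighbor 192.0.2.2 remote-as 65002
 ! Advertise 10/8 to Router 2 only while the canary exists. When R1 loses area 0
 ! the canary is withdrawn, so is the summary, and the RO falls back to the tunnel.
 neighbor 192.0.2.2 advertise-map ADV-SUMMARY exist-map EXIST-HQ
```

The advertise/withdraw state can be checked with `show ip bgp neighbors 192.0.2.2 | include Condition-map`; the aggregate itself keeps existing as long as any 10.x component (such as R1's own LAN interface) is in the BGP table, which is exactly why the condition has to track a far-side prefix rather than the summary.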
01-04-2011 02:26 AM
Hi Dan,
This document looks promising. I'll dig deeper into it and am sure this will work.
Thanks for your knowledge.
Ed
12-30-2010 05:40 AM
Hi Dan,
Thanks for the answer.
I'll try it in the lab (next year) and come back to you on this.
Thanks so far and a happy new year.
Ed