BGP/MPLS, HSRP and Internet IPSec redundency route

Unanswered Question
May 7th, 2007

Greetings,

I have a design question regarding BGP/MPLS, HSRP and EIGRP. Here is a description of the design:

R1 will be the default route, connecting to the MPLS network using BGP, for everything except Internet traffic.

R2 will carry the Internet traffic and be the backup route, using IPSec over a T1 to the Internet.

R3 E0 will be on the same subnet as E1 of R1 and E1 of R2, and R3 E1 will be on the LAN subnet.

If R1 goes down, all traffic will be rerouted via R2. If R2 goes down, all internet (port 80 and 443) traffic will be rerouted via R1.

=======

hostname R1
!
interface FastEthernet0
 description uplink to MPLS network
!
interface FastEthernet1
 ip address 10.10.2.2 255.255.255.0
 standby 1 ip 10.10.2.1
 standby 1 preempt
 standby 1 priority 105
 standby 1 timers 5 15
 standby 1 track FastEthernet0
!
router bgp 500
 network 10.10.2.0 mask 255.255.255.0
 network x.x.x.x
 redistribute eigrp 300 route-map NextHop
 neighbor x.x.x.x filter-list 10 out
!
ip as-path access-list 10 permit ^$
!
route-map NextHop permit 10
 set ip next-hop 10.10.2.2 10.10.2.3

=======

hostname R2
!
interface FastEthernet0
 description uplink to internet
!
interface FastEthernet1
 ip address 10.10.2.3 255.255.255.0
 standby 1 ip 10.10.2.1
 standby 1 preempt
 standby 1 priority 100
 standby 1 timers 5 15
 standby 1 track FastEthernet0
!
router eigrp 300
 network 10.10.2.0 0.0.0.255
 network x.x.x.x
 redistribute bgp 500 route-map NextHop

======

hostname R3
!
interface FastEthernet0
 ip address 10.10.2.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
interface FastEthernet1
 ip address 172.16.2.1 255.255.254.0
 ip access-group FilterToInternet out
!
ip access-list extended FilterToInternet
 permit tcp 172.16.2.0 0.0.1.255 any eq www
 permit tcp 172.16.2.0 0.0.1.255 any eq 443

==========

I am a little bit confused about how to set up the route-map and ACL to direct the traffic according to this routing policy. Could someone please help?

Thanks,

Perry

bjornarsb Tue, 05/08/2007 - 01:43

Hi,

To make this work you need to receive a default route to Internet on both R1 and R2.

In this case the route to Internet on R1 should have a higher cost than the route received on R2.

So if you want to block everything except www and 443, your ACL should not be applied on fastethernet 1 on R3, at least not in that direction. Do you want to deny traffic when R2 is active?

So, depending on how your MPLS provider offers Internet, you also need some sort of NAT if your LAN is from the private range (RFC 1918).

HTH

Regards,

Bjornarsb
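As an added example (this is not from Perry's post or bjornarsb's reply), one way to get the behaviour Perry describes without the BGP/EIGRP redistribution route-map: two HSRP groups on the shared 10.10.2.0/24 segment and policy routing on R3. Group 1 (10.10.2.1) is normally active on R1 and is R3's default gateway; group 2 (10.10.2.5) is normally active on R2 and is the next hop R3 policy-routes TCP 80/443 to. Each router tracks its own uplink, so losing R1's MPLS link hands group 1 to R2 (everything goes out the IPSec/T1 path), and losing R2's Internet link hands group 2 to R1 (web traffic goes out via MPLS). The second virtual address 10.10.2.5, the decrement value 10 and the names WEB-FROM-LAN and INTERNET-VIA-R2 are assumptions chosen for this example.

```ios
! --- R1: normally active for group 1 (default), standby for group 2 (web)
hostname R1
!
interface FastEthernet0
 description uplink to MPLS network
!
interface FastEthernet1
 ip address 10.10.2.2 255.255.255.0
 standby 1 ip 10.10.2.1
 standby 1 priority 105
 standby 1 preempt
 standby 1 track FastEthernet0 10
 standby 2 ip 10.10.2.5
 standby 2 priority 100
 standby 2 preempt
!
! --- R2: normally active for group 2 (web), standby for group 1 (default)
hostname R2
!
interface FastEthernet0
 description uplink to internet
!
interface FastEthernet1
 ip address 10.10.2.3 255.255.255.0
 standby 1 ip 10.10.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 2 ip 10.10.2.5
 standby 2 priority 105
 standby 2 preempt
 standby 2 track FastEthernet0 10
!
! --- R3: default to group 1, policy-route web traffic to group 2
hostname R3
!
! Matches only TCP 80/443 sourced from the LAN; used to select traffic,
! not to filter it.
ip access-list extended WEB-FROM-LAN
 permit tcp 172.16.2.0 0.0.1.255 any eq www
 permit tcp 172.16.2.0 0.0.1.255 any eq 443
!
! Everything not matched by sequence 10 falls through to normal routing.
route-map INTERNET-VIA-R2 permit 10
 match ip address WEB-FROM-LAN
 set ip next-hop 10.10.2.5
!
interface FastEthernet0
 ip address 10.10.2.4 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! PBR is evaluated on packets arriving from the LAN, i.e. the direction
! the posted outbound ACL on this interface never saw.
interface FastEthernet1
 ip address 172.16.2.1 255.255.254.0
 ip policy route-map INTERNET-VIA-R2
!
ip route 0.0.0.0 0.0.0.0 10.10.2.1
```

Because `set ip next-hop` points at a virtual address, R3 does not need to know which physical router is alive; `show standby brief` on R1 and R2 shows which one currently owns each group, and `show route-map INTERNET-VIA-R2` on R3 shows the policy-routed packet count. What this does not provide, and what bjornarsb's reply points out is still required: R1 needs a route to the Internet from the MPLS provider (with a worse cost than R2's) for the case where R2 is down, R2 needs routes to the MPLS-reachable sites across the IPSec tunnel for the case where R1 is down, and whichever router is the Internet exit has to NAT the 172.16.2.0/23 LAN.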
