Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
612
Views
0
Helpful
1
Replies

BGP/MPLS, HSRP and Internet IPSec redundency route

gpan667788
Level 1
Level 1

‎05-07-2007 12:02 PM - edited ‎03-03-2019 04:52 PM

Greeting,

I have a design question regarding BGP/MPLS, HSRP and EIGRP. Here is a description of the design:

R1 will be the default route connects to MPLS network using BGP but except internet traffic.

R2 will be internet traffic and backup route using IPSec/T1 to internet.

R3 E0 will be same subnet as E1 of R1 and E1 of R2. And R3 E1 will be LAN subnet.

If R1 goes down, all traffic will be rerouted via R2. If R2 goes down, all internet (port 80 and 443) traffic will be rerouted via R1.

=======

hostname R1

!

interface fas 0

description uplink to MPLS network

!

interface fas 1

ip address 10.10.2.2 255.255.255.0

standby 1 ip 10.10.2.1

standby 1 preempt

standby 1 priority 105

standby 1 timers 5 15

standby 1 track fast 0

!

router bgp 500

network 10.10.2.0

network x.x.x.x

redistruibute eigrp 300 route-map NextHop

neighbor x.x.x.x filter-list 10 out

!

Ip as-path access-list 10 permit ^$

!

Route-map NextHop permit 10

Set ip next-hop 10.10.2.2 10.10.2.3

=======

hostname RouterB

!

interface fas 0

description uplink to internet

!

interface fas 1

ip address 10.10.2.3 255.255.255.0

standby 1 ip 10.10.2.1

standby 1 preempt

standby 1 priority 100

standby 1 timers 5 15

standby 1 track fast 0

!

router eigrp 300

network 10.10.2.0

network x.x.x.x

redistruibute bgp 500 route-map NextHop

======

Hostname R3

!

interface fasethernet0

ip address 10.10.2.4 255.255.255.0

no ip redirects

no ip proxy-arp

!

interface fastethernet 1

ip address 172.16.2.1 255.255.254.0

access-group FilterToInternet Out

!

Ip access-list extended FilterToInternet

Permit tcp 172.16.2.0 0.0.1.255 any eq www

Permit tcp 172.16.2.0 0.0.1.255 any eq 443

==========

I am a little bit confuse of setup route-map and ACL to direct the traffic according to the routing policy. Could someone please help?

Thanks,

Perry

Labels:
0 Helpful
1 Reply 1

bjornarsb
Level 4
Level 4

‎05-08-2007 01:43 AM

Hi,

To make this work you need to receive a default route to Internet on both R1 and R2.

In this case the route to Internet on R1 should have a higher cost than the route received on R2.

So if you want to block everything except www and 443 your ACL should not be applied on fastethernet 1 on R3. At least not in that direction. Do you want to deny traffic when the R2 i active ?

So based on how your MPLS provider offer Internet you also need som sort of NAT if your LAN is from the private range (RFC 1918).

HTH

Regards,

Bjornarsb

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card