Routing and HSRP

jayamistry
Level 1

We are currently using Nortel Contivity VPN devices between London and International Offices.

Unfortunately the Service Provider has let us down countless times and we are now putting in a leased line between one of the branch offices and London.

The attached diagram shows the setup we will have. There is no dynamic routing protocol running in the international branch offices.

The London Office has OSPF running on the LAN between its London sites.

The VPN devices are running a meshed configuration using RIP and secure tunnels between each of the offices.

All the internet traffic from International offices comes into London.

Obviously implementing the leased line would mean that any traffic destined for other international offices would have to go via London.

Questions:

1. We are running OSPF on the London LAN. What issues will we have if we run OSPF on the Cisco router in the branch office, or is it best to make it a point-to-point link and redistribute statics into OSPF once in London?

2. The question is which link do we make primary, the leased or the Nortel VPN connection? Not sure how to measure the traffic going from the branch to other internal offices.

3. Can HSRP be implemented? Not sure if the Nortels do HSRP.

4. Does anyone have a sample configuration for the 2600 in this scenario?

26 Replies

lamav
Level 8

Hi:

1. In a scenario such as yours, in which you have one branch office router directly connected on a P2P link to a core router, you can indeed use a static route at both ends and redistribute that static into OSPF at the core and be done with it.

Of course, some seasoned routing professionals may go ballistic when they hear "static." :-) But the truth is that it is an option.

Now, it also depends on the future network topology and business requirements of your organization and whether you want to incorporate redundancy at the core, WAN load balancing, injection of external routes from the branch ends into the core, etc. If so, you may come to the conclusion in the future that placing all your branch offices in an OSPF stub area or NSSA (if you want to inject external routes into the OSPF domain), and deploying a dynamic load sharing and redundancy scheme with multiple WAN routers at your WAN edge may be the way to go.

2. You have to first analyze the traffic load on the link and take into consideration the bandwidth of the leased line you are going to buy. The advantage of the leased line is that it offers data privacy and integrity without all the overhead of running a VPN connection. A P2P link is also an appropriate primary link if the traffic load from the remote site is constant and substantial.

3. HSRP is a first hop/default gateway redundancy mechanism. Where are you planning on running HSRP? HSRP is also Cisco proprietary, so, no, other vendors do not support HSRP.

4. What kind of sample configuration are you looking for? The P2P link with the static route? Dynamic routing?

HTH

Victor

Joseph W. Doherty
Hall of Fame

3) As Victor notes, HSRP is proprietary, so very doubtful Nortel can do it (or the newer GLBP). However, VRRP might be an option.

Without VRRP, you could consider using a proxy gateway to maintain host outbound redundancy. Other issues arise using it.

2) Depending on routing options between Nortel VPN and Cisco, you might even be able to control how the leased line is used relative to VPN. I.e., doesn't have to be an all or nothing deal, although could get rather complex.

Don't know what traffic analysis Nortel VPN offers, but if they supported something similar to Cisco's Netflow, you could compile a picture of how much and where your traffic flows.

This would be an option if you initially force all traffic to take the leased line where you could obtain this information from either Cisco router. With it in hand, you could decide whether the effort is warranted to prefer the VPN for some traffic destinations.

(You didn't mention where the remote office is relative to London and other international offices. Generally, if close to London, probably little loss to transit London, but if far from London, VPN might be considerably better for some other destinations. Also not mentioned is relative bandwidths.)

1) You could do either static or OSPF. The real issue is more how you redistribute routes to/from the remote office, via London OSPF and VPN RIP; and between the Cisco router and Nortel VPN at the remote office, especially if you intend to be able to continue to use the VPN at the remote office with the new leased line.

Since it appears the Nortel VPN boxes support OSPF, there might be benefit to extending OSPF not only across the leased line, but also between the remote Cisco router and Nortel VPN. Still questions about redistribution.

[edit]

PS:

It might help you understand my response to question #1, to visualize your remote office, by extending OSPF across the WAN link, logically the remote office would become somewhat like Sites A and B, routed on one side with OSPF, and also connected to the RIP VPN mesh. (I.e. imagine the 2600s and WAN links were just a LAN link to the Nortel VPN.)

"Since it appears the Nortel VPN boxes support OSPF, there might be benefit to extending OSPF not only across the leased line, but also between the remote Cisco router and Nortel VPN. Still questions about redistribution."

I wouldn't incorporate the VPN box into the OSPF domain. Nortel's implementation of OSPF is different than Cisco's and doing so would introduce unnecessary complexity with little benefit. Static routes for VPN when used as a failover are much more sensible.

Victor

1. I think OSPF would be good to configure on the Cisco router but not too sure on the Nortel and what effect it will have, especially for Nortel as it's running RIP between the tunnels.

Also how will routing be affected in London if one of the links fails at the branch?

P2P would be the last resort.

Load sharing is not something we want to implement.

2. I have SNMP configured on the Nortels but is not giving any info for the tunnels :(

Branch office is in Paris, other offices are in ME.

3. Redundancy with VRRP would be good as mentioned by Joseph, although I am not sure if it does interface tracking as I haven't used it before. Does it?

4. Both sample configurations would be good, Victor!

Jay

1. "1. I think OSPF would be good to configure on the Cisco router but not too sure on the Nortel and what effect it will have, especially for Nortel as it's running RIP between the tunnels."

I agree. Adhere to the KISS principle. :-)

"Also how will routing be affected in London if one of the links fails at the branch?"

Of course, if you lose your OSPF P2P link, if you are running VRRP between the Nortel and the Cisco branch router, the traffic will default to the Nortel.

3. "Redundancy with VRRP would be good as mentioned by Joseph, although I am not sure if it does interface tracking as I haven't used it before. Does it?"

Yes, it does. It's called "object tracking."

PLEASE rate my posts if they have been helpful.

Thanks kindly

Victor

Victor,

Is there object tracking on Nortel ? I know Cisco do it ?

Do you have sample config ?

Thanks !

I have attached an OSPF diagram

attached now..

Nortel's implementation of VRRP SHOULD include object tracking, since this is an open standard, not proprietary. Sometimes there is a nuanced difference between the way different vendors implement an open standard, but general features should exist. Otherwise, they are simply not conforming to the standard.

I don't have any of your active configs for the core side (Area 0) that face the international "spoke" router. But suffice it to say that the configs would be pretty straightforward.

Let's assume -- rather arbitrarily for example purposes -- that your IP address range for your international sites is within the 10.136.0.0 255.255.255.0 range and that you create an NSSA area known as Area 32 with secure routing (authentication) for all international sites.

You can configure your core router for something along the lines of...

    interface ATM3/0
     description DS3_For_International_Sites
     mtu 1500
     no ip address
     load-interval 30
     atm lbo long
     no atm ilmi-keepalive
    !
    interface ATM3/0.1 point-to-point
     description To_Dubai_Site
     bandwidth 1544
     ip address 10.136.0.6 255.255.255.252
     ip ospf message-digest-key 172 md5 Dubai
     vbr-nrt 1905 1905 1
     tx-ring-limit 7
     oam-pvc manage
     encapsulation aal5snap
    !
    router ospf 2004
     router-id 10.136.x.x
     log-adjacency-changes
     area 32 authentication message-digest
     area 32 nssa no-summary
     network 10.136.0.4 0.0.0.3 area 32

Then you have the Dubai Router:

    interface Serial0/0
     description To_London_Core_Router
     no ip address
     encapsulation frame-relay IETF
     no fair-queue
     no arp frame-relay
     no frame-relay inverse-arp
    !
    interface Serial0/0.1 point-to-point
     description To_London_Core_Router
     bandwidth 1544
     ip address 10.136.0.5 255.255.255.252
     ip ospf message-digest-key 172 md5 Dubai
     frame-relay interface-dlci 52
    !
    router ospf 2004
     router-id 10.136.0.1
     log-adjacency-changes
     area 32 authentication message-digest
     area 32 nssa no-summary
     network 10.136.0.4 0.0.0.3 area 32

This is a typical FRF.8 implementation: ATM on the core and Frame Relay at the spoke. Of course the core router will have a connection to Area 0 and will indeed be your ABR for NSSA 32.

This is just one way to do it. You can go with an MPLS cloud in between the core and remote sites, etc. I'm just giving you a sample config.

HTH

Please rate my post if you found it helpful.

Victor

Thanks Victor for the sample config. I will review and may come back with more questions if that's OK?

Regarding the question of OSPF and Nortels, how are the Nortels known to OSPF that are attached to London's Site A and Site B? In other words, how does the OSPF domain know about Moscow, Paris and Dubai, and they know about London and its two tunnel connections?

My thinking was you make Paris much like Site A or B. Either it becomes part of Site A OSPF area or it could become a new area with a virtual link to area 0.

Joseph:

"Either it becomes part of Site A OSPF area or it could become a new area with a virtual link to area 0."

You never want to create a virtual link to OSPF Area 0 as a permanent solution or as part of a permanent design! That's a very poor design and is also highly discouraged by Cisco.

The VPN sites are configured with two IPSec tunnels, one terminated at Site B (primary) and one at Site A (backup). Sorry labeled wrong on diagram.

The Nortel Contivity advertises the remote VPN sites using RIP v2. The Services switch located at Site A and one at site B are configured to perform mutual redistribution between RIP and OSPF routing protocols to ensure full reachability between sites.

jay:

More questions are fine
