12-04-2008 01:33 PM - edited 03-04-2019 12:36 AM
My company is using the Verizon Business MPLS infrastructure to connect our sites together. Currently, each site has its own firewall and Internet connection and things are working fine. However, at a couple of sites, we want to remove the FW and Internet connection and route all traffic across the MPLS network to our data center and out to the Internet from there. The remaining sites will continue to use their existing Internet connections.
I am currently using OSPF as my IGP and successfully redistributing (via route maps) network to/from BGP. Also, I currently have a static default route that points to the firewall. This needs to go away and send everything over the MPLS network.
I guess the question is, what is the best way to advertise a default route to selected sites so that they get routed across the MPLS network?
Here is a sample config from my data center router...
router ospf 6500
log-adjacency-changes
redistribute bgp 6500 subnets route-map Allow_from_BGP
network <data center internal network> area 0
!
router bgp 6500
no synchronization
bgp log-neighbor-changes
redistribute ospf 6500 route-map Allow_into_BGP
neighbor <Verizon Router> remote-as 65000
no auto-summary
12-04-2008 01:43 PM
hello Cory,
it is easy to advertise the default route to all the sites from one site.
The ones without the static default route will use it. (use an AD < 20 for the static default route to be preferred over the eBGP one)
You need to modify NAT at central site accordingly
Hope to help
Giuseppe
12-04-2008 02:56 PM
so, just use the neighbor {ip address} default-originate command?
12-04-2008 03:15 PM
Yes, advertise this from the central site BGP router. At any site you want to use this route, remove the local static route from within the site.
Sites which you don't want to use this route from BGP should keep their local static route. Make sure that the local static route has a lower AD than the BGP one that is redistributed into OSPF. It should do, but I can't say for sure without knowing each site's full topology.
Jon
12-04-2008 07:53 PM
I think I may need to clarify a bit...and include configs from the data center side, and a remote site...
Our data center is hosted at a large facility in Atlanta. Our connection is dropped off as Ethernet which goes into our ASA firewall. The firewall internal interface then connects to a small subnet that also contains our core 4507 switch (which provides routing for all other local networks) and finally our 3845 router that connects to Verizon's MPLS network that provides connectivity to our other sites. The ASA, 4507, and 3845 are all running OSPF and are internal to our network. The 4507 has a static default route that points to the firewall. This static default route is redistributed into OSPF and shows correctly on the MPLS router as:
O*E2 0.0.0.0/0 [110/1] via 100.100.8.5, 00:09:52, GigabitEthernet0/0
What I'm trying to do is get a couple of remote sites to use this default route to send traffic across the MPLS network to the data center, then up and out through the firewall. The router running BGP is not our internet router. It simply connects to Verizon's MPLS cloud for remote site connectivity.
Here is the important info from the 4507 in the data center
router ospf 6500
log-adjacency-changes
redistribute static subnets
network 100.100.0.0 0.0.255.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 100.100.8.5 - sends traffic to the FW.
Here is the important info from the MPLS router in the data center (again, this is not our Internet router...all internet traffic is routed to and out the ASA and handed off to our hosting service)
router ospf 6500
log-adjacency-changes
redistribute bgp 6500 subnets route-map Allow_from_BGP
network 100.100.0.0 0.0.255.255 area 0
!
router bgp 6500
no synchronization
bgp log-neighbor-changes
redistribute ospf 6500 route-map Allow_via_BGP
neighbor 152.164.204.29 remote-as 65000
no auto-summary
The remote sites pretty much have the same setup. Currently, they each have their own Internet connection, a firewall, a core router/l3 switch, and the MPLS router to connect to Verizon. Again the MPLS connection is internal to our network. So the branch configs look like this...
Branch core internal router
router ospf 6500
log-adjacency-changes
redistribute static subnets
network 100.200.0.0 0.0.255.255 area 0
default-information originate
!
ip route 0.0.0.0 0.0.0.0 100.200.8.5 - sends traffic to the local branch FW.
Branch MPLS router
router ospf 6500
log-adjacency-changes
redistribute bgp 6500 subnets route-map Allow_from_BGP
network 100.200.0.0 0.0.255.255 area 0
!
router bgp 6500
no synchronization
bgp log-neighbor-changes
redistribute ospf 6500 route-map Allow_via_BGP
neighbor 152.164.204.13 remote-as 65000
no auto-summary
So what I'm trying to do is get rid of the current static default route:
ip route 0.0.0.0 0.0.0.0 100.200.8.5
and replace it with a learned route from the data center so that all traffic is routed to the data center and out the Internet connection there. The local Internet connection at a couple of our sites is going away and I want to send the traffic to the data center via the MPLS network.
Please let me know if you need further clarification...
TIA!
12-05-2008 01:02 AM
Hello Cory,
your topology is more complex than what I had supposed in my first post.
However, it is still possible to implement it.
Central site
Internal Router ---|---- MPLS router
FW
remote site
MPLS router ---- |--- Internal router
[FW] to be dismissed
the MPLS router on central site has to inject a default route on the eBGP session towards SP PE node.
The SP signalling plane will propagate the default route to all other sites that are in the same L3 VPN.
The branch MPLS router has to accept the default route over the eBGP session and to redistribute it inside OSPF, or to generate an OSPF default route conditioned on the presence of an eBGP 0.0.0.0 prefix with a specific BGP next-hop.
This external OSPF default route has to be the preferred one.
Because OSPF O E1 routes are preferred over O E2 routes, you could make the branch MPLS router generate a type E1 default route.
on the branch
ip prefix-list only-default permit 0.0.0.0/0
access-list 11 permit host branch.PE.ipaddress
!
route-map check_ebgp_default permit 10
 match ip next-hop 11
 match ip address prefix-list only-default
!
router ospf 6500
 default-information originate metric-type 1 route-map check_ebgp_default
or simply
router ospf 6500
 default-information originate metric-type 1
on the branch datacenter router
remove the ip route 0.0.0.0 0.0.0.0 100.200.8.5
remove inside ospf process 6500
default-information originate
OR
replace the default static route with a floating static route (if you want to keep it for backup)
ip route 0.0.0.0 0.0.0.0 100.200.8.5 150
the default route injected by the branch MPLS router should be preferred for its lower AD.
Hope to help
Giuseppe
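The pieces the thread converges on (Jon's "default-originate from the central BGP router" and Giuseppe's conditional E1 default at the branch plus the floating static on the branch core router) written out as one complete configuration. This is an added example, not a participant's own config. It reuses the addresses, AS numbers and route-map names already in the thread; the route-map names ONLY-DEFAULT, DEFAULT-IF-PRESENT and CHECK-EBGP-DEFAULT are mine, and the conditional route-map on the central default-originate is an assumption that goes one step beyond the plain command discussed above (it stops sending the default to the branches if the data center itself loses its OSPF default toward the ASA).

```ios
! ===== Central site: MPLS router (3845) =====
! Assumes the OSPF E2 default from the 4507 (via 100.100.8.5) is in this
! router's RIB, as the "show ip route" line quoted in the thread confirms.
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
!
! Advertise a default to the PE only while a default exists in the local RIB
! (conditional form of default-originate; drop the route-map for the plain form).
route-map DEFAULT-IF-PRESENT permit 10
 match ip address prefix-list ONLY-DEFAULT
!
router bgp 6500
 no synchronization
 bgp log-neighbor-changes
 redistribute ospf 6500 route-map Allow_via_BGP
 neighbor 152.164.204.29 remote-as 65000
 neighbor 152.164.204.29 default-originate route-map DEFAULT-IF-PRESENT
 no auto-summary
!
! ===== Branch that is losing its Internet link: MPLS router =====
! The eBGP default now arrives from the PE; 152.164.204.13 is the branch's
! existing BGP neighbor, so it is also the next hop of that default.
ip prefix-list ONLY-DEFAULT seq 5 permit 0.0.0.0/0
access-list 11 permit host 152.164.204.13
!
route-map CHECK-EBGP-DEFAULT permit 10
 match ip next-hop 11
 match ip address prefix-list ONLY-DEFAULT
!
router ospf 6500
 log-adjacency-changes
 redistribute bgp 6500 subnets route-map Allow_from_BGP
 network 100.200.0.0 0.0.255.255 area 0
 ! E1 so this default beats any leftover E2 default at the site. Without the
 ! "always" keyword it is withdrawn as soon as the eBGP 0.0.0.0/0 via the PE
 ! leaves the RIB, so a dead MPLS link does not keep attracting traffic.
 default-information originate metric-type 1 route-map CHECK-EBGP-DEFAULT
!
! ===== Same branch: core / internal router =====
router ospf 6500
 log-adjacency-changes
 redistribute static subnets
 network 100.200.0.0 0.0.255.255 area 0
 no default-information originate
!
no ip route 0.0.0.0 0.0.0.0 100.200.8.5
! Optional while the local firewall still exists: floating static with AD 150,
! which loses to the OSPF E1 default (AD 110) until the MPLS default disappears.
ip route 0.0.0.0 0.0.0.0 100.200.8.5 150
!
! ===== Verification =====
! Branch MPLS router, expect  B* 0.0.0.0/0 [20/0] via 152.164.204.13 :
!   show ip bgp 0.0.0.0/0
!   show ip route 0.0.0.0
! Branch core router, expect an O*E1 0.0.0.0/0 pointing at the MPLS router:
!   show ip route 0.0.0.0
!   show ip ospf database external 0.0.0.0
```

Apply the branch MPLS-router part only at the sites that should use the central Internet. At a site that keeps its own firewall, the core router's static default (AD 1) still wins locally, but an E1 default injected by that site's MPLS router would be preferred over the core router's E2 default on every other OSPF router at the site, silently pulling their Internet traffic across the MPLS cloud. Remember also Giuseppe's first-post note: the central ASA's NAT must cover the branch subnets that now exit there.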