IPSEC as Standby Link of MPLS failure

Unanswered Question
Mar 11th, 2009

Hi,


In the data center, all servers are kept behind the FWSM, which is configured in multiple context mode.


The primary links from the DC to the branches are via MPLS, whereas the backup link is IPSEC.


On the Internet router BGP is running, and on the LAN OSPF is running. The Internet terminates on the ASA.


My question is: if MPLS (the primary link) fails, how will branch users reach the DC servers that are behind the FWSM?


Any clue please...

Giuseppe Larosa Wed, 03/11/2009 - 12:46

Hello Partha,

Could you provide a network diagram, possibly in jpeg format?


I understood there is a C6500 with MSFC and FWSM, behind the FWSM are the servers.


There is a LAN segment where the MSFC speaks OSPF with a router and with an ASA.


But then I'm confused:

Do the primary links connect via MPLS to the BGP router, or to ports in the C6500 with MSFC and FWSM?


Or is it

|---- MPLS links===== remote sites

C6500/MSFC --- ASA --- BGP internet router


with the backup VPN tunnels terminated on the ASA?


You probably need to have the ASA speak OSPF with the MSFC to learn about the servers' IP subnets.

The ASA needs to redistribute the backup routes into OSPF to make them available to the C6500 MSFC.


See


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1085954


For the FWSM nothing should change; it is the MSFC supervisor that handles routing to/from the outside world. When one remote site's MPLS link fails, the MSFC tries to use the ASA to reach the remote site subnets and traffic starts to flow over the VPN.


I would use GRE tunnels inside IPSEC if possible; they make IP routing easier.


If this is not possible, see the LAN-to-LAN VPN chapter for the ASA:


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html


Hope to help

Giuseppe


Giuseppe Larosa Thu, 03/12/2009 - 10:01

Hello Partha,

thanks, the diagram allows people to understand your topology.


I think what I proposed in my first post is still valid, because I guessed the right topology:


C6500 --- ASA --- internet router


Hope to help

Giuseppe


acharyr123 Thu, 03/12/2009 - 11:54

So, you suggest running OSPF on the ASA. But the question is how remote users will get access to the DC servers placed behind the FWSM? We can't have any dynamic routing running on the FWSM as it is configured with multiple contexts... Any clue please..

Giuseppe Larosa Thu, 03/12/2009 - 13:23

Hello Partha,

you are right, the solution is not complete.


FWSM/ MSFC routing with multi contexts:



The FWSM needs to have static routes out the outside interface of each context pointing to the MSFC address (using the MSFC IP address as next hop).


The static route can also be a default static route.


You can imagine all the contexts in parallel, with the outside interfaces all connected to the same VLAN and speaking to an SVI (interface vlan 50):


context1 -- outside vlan 50
ip address 10.50.50.7

context2 -- outside vlan 50
ip address 10.50.50.9


The MSFC/supervisor has specific static routes for the server subnets pointing to the correct next hop.


Suppose 10.100.10.0/24 are servers behind context1. On the MSFC:


ip route 10.100.10.0 255.255.255.0 10.50.50.7


You also need to redistribute static routes into OSPF on the MSFC/Sup to make them known to the ASA.


On each context you need:


route outside 0.0.0.0 0.0.0.0 10.50.50.1


We do so in our server farms, with the only difference that we have IS-IS instead of OSPF.


Hope to help

Giuseppe


acharyr123 Sun, 03/15/2009 - 03:33

One more question Giuseppe... Do we need to run OSPF & BGP on the ASA to have this solution work?

Giuseppe Larosa Sun, 03/15/2009 - 04:14

Hello Partha,

OSPF on the ASA should be enough if the BGP Internet router sends an OSPF default route into the LAN segment.

In this way the ASA knows where to send the IPsec packets for the remote sites; it doesn't need the details.

All detailed information about server IP subnets comes from the MSFC on the inside interface.

On the outside interface, running OSPF and learning a default route should be enough.


Hope to help

Giuseppe
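A consolidated sketch of the three-device routing design Giuseppe describes across his posts (MSFC static routes redistributed into OSPF, a static default in each FWSM context, OSPF on the ASA inside and outside), added here as an example and not taken from the thread or from Cisco documentation. The addresses 10.50.50.1, 10.50.50.7 and 10.100.10.0/24 come from the thread; VLAN 60, the 10.60.60.0/24 and 203.0.113.0/24 segments, the ASA interface names and the remote-site prefix 192.168.20.0/24 are placeholders.

```cisco
! --- C6500 MSFC / supervisor ---
interface Vlan50
 description SVI facing the outside interfaces of the FWSM contexts
 ip address 10.50.50.1 255.255.255.0
!
interface Vlan60
 description LAN segment shared with the ASA inside interface (placeholder addressing)
 ip address 10.60.60.1 255.255.255.0
!
! Server subnet behind context1 is reached via that context's outside address
ip route 10.100.10.0 255.255.255.0 10.50.50.7
!
router ospf 1
 network 10.60.60.0 0.0.0.255 area 0
 redistribute static subnets
!
! --- FWSM, configured inside each context (no dynamic routing in multi-context mode) ---
route outside 0.0.0.0 0.0.0.0 10.50.50.1 1
!
! --- ASA: backup IPsec headend between the MSFC and the BGP Internet router ---
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.60.60.2 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Process 1 on the inside: learns the server subnets from the MSFC and advertises
! the remote-site prefixes below as external routes, used only when MPLS is down
router ospf 1
 network 10.60.60.0 255.255.255.0 area 0
 redistribute static subnets
!
! Process 2 on the outside: learns the default route originated by the BGP Internet router
router ospf 2
 network 203.0.113.0 255.255.255.0 area 0
!
! Placeholder remote-site prefix reached through the IPsec tunnel; the tunnel itself
! (IKE policy, crypto map, tunnel-group) follows the site-to-site chapter linked earlier
route outside 192.168.20.0 255.255.255.0 203.0.113.1 1
```

Failover on the MSFC relies on the primary MPLS routes to the remote sites being preferred over the OSPF external routes the ASA injects (administrative distance, e.g. eBGP 20 against OSPF 110), so check show ip route for the remote prefixes with the MPLS link up and again with it down.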


acharyr123 Sun, 03/15/2009 - 21:45

Hi,


You said to keep the same VLAN instance on the outside interface of each context. To achieve such a topology, we need to NAT within the contexts for packet flow from one context to another. But as per our requirement, we can't do NAT in the contexts, as the application demands....


So, any alternate idea?

Giuseppe Larosa Mon, 03/16/2009 - 00:20

Hello Partha,

I've given you an example of how to perform FWSM multi-context to MSFC routing.


I used this because we have several server farms configured in this way.


You can put the outside interfaces of the different contexts in different VLANs if you need to; the basic idea is that the outside (or the inside) of a context needs to have an MSFC SVI (VLAN) address as the next hop for its static routes.


See the chapter about multiple contexts in the FWSM 3.2 guide:


http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html
Hope to help

Giuseppe

