IPSEC as Standby Link of MPLS failure

acharyr123
Level 3

Hi,

In the data center, all servers are kept behind an FWSM which is configured in multiple context mode.

Primary links with branches from the DC are via MPLS, whereas the backup link is IPsec.

In the Internet router BGP is running, and in the LAN OSPF is running. The Internet is terminating into the ASA.

My question is: if MPLS (the primary link) fails, how will branch users reach the DC servers that are behind the FWSM?

Any clue please...

10 Replies

Giuseppe Larosa
Hall of Fame

Hello Partha,

May you provide a network diagram, possibly in JPEG format?

I understood there is a C6500 with MSFC and FWSM, behind the FWSM are the servers.

There is a LAN segment where the MSFC speaks OSPF with a router and with an ASA.

But then I'm confused:

Do the primary links connect via MPLS to the BGP router, or to ports in the C6500 with MSFC and FWSM?

or it is

|---- MPLS links===== remote sites

C6500/MSFC --- ASA --- BGP internet router

with the backup VPN tunnels terminated on the ASA?

You probably need to have the ASA speak OSPF with the MSFC to learn about the servers' IP subnets.

The ASA needs to redistribute the backup routes into OSPF to make them available to use to the C6500 MSFC.

see

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1085954

For the FWSM nothing should change; it is the MSFC supervisor that handles routing to/from the outside world. When one remote site's MPLS link fails, the MSFC tries to use the ASA to reach the remote site subnets, and traffic starts to flow over the VPN.

I would use GRE tunnels inside IPsec if possible; they make IP routing easier.

If this is not possible, see the LAN-to-LAN VPN chapter for the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html

Hope to help

Giuseppe

Hello,

Please find a sample diagram of the network.

If you still have a doubt, please revert.

Hello Partha,

Thanks, the diagram allows people to understand your topology.

I think what I proposed in the first post is still valid, because I guessed the right topology:

C6500 --- ASA --- internet router

Hope to help

Giuseppe

So, you suggest running OSPF on the ASA. But the question is how remote users will get access to the DC servers placed behind the FWSM? We can't have any dynamic routing running on the FWSM as it is configured with multiple contexts... Any clue please...

Hello Partha,

You are right, the solution is not complete.

FWSM/ MSFC routing with multi contexts:

The FWSM needs to have static routes out the outside interface of each context pointing to the MSFC address (using the MSFC IP address as next hop).

The static route can also be a default static route.

You can imagine all the contexts in parallel, with the outside interfaces all connected to the same VLAN and speaking to an SVI (interface vlan 50):

context1--outside vlan 50

ip address 10.50.50.7

context2-outside vlan 50

ip address 10.50.50.9

The MSFC/supervisor has specific static routes for the server subnets pointing to the correct next hop.

Suppose 10.100.10.0/24 are servers behind context1.

On the MSFC:

ip route 10.100.10.0 255.255.255.0 10.50.50.7

You also need to redistribute static routes into OSPF on the MSFC/sup to make them known to the ASA.

On each context you need:

route 0.0.0.0 0.0.0.0 10.50.50.1

We do so in our server farms, with the only difference that we have IS-IS instead of OSPF.

Hope to help

Giuseppe

Thanks a lot Giuseppe... Let me try my luck with this...

One more question Giuseppe... Do we need to run OSPF & BGP on the ASA to have this solution work?

Hello Partha,

OSPF on the ASA should be enough if the BGP internet router sends an OSPF default route into the LAN segment:

In this way the ASA knows where to send the IPsec packets for the remote sites; it doesn't need the details:

All detailed information about server IP subnets comes from the MSFC on the inside interface.

On the outside interface, running OSPF and learning a default route should be enough.

Hope to help

Giuseppe
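Putting this post and the previous one together, here is an added example (not from the thread, and not Cisco's own documentation) of where each statement lands on the three boxes. The context outside addresses, the 10.100.10.0/24 server subnet and the per-context default route are taken from the thread; VLAN 60 / 10.60.60.0/24, the 198.51.100.0/24 outside segment, the ASA interface names and the second server subnet 10.100.20.0/24 are assumed, and the IPsec LAN-to-LAN tunnel configuration itself is not shown.

```cisco
! ===== C6500 MSFC / Supervisor (IOS) =====
interface Vlan50
 description outside side of all FWSM contexts (10.50.50.1 is their next hop)
 ip address 10.50.50.1 255.255.255.0
interface Vlan60
 description LAN segment shared with the ASA inside interface (assumed)
 ip address 10.60.60.1 255.255.255.0
! one static per server subnet; next hop = outside address of the owning context
! (10.100.20.0/24 behind context2 is an assumed subnet)
ip route 10.100.10.0 255.255.255.0 10.50.50.7
ip route 10.100.20.0 255.255.255.0 10.50.50.9
router ospf 1
 network 10.60.60.0 0.0.0.255 area 0
! server subnets become OSPF externals that the ASA learns on its inside
 redistribute static subnets
!
! ===== FWSM, in each security context (no dynamic routing in multi-context mode) =====
! context1 (outside 10.50.50.7) and context2 (outside 10.50.50.9) both carry:
route outside 0.0.0.0 0.0.0.0 10.50.50.1
!
! ===== ASA: inside toward the MSFC, outside toward the BGP internet router =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.60.60.2 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
! two OSPF processes, deliberately not redistributed into each other:
! process 1 learns the server subnets, process 2 only learns the default,
! so the DC prefixes are never advertised toward the internet router
router ospf 1
 network 10.60.60.0 255.255.255.0 area 0
router ospf 2
 network 198.51.100.0 255.255.255.0 area 0
! the IPsec lan-to-lan tunnels terminate on "outside"; remote-site traffic
! matches the crypto map and follows the learned default route (not shown)
!
! ===== BGP internet router (IOS), injecting the default into OSPF =====
router ospf 1
 network 198.51.100.0 0.0.0.255 area 0
! requires a default route in this router's own table (e.g. learned via BGP)
 default-information originate
```

A quick check after applying it: the ASA routing table should show the server subnets as OSPF externals (O E2) via 10.60.60.1 and a default via the internet router, while the MSFC sees each server subnet as a static route toward its context.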

Hi,

You said to keep the same VLAN instance on the outside interface of each context. To achieve such a topology, we need to NAT within contexts for packet flow from one context to another. But as per our requirement, we can't do NATting in the contexts, as per the application demand...

So, any alternate idea?

Hello Partha,

I've given you an example of how to perform FWSM multi-context to MSFC routing.

I used this because we have different server farms configured in this way.

You can put the outside interfaces of the different contexts in different VLANs if you need; the basic idea is that the outside (or the inside) of a context needs to have an MSFC SVI (VLAN) address as the next hop for its static routes.

See the chapter about multiple contexts in the FWSM 3.2 guide:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html

Hope to help

Giuseppe
