03-11-2009 10:25 AM - edited 03-04-2019 03:53 AM
Hi,
In the data center, all servers are kept behind an FWSM which is configured in multiple context mode.
Primary links from the DC to the branches are via MPLS, whereas the backup link is IPsec.
On the Internet router BGP is running and in the LAN OSPF is running. The Internet terminates on an ASA.
My question is: if MPLS (the primary link) fails, how will branch users reach the DC servers that are behind the FWSM?
Any clue plz...
03-11-2009 12:46 PM
Hello Partha,
Could you provide a network diagram, possibly in JPEG format?
I understood there is a C6500 with MSFC and FWSM; behind the FWSM are the servers.
There is a LAN segment where the MSFC speaks OSPF with a router and with an ASA.
But then I'm confused:
Do the primary links connect via MPLS to the BGP router, or to ports in the C6500 with MSFC and FWSM?
Or is it:
|---- MPLS links===== remote sites
C6500/MSFC --- ASA --- BGP internet router
with the backup VPN tunnels terminated on the ASA?
You probably need to have the ASA speak OSPF with the MSFC to learn about the servers' IP subnets.
The ASA needs to redistribute the backup routes into OSPF to make them available for use by the C6500 MSFC.
see
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ip.html#wp1085954
For the FWSM nothing should change; it is the MSFC supervisor that handles routing to/from the outside world. When one remote site's MPLS link fails, the MSFC tries to use the ASA to reach the remote site subnets and traffic starts to flow over the VPN.
I would use GRE tunnels inside IPsec if possible; they make IP routing easier.
If this is not possible, see the LAN-to-LAN VPN chapter for the ASA:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/site2sit.html
Hope to help
Giuseppe
03-12-2009 08:18 AM
03-12-2009 10:01 AM
Hello Partha,
Thanks, the diagram allows people to understand your topology.
I think what I proposed in my first post is still valid because I guessed the right topology:
C6500 --- ASA --- internet router
Hope to help
Giuseppe
03-12-2009 11:54 AM
So, you suggest running OSPF on the ASA. But the question is how remote users will get access to the DC servers placed behind the FWSM. We can't have any dynamic routing running on the FWSM as it is configured with multiple contexts... Any clue plz..
03-12-2009 01:23 PM
Hello Partha,
You are right, the solution is not complete.
FWSM/MSFC routing with multiple contexts:
The FWSM needs to have static routes out the outside interface of each context pointing to the MSFC address (using the MSFC IP address as next hop).
The static route can also be a default static route.
You can imagine all the contexts in parallel, with the outside interfaces all connected to the same VLAN and speaking to an SVI (interface vlan 50):
context1 -- outside vlan 50
ip address 10.50.50.7
context2 -- outside vlan 50
ip address 10.50.50.9
The MSFC/supervisor has specific static routes for the server subnets pointing to the correct next hop.
Suppose 10.100.10.0/24 are servers behind context1.
On the MSFC:
ip route 10.100.10.0 255.255.255.0 10.50.50.7
You also need to redistribute static routes into OSPF on the MSFC/Sup to make them known to the ASA.
On each context you need:
route outside 0.0.0.0 0.0.0.0 10.50.50.1
We do so in our server farms, with the only difference that we have IS-IS instead of OSPF.
Hope to help
Giuseppe
03-15-2009 03:31 AM
Thanks a lot Giuseppe...Let me try my luck in this...
03-15-2009 03:33 AM
One more question Giuseppe.... Do we need to run OSPF & BGP on the ASA to have this solution work?
03-15-2009 04:14 AM
Hello Partha,
OSPF on the ASA should be enough if the BGP Internet router sends an OSPF default route into the LAN segment:
in this way the ASA knows where to send the IPsec packets for the remote sites; it doesn't need the details.
All detailed information about server IP subnets comes from the MSFC on the inside interface.
On the outside interface, running OSPF and learning a default route should be enough.
Hope to help
Giuseppe
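A combined configuration sketch, added here and not taken from Giuseppe's posts or from Cisco documentation, that ties together the FWSM-context/MSFC static routing from the earlier reply and the ASA OSPF setup in this one. Server VLAN 100, the 10.1.1.0/24 MSFC-ASA segment, the 203.0.113.0/24 ASA outside segment and the 192.168.10.0/24 remote-site subnet are assumed values; the 10.50.50.x and 10.100.10.0/24 addresses are the ones used in the thread.

```text
! === FWSM system execution space: hand the VLANs to context1
context context1
 allocate-interface vlan50
 allocate-interface vlan100
 config-url disk:/context1.cfg
!
! === FWSM context1 (no dynamic routing in multiple-context mode)
interface Vlan50
 nameif outside
 security-level 0
 ip address 10.50.50.7 255.255.255.0
!
! server VLAN 100 and its addressing are assumed
interface Vlan100
 nameif inside
 security-level 100
 ip address 10.100.10.1 255.255.255.0
!
! default route toward the MSFC SVI; the FWSM route command needs the interface name
route outside 0.0.0.0 0.0.0.0 10.50.50.1
!
! === MSFC (C6500 supervisor, IOS)
interface Vlan50
 ip address 10.50.50.1 255.255.255.0
!
! LAN segment shared with the ASA inside interface (10.1.1.0/24 is assumed)
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
!
! server subnet behind context1, next hop = context1 outside address
ip route 10.100.10.0 255.255.255.0 10.50.50.7
!
router ospf 1
 network 10.1.1.0 0.0.0.255 area 0
 redistribute static subnets
!
! === ASA: OSPF on inside (learns server subnets) and outside (learns the default
! from the BGP router); 203.0.113.0/24 and 192.168.10.0/24 are assumed
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.0 area 0
 redistribute static subnets
!
! backup path for remote site 192.168.10.0/24: static route out the outside
! interface, matched by the L2L crypto map, and redistributed so the MSFC sees it
route outside 192.168.10.0 255.255.255.0 203.0.113.254
```

Whether the MSFC keeps preferring the MPLS path while it is up depends on the administrative distance and metric of the MPLS-learned routes compared with these OSPF externals from the ASA, which the thread does not cover.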
03-15-2009 09:45 PM
Hi,
You said to keep the same VLAN instance on the outside interface of each context. To achieve such a topology, we need to NAT within contexts for packet flow from one context to another. But as per our requirement, we can't do NAT in the contexts because of the application demands....
So, any alternate idea?
03-16-2009 12:20 AM
Hello Partha,
I've given you an example of how to perform FWSM multi-context to MSFC routing.
I used this because we have different server farms configured in this way.
You can put the outside interfaces of the different contexts in different VLANs if you need; the basic idea is that the outside (or the inside) of a context needs to have as next hop for its static routes an MSFC SVI (VLAN) address.
See the chapter about multiple contexts in the FWSM 3.2 guide:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/configuration/guide/contxt_f.html
Hope to help
Giuseppe