Multihoming with OSPF L3 VPN to 2 Providers

Unanswered Question
Nov 6th, 2009

Hi ALL,


Can I do a failover with OSPF at the CE with 2 providers?


For example when the link with ISP 1 at the HQ is dead, the INTERNAL LAN at CE can use the link from ISP 2 to reach the site of the ISP 1 by transiting the DRC sites.


In this case, the DRC site uses 1 router that connects to ISP 1 and ISP 2.


Detailed topology is attached.





Giuseppe Larosa Sat, 11/07/2009 - 02:01

Hello Suryanto,

it is possible to use OSPF as PE-CE protocol.

From the CE node point of view it is a standard OSPF domain and it has two OSPF neighbors PE_ISP1 and PE_ISP2.


for example it is just enough to set a higher cost on L3 link to PE_ISP2 to have a schema where PE_ISP1 is preferred.


it is even possible to have load balancing if costs are the same for all remote IP prefixes.


Be aware that if you use VRF-lite on your CE making it a multiVRF CE you may need to tune OSPF configuration

with


router ospf xx

capability vrf-lite


see

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_osp1.html#wp1012376



the only risk is that the CE router will propagate OSPF LSAs received from PE_ISP1 to PE_ISP2 and vice versa.


this can create problems to the service providers.


So you should use two different OSPF processes even if you are not using VRF lite multiVRF feature.


in this way the OSPF LSAs received by PE_ISP1 are not propagated to PE_ISP2 and vice versa.


you may need in this case to manipulate the AD for the different types of OSPF routes or you will not be able to establish a clear hierarchy of routes.


different OSPF processes use "ships in the night" and with default settings both compete to see their IP route installed in the IP routing table


see


http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_osp1.html#wp1013195


to have one process used as backup


router ospf process_2#


distance ospf external 118 inter-area 118 intra-area 118


in this way if OSPF neighbor PE_ISP1 fails all the routes of process-2 are installed in IP routing table.


To be noted eBGP sessions can provide an easier way to multihome because the unwanted routing feedback from ISP1 to ISP2 and vice versa can be easily avoided using an as path access-list that says to advertise only prefixes with empty AS path.



Hope to help

Giuseppe
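
The primary/backup behaviour described in the reply above, as an added Python model that is not part of the original post or of any Cisco software. The prefixes, costs and the `build_rib` helper are constructed for illustration, and the model assumes the routing table compares only administrative distance between the two processes, flagging a tie instead of predicting a winner.

```python
from collections import defaultdict
from typing import NamedTuple

DEFAULT_OSPF_AD = 110  # Cisco IOS default administrative distance for OSPF

class Route(NamedTuple):
    prefix: str
    process: int   # local OSPF process that computed the route
    next_hop: str  # PE neighbor the route points at
    metric: int    # OSPF cost; carried for realism, never compared across processes here

# Constructed sample: both providers advertise the same two remote prefixes,
# and process 2 even has the lower cost.
LEARNED = [
    Route("10.1.0.0/16", 1, "PE_ISP1", 20),
    Route("10.2.0.0/16", 1, "PE_ISP1", 30),
    Route("10.1.0.0/16", 2, "PE_ISP2", 10),
    Route("10.2.0.0/16", 2, "PE_ISP2", 10),
]

def build_rib(learned, distance, neighbors_up):
    """Return {prefix: (process, next_hop, ad, contested)}.

    distance maps process id -> AD set with 'distance ospf ...'; processes
    not listed keep the default. A route is offered only while its PE
    adjacency is up. contested is True when two processes tie on AD,
    the 'both compete' case with default settings.
    """
    offers = defaultdict(list)
    for r in learned:
        if r.next_hop in neighbors_up:
            ad = distance.get(r.process, DEFAULT_OSPF_AD)
            offers[r.prefix].append((ad, r.process, r.next_hop))
    rib = {}
    for prefix, cands in offers.items():
        cands.sort()  # lowest AD first; process id is only the model's tie-break
        best_ad = cands[0][0]
        contested = sum(1 for c in cands if c[0] == best_ad) > 1
        ad, proc, next_hop = cands[0]
        rib[prefix] = (proc, next_hop, ad, contested)
    return rib

if __name__ == "__main__":
    both = {"PE_ISP1", "PE_ISP2"}
    print("defaults:       ", build_rib(LEARNED, {}, both))
    print("process 2 = 118:", build_rib(LEARNED, {2: 118}, both))
    print("PE_ISP1 down:   ", build_rib(LEARNED, {2: 118}, {"PE_ISP2"}))
```
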


demoschairos Sat, 11/07/2009 - 03:39

Hi Giuseppe,


If I use different Process ID at the Core as CE EDGE and the LSDB is different, I am afraid the failover can be happen when one of the Provider link is down because OSPF LSAs received by PE_ISP1 are not propagated to PE_ISP2 and vice versa.


By the way, I try to do the failover, when I try to shut down one of the WAN Link at the ISP 1 ROUTER, I still receive the OSPF routing prefix from the PE NEXT HOP ADDRESS from the ISP 2. But when I do the traceroute it is unreachable.


Is there any explanation for this?


Regards,

Suryanto

Giuseppe Larosa Sat, 11/07/2009 - 04:01

Hello Suryanto,


>> I am afraid the failover can be happen when one of the Provider link is down because OSPF LSAs received by PE_ISP1 are not propagated to PE_ISP2 and vice versa.


passing LSAs from provider1 to provider2 should be avoided.


about your test:

you haven't provided enough details to understand what is happening:

for example if these are two different ISPs why they should be exchanging routes about this customer?

unless you have some sites with ISP1 and some sites with ISP2 and only one site multihomed.

If so LSA propagation is needed and you need to use a single OSPF process.


but if all sites are multihomed with ISP1 and ISP2 I would use the two OSPF processes approach to keep separated the routing information.


>> By the way, I try to do the failover, when I try to shut down one of the WAN Link at the ISP 1 ROUTER, I still receive the OSPF routing prefix from the PE NEXT HOP ADDRESS from the ISP 2. But when I do the traceroute it is unreachable.


from your picture I had the impression the two PE nodes were in different IP subnets that is recommended for the above reasons.


Hope to help

Giuseppe


demoschairos Sat, 11/07/2009 - 23:31

Hi Giuseppe,


Thx for the reply.


I will try to provide you the detail that is the requirement.


As you see in the topology,

1. There are 2 main sites, which are HQ and Backup HQ (DRC), and 2 ISPs, which are ISP 1 (left side) and ISP 2 (right side).


2. There are branches with only one connection to ISP 1 and also branches with only one connection to ISP 2.


The objective is:


1. If the connection PE-CE between ISP 1 and HQ WAN ROUTER 1 is dead, the internal LAN of the HQ will use the connection between PE-CE ISP 2 to reach the ISP 1 Branches and vice versa.


2. What is already done is there is only 1 OSPF process at all of the CE router.


3. When I shut the WAN ROUTER to ISP 1, I can receive the branches using ISP 1 prefix at CE that connect to ISP 2.


But when I try to do the traceroute it is unreachable even though I have those routes. I am confused about that, why I can receive the prefix but I can ping to those sites and it is unreachable.


When I do the show ip route for the ISP 1 sites prefix at CE ISP2, (still the ISP 1 router is dead), I see the originator of the routes is the ISP1 PE.


Is it OK if I separate the OSPF processes at the DRC site, which in the diagram is the topmost router, and then I redistribute between the different process IDs? So I can make the originator from the DRC sites.


Do you need any additional information instead of the diagram?


Thx for your assistance.




Giuseppe Larosa Sun, 11/08/2009 - 04:29

Hello Suryanto,

now it is clear.


sorry I hadn't understood at first.


inter-communication is needed.


you have two multihomed sites HQ and DRC.


both are connected to ISP1 and ISP2.



>> 3. When I shut the WAN ROUTER to ISP 1, I can receive the branches using ISP 1 prefix at CE that connect to ISP 2.




only remote sites IP subnets are of interest for you.


>> When I do the show ip route for the ISP 1 sites prefix at CE ISP2, (still the ISP 1 router is dead), I see the originator of the routes is the ISP1 PE


both sites are multihomed, link of HQ to ISP1 is shut down


you should receive the routes of sites connected only to ISP1 via DRC site that receives them from ISP1 PE at DRC.


this shouldn't be a problem if the appropriate information about LSA originator is correctly propagated.


be aware that duplicated router-ids are not allowed in a single OSPF domain.


so you need to check if this router-id of ISP1 PE at DRC is unique including all ISP2 PE router-ids!


Hope to help

Giuseppe






demoschairos Mon, 11/09/2009 - 19:53

Hi Giuseppe,


Thx for your input and also I have already tried your suggestion to make 2 process IDs at the DRC but I cannot put 1 interface to 2 process IDs with redistribution between them.


Actually it doesn't work and there is a looping in my network.


For the clarity and brief explanation, I will summarize all that I have done.


Condition:

1. Using Multiple Area OSPF for PE-CE Routing

2. Each Router using 1 OSPF Process ID

3. Process ID at ISP_A and ISP_B already same

4. HQ_ISPA received internal route-type from ISP_A

5. HQ_ISPB received internal route-type from ISP_B

6. The router-ids are already unique

Issue:

1. Failover doesn't work

2. When the ISP_A is down , the ISP_B can provide the prefix to BRANCH_ISPA and vice versa

Analyze:

1. When the ISP_A is down the ISP_B do not received the prefix for BRANCH_ISPA from DRC and vice versa

2. CE_HQ_ISPB received the BRANCH_ISPA prefix with the next hop of ISP_B and the originator is IP of ISP_A Cloud  Maybe looping

 

Workaround:

1. Separate the Process ID at DRC and Redistribution for Each process ID and Apply filter with route-tag

a. 2 Process ID at DRC

b. 1 Process ID at all other the CE

2. At ISP_A router always prefer the external from ISP_B instead of internal IA route from ISP_A even though the link was not down.

3. I cannot use more than one process id to the interface at DRC site.




Giuseppe Larosa Tue, 11/10/2009 - 02:44

Hello Suryanto,


yes OSPFv2 doesn't allow to have the same interface in the same area for two different processes.


you should review DRC IP addressing cooperating with providers to have two different IP subnets so that you can put one in process 1 and one in process 2.


However, in your setup it should be possible to work with a single OSPF process unless some specific issues like duplicated OSPF router-ids.


So I would investigate this aspect also.


Hope to help

Giuseppe

