12-19-2011 04:27 PM - edited 03-07-2019 03:58 AM
Currently, I have this design:
The DC and the Corporate Office have a dedicated Optiman circuit, and they are also connected via MPLS. Both locations also have Internet connections with ASA firewalls.
HQ and DC are also connected to one small branch via MPLS as well. This location also has Internet with an ASA firewall.
I am not running any routing protocols and am currently relying on static routes. It is getting very difficult to manage because we are growing fast.
I would like to introduce OSPF internally and BGP to MPLS so we can redistribute OSPF into BGP for end-to-end reachability.
I need some advice (best practice).
Obviously, between HQ and DC we would prefer Optiman as the first-choice path, followed by MPLS/BGP, followed by Internet IPsec site-to-site.
For the small branch, the first preference will be MPLS/BGP, followed by Internet site-to-site VPN.
From what I know, I will have to call our ISP and ask them to provide an internal AS for us to enable BGP on all our MPLS routers at our three locations.
I am looking for best practices and configuration guidelines, such as how to set up BGP, redistribute OSPF into BGP, and configure path preferences. For example, for site-to-site VPN, how to configure BGP as a secondary path, etc.
Any help will be appreciated.
Thanks
12-22-2011 12:59 PM
Hi Abbas,
You have several extensive requirements. I suggest you take one at a time, perhaps opening a separate thread for each requirement; you'll get a bigger audience to assist you by taking one technology at a time separately and eventually putting them together to work.
"I would like to introduce OSPF internally and BGP to MPLS so we can redistribute OSPF into BGP for end-to-end reachability."
I don't want to say this implementation is easy, because it all depends on your network, but overall a basic OSPF implementation, coming from a statically routed network to a dynamic one, should be fairly simple to introduce provided you have some basic understanding of the workings of OSPF and BGP.
"From what I know, I will have to call our ISP and ask them to provide an internal AS for us to enable BGP on all our MPLS routers at our three locations."
That is right. You should work with your MPLS ISP provider with respect to moving from static routing to BGP, and work with them to gradually move your sites to BGP, get AS numbering, etc. Before BGP is in place, I suggest you have OSPF already in place in your DC and HQ and properly working in the LAN. Use a standard single area all across between the two sites, DC and HQ, using that Optiman link; you can do the same standard/single OSPF area in all other smaller branches that are connected to MPLS, but one at a time.
"Obviously, between HQ and DC we would prefer Optiman as the first-choice path, followed by MPLS/BGP, followed by Internet IPsec site-to-site."
Since you have a point-to-point link between DC and HQ, and if you configure both sites as a standard OSPF area all across, that link will be used as the preferred path by OSPF, because routes learned from adjacent devices are considered intra-area routes, meaning routes learned within that same area. Consequently, if that point-to-point link were to fail, then routes learned from BGP via MPLS will take effect, as they are treated as external routes.
As for site-to-site VPN, this deserves a different thread, but sure, you can have an L2L VPN as a backup for the Optiman link and MPLS from the DC site to HQ. You can use the Internet link at each site, DC and HQ, for that purpose and implement GRE over IPsec, for example: terminate the GRE on one of your internal routers, have the ASA firewalls do the IPsec encryption, and have this link only as a backup for the Optiman and MPLS links.
"I am looking for best practices and configuration guidelines, such as how to set up BGP, redistribute OSPF into BGP, and configure path preferences. For example, for site-to-site VPN, how to configure BGP as a secondary path, etc."
Like I said before, first look at your DC and HQ LAN and assess how you will introduce OSPF; make a list of your routers in each site and come up with a plan for peering the devices into forming OSPF adjacencies.
Some OSPF resources
http://www.cisco.com/en/US/partner/tech/tk365/tk480/tsd_technology_support_sub-protocol_home.html
BGP resources
http://www.cisco.com/en/US/partner/tech/tk365/tk80/tsd_technology_support_sub-protocol_home.html
Regards
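The design described in the reply above, written out as an added example configuration for the HQ WAN router. This is not the poster's configuration and is not taken from the Cisco links above; the hostname, interface names, addresses, key placeholders and AS numbers 65000/65001 are invented, the MPLS provider is assumed to hand out the same private AS to every site and run as-override, and the DC router is assumed to carry the mirror-image configuration. One caveat the reply does not mention: on IOS, eBGP routes have administrative distance 20, lower than OSPF's 110, so without `distance bgp 120 200 200` the MPLS path would beat the Optiman path in the routing table regardless of OSPF route type. With that change, `distance ospf external 130`, and iBGP (AD 200) rather than OSPF over the GRE tunnel, the routing table falls back in the order the question asks for: Optiman (OSPF intra-area, 110), then MPLS (eBGP, 120), then the Internet tunnel (iBGP, 200). The session to the provider is MD5-authenticated, capped with maximum-prefix and filtered in both directions so that neither a default route nor prefixes outside the corporate range can be accepted or leaked; OSPF is MD5-authenticated; and only site-local OSPF internal routes are redistributed into BGP, so BGP-learned routes (which arrive in OSPF as externals) cannot be re-originated and loop.

```cisco
! HQ-WAN: OSPF core, MPLS CE and GRE endpoint in one router. All values are placeholders.
!   HQ LAN 10.1.0.0/16 on Gi0/0, DC LAN 10.2.0.0/16, branch 10.3.0.0/16
!   Optiman to DC on Gi0/1 (10.255.0.0/30), MPLS PE on Gi0/2 (192.0.2.0/30)
!   GRE Tunnel0 between Loopback1 10.254.0.1 (HQ) and 10.254.0.2 (DC); ASA inside is 10.1.0.254
!   Provider AS 65000; corporate AS 65001 at every site (provider applies as-override)
hostname HQ-WAN
!
interface Loopback1
 description GRE endpoint, deliberately kept out of OSPF
 ip address 10.254.0.1 255.255.255.255
!
interface GigabitEthernet0/0
 description HQ LAN
 ip address 10.1.0.1 255.255.0.0
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 REPLACE-OSPF-KEY
!
interface GigabitEthernet0/1
 description Optiman to DC: first choice (OSPF intra-area, AD 110)
 ip address 10.255.0.1 255.255.255.252
 ip ospf network point-to-point
 ip ospf cost 10
 ip ospf 1 area 0
 ip ospf message-digest-key 1 md5 REPLACE-OSPF-KEY
!
interface GigabitEthernet0/2
 description MPLS PE: second choice (eBGP, AD raised to 120 below)
 ip address 192.0.2.2 255.255.255.252
!
interface Tunnel0
 description GRE to DC over the Internet: last resort (iBGP, AD 200); the ASAs encrypt it
 ip address 10.255.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 10 3
 tunnel source Loopback1
 tunnel destination 10.254.0.2
!
! Pin the far tunnel endpoint to the ASA so the tunnel can never recurse through itself
ip route 10.254.0.2 255.255.255.255 10.1.0.254
!
router ospf 1
 router-id 10.1.0.1
 area 0 authentication message-digest
 passive-interface default
 no passive-interface GigabitEthernet0/0
 no passive-interface GigabitEthernet0/1
 distance ospf external 130
 redistribute bgp 65001 subnets route-map BGP-TO-OSPF
!
router bgp 65001
 bgp router-id 10.1.0.1
 bgp log-neighbor-changes
 distance bgp 120 200 200
 redistribute ospf 1 match internal route-map OSPF-TO-BGP
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description MPLS PE
 neighbor 192.0.2.1 password REPLACE-BGP-KEY
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 192.0.2.1 maximum-prefix 500
 neighbor 192.0.2.1 prefix-list CORP in
 neighbor 192.0.2.1 prefix-list HQ-LOCAL out
 neighbor 10.255.1.2 remote-as 65001
 neighbor 10.255.1.2 description DC over GRE/IPsec (iBGP)
 neighbor 10.255.1.2 password REPLACE-BGP-KEY
 neighbor 10.255.1.2 update-source Tunnel0
 neighbor 10.255.1.2 next-hop-self
!
! Accept only corporate space from the provider (never a default); announce only HQ's own space
ip prefix-list CORP seq 5 permit 10.0.0.0/8 le 24
ip prefix-list CORP seq 100 deny 0.0.0.0/0 le 32
ip prefix-list HQ-LOCAL seq 5 permit 10.1.0.0/16 le 24
!
route-map OSPF-TO-BGP permit 10
 match ip address prefix-list HQ-LOCAL
!
route-map BGP-TO-OSPF permit 10
 match ip address prefix-list CORP
 set tag 65001
 set metric-type type-2
```

The ASA side (not shown) needs an L2L IPsec peer to the DC ASA whose crypto ACL matches GRE between 10.254.0.1 and 10.254.0.2, a NAT exemption for that pair, and an inside route to 10.254.0.1 via 10.1.0.1; `ttl-security` only works if the provider agrees to GTSM on its side, so drop that line if they do not. To confirm the ordering, watch `show ip route 10.2.0.0` while shutting Gi0/1 and then Gi0/2: the DC prefix should move from O (110) to B (120) to B (200) and back, and `show ip bgp summary` should show both sessions established throughout.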
12-22-2011 11:49 PM
Jorge,
Thank you for your wonderful explanation. I will take your suggestions and take one step at a time. The first priority will be to put an IGP such as OSPF in place and make sure that there is end-to-end connectivity. OSPF will be pretty straightforward since we have a dedicated Optiman circuit between the two sites. The only caveat is that HQ and DC are also connected to one remote location over MPLS and one more small office over the Internet. For now, we will just continue to use static routes for those locations, and once BGP is in place, the remote location will be migrated over to OSPF as well and redistributed into BGP.
For reachability over the Internet, I think I will go with DMVPN, but I've got to check if the Juniper firewall will support this configuration. We have ASAs for all 3 locations, but one small site has a Juniper firewall.
Regards,
12-23-2011 06:46 AM
Hi Abbas, you're welcome. Keep us posted on how everything goes.
Regards