All, we have a client that has a data center in Boston and a DR in New York with more than 10 site-to-site VPN tunnels. Each remote site runs IPSec with a GRE tunnel with BGP connected to the Data Center in Boston. The client requests to build the failover VPN router at the DR in New York, and between New York and Boston there is an MPLS via eBGP.
I am attaching the network diagram. Should I run the same AS 65003 on the failover VPN router 2 as on router 3, since routers 2 and 3 are VPN termination end points? Or should I run a different AS than AS 65003? Please advise.
Hi Joe and Milan,
The problem that Milan describes with possible loops can be overcome with the BGP as-override command.
This command is very common for ISP and VPN solutions. In these cases the ISP provides an AS to the customer and uses the AS override command for the PE-CE BGP peerings.
In your topology, in case you use the same AS, you can achieve this by configuring AS-Override on the BGP peerings R1->R3 and R0->R2.
Initially, in my first post, I thought that NY & Boston have the same AS due to the big circle in the diagram.
Now, it seems that it is simpler to have a different AS.
Just to mention that the AS override should be configured in case you have more remote sites like R-Atlanta with the same AS, in order to achieve the site-to-site communication.
I thought they were CPEs. But if they are PEs, then you are right.
If they are CPEs, I like the idea to run the same AS in the WAN Edge bubble.
Is the Remote-Atlanta router on your diagram an example of a remote site running a primary IPSec with GRE VPN tunnel with Router 3 in Boston?
And in case of the primary VPN failure it will establish a failover VPN connection to Router 2 in New York?
And connect to Boston through an MPLS connection between New York and Boston?
If all the answers to the questions above are "Yes", then you can't use the same AS number on Router 3 and Router 2, I'm afraid.
Imagine the following scenario:
Atlanta (AS 65004) would be connected to New York (AS 65003).
How would Router 3 (AS 65003) know where to forward the traffic with Atlanta destination?
It needs to receive the Atlanta prefix from New York!
But if the AS_PATH contains its own AS number (65003), it would be rejected by Router 3!
So you have to use a different AS number for Router 2.
You can imagine also more complicated scenarios when some clients are connected to Router 2 and some to Router 3.
And they would need to communicate with each other. Again, the same AS number can't be used on Router 2 and Router 3.
Regarding possible routing loops caused by the client becoming a transfer AS (routing data from Boston to New York):
You can (and you should) configure the clients to advertise only their own (local) prefixes.
Generally, it's always confusing using the same AS number on multiple sites in more complex enterprise networks.
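As an added illustration that is not part of any post in this thread, the following Python model replays the loop scenario Milan describes (R3 dropping an update whose AS_PATH already carries 65003) and the as-override rewrite on the R1->R3 peering from the earlier reply. The MPLS carrier's AS number 64500 is a constructed placeholder; 65003 and 65004 are the values from the thread, and R0/R1 are assumed to be the carrier's PEs.

```python
# Added example (not from the thread): a minimal model of the eBGP AS_PATH
# loop check and of the as-override rewrite, applied to the topology above.
# Assumed/constructed: CARRIER_AS is a placeholder for the MPLS provider's AS;
# 65003 (R2/R3) and 65004 (Atlanta) come from the thread.

CARRIER_AS = 64500  # constructed placeholder, not a value from the thread


def accepts_update(local_as, as_path):
    """Standard eBGP loop detection: an update whose AS_PATH already
    contains the receiving router's own AS is discarded."""
    return local_as not in as_path


def advertise(sender_as, as_path, as_override=False, peer_as=None):
    """Build the AS_PATH a router sends to an eBGP neighbour: prepend its
    own AS. With as-override (what a PE does toward a CE), every occurrence
    of the neighbour's AS is first replaced by the sender's own AS."""
    path = list(as_path)
    if as_override:
        path = [sender_as if asn == peer_as else asn for asn in path]
    return [sender_as] + path


def propagate(r2_as, r3_as, use_as_override):
    """Walk the Atlanta prefix from R2 (New York VPN router) over the MPLS
    carrier (R0 -> R1) to R3 (Boston VPN router). Returns (accepted, path)."""
    path = advertise(65004, [])          # Atlanta originates toward R2
    path = advertise(r2_as, path)        # R2 hands it to carrier PE R0
    # R0 -> R1 is iBGP inside the carrier: AS_PATH unchanged.
    # R1 -> R3 is eBGP; as-override rewrites R3's AS if enabled.
    path = advertise(CARRIER_AS, path, as_override=use_as_override, peer_as=r3_as)
    return accepts_update(r3_as, path), path


if __name__ == "__main__":
    for r2_as, ovr in ((65003, False), (65003, True), (65005, False)):
        ok, path = propagate(r2_as, 65003, ovr)
        print(f"R2 AS {r2_as}, as-override={ovr}: R3 accepts={ok}, AS_PATH={path}")
```

The first case reproduces the rejection Milan describes, the second shows the as-override rewrite making the same-AS design work, and the third shows the plain fix of giving Router 2 its own AS.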