
Dual connected remote sites to cisco nexus and ipsec vpn firewall

bmoore222
Level 1

We have some remote sites that are currently connected via OSPF back to our main Nexus 7000 routers.  We would like to provide redundant connection for these remote sites by adding a site-to-site vpn tunnel over internet.

Currently the VPN firewalls at the main site are connected to Nexus 7000 using static routing.  They are in active/standby state and failover works well.

We were considering enabling OSPF on the firewalls, but it appears the recommended way to do this would be to create another link between the 7ks that carries a non-vPC VLAN, so that the active firewall can create an OSPF adjacency with each 7k.  The Cisco Nexus 7000 best practice guide and other sites (http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/) explain why this needs to happen due to vPC loop avoidance.  I'm not very excited about the idea of creating more links between the two 7ks, not to mention they also recommend only doing dynamic routing protocols for firewalls if absolutely necessary.

So the next idea was to do an IP SLA on the Nexus 7k that tracks the remote IPsec VPN interface IP and, if it is up, inserts a redistributed static route, but as I understand it the Nexus 7ks cannot do that type of IP SLA like the IOS routers can.

So I'm looking for some ideas on how to set up automatic redundancy for these remote sites.  Some sites would be dual connected with fiber and IPsec VPN (we would prefer the fiber when up).  Other sites would have microwave T1s and IPsec VPN (we would prefer the IPsec VPN when up).

Below is a diagram depicting what we are trying to do


3 Replies

Jon Marshall
Hall of Fame

I am not familiar with Nexus, but I did help someone with route filtering a while back on these forums with N7ks where they were using IP SLA to track routes, and they said it all worked as expected, so is there a reason you think it won't work?

I'm not saying it definitely will but just wanted to clarify.

In terms of alternatives -

1) The fiber vs VPN could be solved by floating statics, i.e. you are receiving OSPF routes on the Nexus, so you could configure floating statics per remote site pointing to the firewalls with a higher AD than the OSPF routes.

Whether the VPN is up or not is not particularly relevant, i.e. if the fiber goes down then you only have the VPN to try anyway.

It does depend on how many routes per remote site there are, though, so it may not be practical.

2) The T1s vs the VPNs is a lot harder because you want to favour the VPNs, but you are not exchanging any dynamic routes, so you will have to be able to track the availability of the VPN in some way.

Jon

I'm on 6.1(4) and I can enable feature sla sender, but I don't get an option to do ICMP.

Found a Nexus guide for 6.2.2 and it says you can do an ICMP SLA; however, I don't know if you can track a route like so:

ip route 1.1.1.0/24 2.2.2.1/32 track

Right now I don't have a track command after the ip route.

Anyone have 6.2.2 or above who can enable feature sla sender and see if they can set up an IP SLA with ICMP and then track a route?

Here is the post I found that said it wasn't possible, but it is dated, so maybe this works now.

https://supportforums.cisco.com/discussion/11768386/ip-sla-and-object-tracking-default-route-nexus-7010


Just checked the command references and it looks like the ability to track a route was added in 6.2(2).

It also says you need an Enterprise license. See this link -

http://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/6_x/nx-os/unicast/command/reference/n7k_unicast_cmds/l3_cmds_i.html#pgfId-1680601

Like I say, I have not used Nexus switches, so no guarantees, but the above suggests it is supported with the right version.

I am assuming if you can track a route then this can be used with IP SLA.

Jon
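Putting the two threads of the discussion together (floating statics for the fiber-preferred sites in Jon's point 1, and an ICMP IP SLA with a tracked static route for the VPN-preferred sites in point 2), here is a worked NX-OS configuration. This is an added example, not configuration posted in the thread or taken from Cisco documentation; all addresses are constructed, it assumes NX-OS 6.2(2) or later with the Enterprise license as noted above, and the exact argument order of `ip route ... track ... preference` and the `delay` sub-command under `track` should be checked against the 6.2 command reference linked in the thread for your release.

```cisco
! Added example (not from the thread). Constructed addresses:
!   10.1.1.254     inside (shared active/standby) address of the VPN firewall pair,
!                  the next hop from the N7K
!   10.30.0.0/24   site A LAN, normally learned via OSPF over fiber (fiber preferred)
!   10.30.0.1      site A router LAN address, used as the ICMP probe target
!   10.40.0.0/24   site B LAN, normally learned via OSPF over the T1 (VPN preferred)
!   10.40.0.1      site B router LAN address, used as the ICMP probe target
! Apply on both N7Ks of the vPC pair; each switch runs its own probes and tracks.

feature sla sender

! Host routes pin each probe target to the firewall so the echo is forced across
! the IPsec tunnel. A /32 beats the OSPF /24 on longest match, so without these the
! probe would succeed over fiber/T1 and tell you nothing about the VPN.
ip route 10.30.0.1/32 10.1.1.254
ip route 10.40.0.1/32 10.1.1.254

ip sla 10
  icmp-echo 10.30.0.1
  frequency 10
  timeout 2000
  threshold 1000
ip sla schedule 10 life forever start-time now

ip sla 20
  icmp-echo 10.40.0.1
  frequency 10
  timeout 2000
  threshold 1000
ip sla schedule 20 life forever start-time now

! Reachability tracks with dampening so a single lost echo does not flap routes.
track 10 ip sla 10 reachability
  delay down 30 up 60
track 20 ip sla 20 reachability
  delay down 30 up 60

! Site A, fiber preferred: floating static with preference 250 (> OSPF 110).
! It only enters the RIB when OSPF withdraws its route AND track 10 is up.
ip route 10.30.0.0/24 10.1.1.254 track 10 250

! Site B, VPN preferred: default preference 1 (< OSPF 110), so while track 20 is up
! the static wins; when the probe fails the static is withdrawn and the OSPF route
! over the T1 takes over automatically.
ip route 10.40.0.0/24 10.1.1.254 track 20

! Redistribute the tracked statics so the rest of the OSPF domain learns them when
! installed. NX-OS requires a route-map on redistribute; the prefix-list keeps the
! probe /32s and anything else static out of OSPF.
ip prefix-list VPN-SITES seq 10 permit 10.30.0.0/24
ip prefix-list VPN-SITES seq 20 permit 10.40.0.0/24
route-map VPN-BACKUP permit 10
  match ip address prefix-list VPN-SITES
router ospf 1
  redistribute static route-map VPN-BACKUP

! Verification (run after the first schedule interval):
!   show ip sla statistics 10
!   show track 10
!   show ip route 10.30.0.0/24     -> OSPF while fiber is up, static/250 after a fiber fault
!   show ip route 10.40.0.0/24     -> static/1 while the tunnel probe succeeds, OSPF otherwise
```

Two points worth checking in a lab before relying on this: first, the probe only proves the tunnel carries traffic in the outbound direction, so if the remote router could reply over its other link you may want to probe an address that exists only behind the remote VPN endpoint; second, because the firewalls are active/standby behind one shared next hop, a firewall failover appears to the N7K simply as a few lost echoes, which is what the `delay down` on the track is there to absorb.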
