Branch office DR lines and OSPF

Matt Karney
Level 1

I'm working on a significant redesign of our corporate network, away from static routes and to OSPF. One part of the project is getting DR lines installed at each branch office. These lines will be public internet WAN links over which an IPsec tunnel will be built when needed, terminating from the router on a Cisco ASA. Now the problem is that the VPN termination point is in a different part of the network from where their normal MPLS link connects upstream (a 6509). I believe this will present a problem to OSPF (unless the network drops off the 6509 and it broadcasts it as down, and then the ASA readvertises it once the VPN tunnel establishes). So, how can I accomplish a DR link over the VPN that terminates differently from the non-VPN MPLS link?

Basic diagram:

Everyday operation: Branch router ---- L3 MPLS ---- 6509 ---- rest of internal network --- VPN ASA ---- dmz ---- internet

DR operation: Branch router ---- ipsec VPN ---- VPN ASA ---- rest of internal network

8 Replies

Hello.

I would guess that you are running OSPF with your ISP (MPLS), so if a site loses the link, the routes won't be advertised by the ISP. If not, please provide a routing diagram with your ISP.

Please provide graphical diagram defining routing protocol boundaries.

PS: I'm wondering how you will run OSPF over an IPsec VPN without a GRE tunnel; are you going to use static neighbors?

Thanks for the reply.

The ISP will participate in the OSPF routing domain.

Attached is a quick visio diagram to give an idea of the way this is going to be setup.

Hello, Matt.

It's not clear how the ASA will support VPN termination for GRE... I thought it's not supported.

If GRE will be terminated on some other device, please add it to the diagram.

Will you run any routing protocol over IPSec tunnels?

I can terminate the GRE tunnel at the 6509 (where the normal MPLS connection terminates) if the ASA doesn't support GRE tunnels.

I will need to run OSPF over the IPsec tunnel so that the routing domain converges to route traffic to the ASA and the VPN tunnel if the main MPLS line is down.

Seems to me you know what to do.

What questions do you have? Or what other help is needed?

I needed to ensure that I wasn't missing something. For example, the ASA GRE part I didn't realize but I can do GRE to the 6509. I also wanted to verify that OSPF would work as I expected.

Hello, Matt.

Please draw a diagram including all the devices (and their interconnections) you will employ for the design.

Please include routing protocol setting (for OSPF - area number, area type, network type and etc.) per link.

Then ask your questions.

I guess if you are trying to design your solution, a lot of people here would be happy to help you.

PS: the best way to verify your solution is to simulate it in a lab; surely the local (on this forum) experts could give you valuable advice.

Matt Karney
Level 1

Here is a diagram of what the end state will look like that I put together. I thought it would be easiest to type the different links so:

    • Each branch office has a router connected via ethernet to the local modem (be it a fiber, coax, or other kind of connection coming from the ISP, it doesn't matter, as all of them are ethernet as far as my router is concerned). The ISPs at the branch sites, except for area 4, are around 10 meg connections. The main office is about 50 meg. Area 4 has a switch coming off the router, which then feeds into 3 switch stacks. The other areas just have 1 switch (or stack) coming off the router.
    • Each branch site will have a DR line that goes over the public internet. An IPsec tunnel will be set up to route traffic to the VPN-terminating ASA. I believe ASAs allow OSPF through IPsec tunnels, so a GRE tunnel should not be needed.
    • Our devices do not see the L3 MPLS at all. Our ISP presents a virtual router to us, so all devices see a virtual router and then our 6509. So you can replace the L3 MPLS on the diagram with a router, as topologically speaking that is what they will see.
    • I have two ideas for Area 0. I can create a large 10.216.0.0/16 network to grab all of our IPs in that area, but that could become large over time. The alternative is to just take 10.216.12.0/20 and only have 8 subnets in area 0, then spin off 10.216.246.0/24 and 10.216.200.0/24 into their own areas. Outside of the addressing concerns, is there a reason for picking one over the other?
    • The networks within each area (except the L3 MPLS) are ethernet links. The L3 MPLS links are going to be seen as ethernet links, but will have their costs modified.

If you have other questions, please let me know. I'll be happy to answer anything I can.
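One way to build the DR path the original question and the design description above are asking about, using the split the replies settled on: GRE terminated on the 6509 and IPsec terminated on the ASA, with OSPF running over the GRE tunnel at a higher cost than the MPLS link. This is an added example, not configuration from the original post. Every hostname, address, interface name, area number, cost and pre-shared key is an assumption, the ASA-side crypto configuration is not shown (its crypto ACL must mirror DR-GRE, with GRE from 10.216.12.1 to 198.51.100.2), and the 6509's own MPLS-facing link is assumed to already be in area 1.

```ios
! ===== Branch router (added example; all names and addresses are assumptions) =====
hostname BRANCH1
!
! IKE/IPsec to the VPN ASA's outside address (203.0.113.10, assumed)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.10
crypto ipsec transform-set DR-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic is only the GRE between the two tunnel endpoints, so the
! ASA's crypto ACL never has to list branch subnets; OSPF learns those
ip access-list extended DR-GRE
 permit gre host 198.51.100.2 host 10.216.12.1
!
crypto map DR-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set DR-TS
 match address DR-GRE
!
interface GigabitEthernet0/0
 description MPLS (ISP virtual router) - primary path
 ip address 10.216.32.2 255.255.255.252
 ip ospf cost 100
!
interface GigabitEthernet0/1
 description DR line to ISP (public internet)
 ip address 198.51.100.2 255.255.255.252
 crypto map DR-MAP
!
! GRE to the 6509 loopback; the GRE packets are what DR-MAP encrypts
interface Tunnel0
 description GRE to 6509 over DR IPsec
 ip address 10.216.250.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 1000
 keepalive 10 3
 tunnel source GigabitEthernet0/1
 tunnel destination 10.216.12.1
!
interface GigabitEthernet0/2
 description branch LAN
 ip address 10.216.1.1 255.255.255.0
!
! Pin the tunnel destination and the ASA peer to the DR line. The static (AD 1)
! beats the OSPF route the 6509 advertises for its loopback over MPLS (AD 110),
! so GRE never rides the MPLS path and the tunnel cannot recurse on itself.
ip route 10.216.12.1 255.255.255.255 198.51.100.1
ip route 203.0.113.10 255.255.255.255 198.51.100.1
!
! Both WAN paths sit in the same area as the branch LAN, so the 6509 sees two
! intra-area paths and cost (100 vs 1000) decides. OSPF hellos over Tunnel0
! keep the IPsec SA up permanently, so failover is only an SPF run.
router ospf 1
 router-id 10.216.1.1
 passive-interface GigabitEthernet0/2
 network 10.216.1.0 0.0.0.255 area 1
 network 10.216.32.0 0.0.0.3 area 1
 network 10.216.250.0 0.0.0.3 area 1
!
! ===== 6509 side (GRE endpoint; reaches 198.51.100.2 via its default route
! toward the ASA, which encrypts the GRE on its way out) =====
interface Loopback0
 ip address 10.216.12.1 255.255.255.255
!
interface Tunnel101
 description GRE from BRANCH1 over DR IPsec (via ASA)
 ip address 10.216.250.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 1000
 keepalive 10 3
 tunnel source Loopback0
 tunnel destination 198.51.100.2
!
router ospf 1
 router-id 10.216.12.1
 network 10.216.12.1 0.0.0.0 area 0
 network 10.216.250.0 0.0.0.3 area 1
```

In normal operation `show ip ospf neighbor` on the branch router should list both the ISP virtual router and the 6509 (over Tunnel0) as FULL, `show crypto ipsec sa` should show the SA to the ASA already established, and `show ip route` should prefer GigabitEthernet0/0 for internal prefixes. Shutting the MPLS interface in a lab, as one reply suggests, should move those routes to Tunnel0 without any new tunnel negotiation. If the tunnel were placed in a different area from the MPLS link, OSPF's intra-area-over-inter-area preference would override the costs, which is why both links are kept in area 1 here.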
