10-29-2013 08:58 AM - edited 03-04-2019 09:26 PM
I'm working on doing some significant redesign of our corporate network away from static routes, and to OSPF. One of the parts of the project is getting DR lines installed at each branch office. These lines will be public internet WAN links that an ipsec tunnel will get built over when they are needed terminating from the router to a Cisco ASA. Now the problem is that the VPN termination point is at a different part of the network from where their normal MPLS link connects upstream (6509). And this will present a problem to OSPF I believe (unless the network drops off the 6509 and it broadcasts it as down, and then the ASA readvertises it once the VPN tunnel establishes). So, how can I accomplish a DR link over the VPN that terminates differently from the non-VPN MPLS link?
Basic diagram:
Everyday operation: Branch router ---- L3 MPLS ---- 6509 ---- rest of internal network --- VPN ASA ---- dmz ---- internet
DR operation: Branch router ---- ipsec VPN ---- VPN ASA ---- rest of internal network
10-29-2013 09:11 AM
Hello.
I would guess that you are running OSPF with your ISP (MPLS), so if a site loses the link, the routes won't be advertised by the ISP. If not, please provide a routing diagram with your ISP.
Please provide a graphical diagram defining routing protocol boundaries.
PS: I'm wondering how you will run OSPF over an IPsec VPN without a GRE tunnel; are you going to use static neighbors?
10-29-2013 11:42 AM
10-30-2013 12:05 AM
Hello, Matt.
It's not clear how the ASA will support VPN termination for GRE... I thought it's not supported.
If GRE will be terminated on some other device, please add it to the diagram.
Will you run any routing protocol over IPSec tunnels?
10-30-2013 05:35 AM
I can terminate the GRE tunnel at the 6509 (where the normal MPLS connection terminates) if the ASA doesn't support GRE tunnels.
I will need to run OSPF over the IPSec tunnel so that the routing domain converges to route traffic to the ASA and VPN tunnel if the main MPLS line is down.
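A branch-router configuration that implements the design Matt describes (IPsec to the ASA protecting only GRE traffic, GRE terminated on the 6509, OSPF over the tunnel at a high cost so it carries traffic only when the MPLS path is gone). This is an added example, not configuration from the thread or from any poster; all addresses, interface names, the router ID and the pre-shared key are constructed placeholders, and the crypto parameters assume IOS 15.x syntax.

```cisco
! Branch router, DR path. Constructed example; every address and name is a placeholder.
!
! --- Phase 1 / Phase 2 toward the VPN ASA (203.0.113.10) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 203.0.113.10
!
crypto ipsec transform-set DR-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Only the GRE packets from this router to the 6509 tunnel endpoint are encrypted.
! The ASA never terminates GRE; it just carries it inside the IPsec SA.
ip access-list extended GRE-TO-HQ
 permit gre host 198.51.100.2 host 10.255.255.1
!
crypto map DR-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set DR-TS
 match address GRE-TO-HQ
!
! --- Public DR internet link ---
interface GigabitEthernet0/1
 description DR internet link (public WAN)
 ip address 198.51.100.2 255.255.255.252
 crypto map DR-MAP
!
! --- GRE tunnel to the 6509, riding inside the IPsec tunnel to the ASA ---
interface Tunnel0
 description GRE to 6509 loopback over IPsec
 ip address 10.254.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip ospf network point-to-point
 ip ospf cost 1000
 tunnel source GigabitEthernet0/1
 tunnel destination 10.255.255.1
!
! The tunnel endpoint must be reached via the DR link itself. Without this host
! route, OSPF can learn 10.255.255.1/32 through Tunnel0 and the tunnel flaps
! (recursive routing), which also breaks the crypto ACL match.
ip route 10.255.255.1 255.255.255.255 198.51.100.1
!
! --- OSPF: tunnel is in the same area as the MPLS-facing interfaces ---
router ospf 1
 router-id 10.1.1.1
 network 10.254.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.255.255 area 0
```

The cost of 1000 on Tunnel0 keeps the adjacency up at all times (so there is no convergence delay waiting for the tunnel to form) while the MPLS path, with its lower cost, wins SPF; when the MPLS link drops, the LSAs for the branch prefixes are withdrawn from that path and the 6509 reaches the branch over Tunnel0. The 6509 side needs the mirror image: a Tunnel0 with `tunnel source Loopback0` (10.255.255.1), `tunnel destination 198.51.100.2`, the same MTU/MSS and cost settings, plus a host route for 198.51.100.2/32 pointing at the ASA's inside interface so the 6509's GRE packets are handed to the ASA for encryption; the ASA's crypto ACL is the mirror of GRE-TO-HQ. Verify with `show crypto ipsec sa` (encaps/decaps counters on the GRE SA) and `show ip ospf neighbor` (the Tunnel0 neighbor should be FULL while MPLS is still up).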
10-30-2013 05:37 AM
Seems to me you know what to do.
What questions do you have? Or what other help is needed?
10-30-2013 07:33 AM
I needed to ensure that I wasn't missing something. For example, the ASA GRE part I didn't realize but I can do GRE to the 6509. I also wanted to verify that OSPF would work as I expected.
10-30-2013 11:43 AM
Hello, Matt.
Please draw a diagram including all the devices (and their interconnections) you will employ for the design.
Please include the routing protocol settings (for OSPF: area number, area type, network type, etc.) per link.
Then ask your questions.
I guess if you are trying to design your solution, a lot of people here would be happy to help you.
PS: the best way to verify your solution is to simulate it in a lab; surely local (on this forum) experts could give you valuable advice.
10-31-2013 04:56 PM
Here is a diagram of what the end state will look like that I put together. I thought it would be easiest to type the different links so:
If you have other questions, please let me know. I'll be happy to answer anything I can.