04-02-2012 12:48 PM - edited 03-04-2019 03:53 PM
All- we have a client that has a data center in Boston and a DR in New York with more than 10 site-to-site VPN tunnels. Each remote site runs IPSec with a GRE tunnel and BGP connected to the Data Center in Boston. The client requests to build the failover VPN router at the DR in New York, and between New York and Boston there is an MPLS via eBGP.
I am attaching the network diagram. Should I run the same AS 65003 on the failover VPN router 2 as on router 3, since routers 2 and 3 are VPN termination end points? Or should I run a different AS than AS 65003? Please advise.
Regards,
Joe
04-03-2012 04:51 AM
Hi,
is the Remote-Atlanta router on your diagram an example of a remote site running a primary IPSec with GRE VPN tunnel to Router 3 in Boston?
And in case of the primary VPN failure it will establish a failover VPN connection to Router 2 in New York?
And connect to Boston through an MPLS connection between New York and Boston?
If all the answers to the questions above are "Yes", then you can't use the same AS number on Router 3 and Router 2, I'm afraid.
Imagine following scenario:
Atlanta (AS 65004) would be connected to New York (AS 65003).
How would Router 3 (AS 65003) know where to forward the traffic with Atlanta destination?
It needs to receive the Atlanta prefix from New York!
But if the AS_PATH contains its own AS number (65003), it would be rejected by Router 3!
So you have to use a different AS number for Router 2.
You can imagine also more complicated scenarios when some clients are connected to Router 2 and some to Router 3.
And they would need to communicate each to the others. Again, the same AS number can't be used on Router 2 and Router 3.
Regarding possible routing loops caused by the client becoming a transfer AS (routing data from Boston to New York):
You can (and you should) configure the clients to advertise only their own (local) prefixes.
Generally, it's always confusing using the same AS number on multiple sites in more complex enterprise networks.
HTH,
Milan
04-03-2012 08:05 AM
I thought they were CPEs. But if they are PEs, then you are right.
If they are CPEs, I like the idea to run the same AS in the WAN Edge bubble.
04-03-2012 03:00 PM
Hi Joe and Milan,
The problem that Milan describes with possible loops can be overcome with the BGP as-override command.
This command is very common for ISP and VPN solutions. In these cases the ISP provides an AS to the customer and uses the AS override command for the PE-CE BGP peerings.
In your topology, in case you use the same AS, you can achieve this by configuring AS-Override on the BGP peerings R1->R3 and R0-R2.
Initially, in my first post, I thought that NY & Boston have the same AS due to the big circle in the diagram.
Now, it seems that it is simpler to have a different AS.
Just to mention that the AS override should be configured in case you have more remote sites like R-Atlanta with the same AS, in order to achieve the site-to-site communication.
Regards,
Vasilis
04-02-2012 01:47 PM
Yes, that would be ideal.
04-02-2012 02:24 PM
As always, thank you Ed. Just want to clarify that I should run the same AS 65003 on the failover router, right? If so, can you please explain to me?
04-03-2012 07:42 AM
Joe,
Sorry, I should've opened the PDF file before responding. I agree with Milan's assessment.
It's usually suggested to have a unique AS per site, thus I recommend leaving 65000 just for NY and perhaps running 65001 or 65003 just for Boston.
04-03-2012 08:01 AM
Hi Edison/Joe,
aren't Router 0 and Router 1 routers owned by an MPLS provider?
Then it would make sense to use two AS numbers per site.
BR,
Milan
04-02-2012 02:45 PM
Hi Joe,
I also agree with Edison.
It is better to have the same AS number on both the R2 and R3 routers in your design.
Possible routing loops, e.g. by misconfiguration, are prevented due to the built-in AS-LOOP prevention BGP mechanism.
For instance, if R4 advertises the subnets learnt from R2 to R3, these are denied by R3 due to the same AS value.
The same applies to R1, R0.
Of course all these can be prevented with the correct configuration (e.g. route-maps, filter-lists), but in this way you add an extra layer of protection against BGP routing loops.
Hope that helps
Vasilis
04-03-2012 06:44 AM
All-
To answer all of Milan's questions: "Yes". It seems there are two different ideas, but I agree with what Milan says. Any thoughts?
Regards,
Joe
04-03-2012 07:19 PM
Thanks Vasilis, Milan and Ed.
I have one last question about the NAT. My client has a few VPN remotes, and those VPN sites require a routable IP address for the local host. So what I configured on Router 3 is the following (72.10.10.1 is the routable IP address in this case):
ip nat inside source static 192.168.1.1 72.10.10.1
This NAT is only to meet those VPN requirements. The question is: do I need to configure "ip nat outside" on the external interface, which is connected to the internet?
04-03-2012 09:07 PM
Joe,
You need 'ip nat inside' on the ingress interface from the 192.168.1.0/24 network and 'ip nat outside' on the egress interface towards the internet.
04-04-2012 12:56 AM
Hi Vasilis,
yes, configuring AS-override on the BGP peerings R1->R3 and R0-R2 would enable using the same AS number on Router 2 and Router 3.
But do you think it would be safe from a loop detection point of view?
IMHO, this feature should be used only if you have to.
Which is not the case here.
In case you have more remote sites like R-Atlanta with the same AS number, AS-override on the BGP peerings R1->R3 and R0-R2 would not help.
You would need neighbor allowas-in configured on the remote sites.
BR,
Milan
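The AS_PATH loop check Milan walks through (Router 3 dropping a path that already carries 65003), Vasilis's as-override workaround and Milan's allowas-in point, as an added Python model that is not code from this thread. It assumes a provider AS of 65500 for Router 0/Router 1, an iBGP hop between the two PEs, and a plain eBGP hop from Router 3 to a second remote site.

```python
# Toy model of BGP AS_PATH loop prevention for the thread's topology.
# Atlanta -> Router 2 (NY) -> Router 0 (PE) -> Router 1 (PE) -> Router 3 (Boston).
# Constructed for illustration; the provider AS 65500 is an assumption.

PROVIDER_AS = 65500   # assumed AS of the MPLS provider (Router 0 / Router 1)
ATLANTA_AS = 65004    # the Remote-Atlanta site from the thread


def accepts(local_as, as_path, allowas_in=False):
    """Standard loop check: an UPDATE whose AS_PATH already contains the
    receiver's own AS is dropped, unless 'neighbor ... allowas-in' is set
    (modelled here as unlimited; IOS allows a configurable count)."""
    return allowas_in or local_as not in as_path


def ebgp_advertise(sender_as, as_path, as_override_for=None):
    """eBGP prepends the sender's AS. With 'neighbor ... as-override' the PE
    first rewrites every occurrence of the CE's AS with its own AS."""
    path = [sender_as if asn == as_override_for else asn for asn in as_path]
    return [sender_as] + path


def atlanta_prefix_at_router3(router2_as, router3_as,
                              as_override=False, allowas_in=False):
    """Carry Atlanta's prefix to Router 3 and report the AS_PATH it receives
    and whether it installs the route. Router 0 -> Router 1 is iBGP inside
    the provider, so no AS is added on that hop."""
    path = [ATLANTA_AS]                               # originated by Atlanta
    path = ebgp_advertise(router2_as, path)           # Router 2 -> Router 0
    path = ebgp_advertise(PROVIDER_AS, path,          # Router 1 -> Router 3
                          as_override_for=router3_as if as_override else None)
    return path, accepts(router3_as, path, allowas_in)


def second_remote_learns_atlanta(router2_as, router3_as, remote_as,
                                 as_override=False, allowas_in=False):
    """A second remote site that shares Atlanta's AS and is homed on Router 3.
    as-override on the PE-CE links does not help it: Router 3 -> remote is a
    plain eBGP hop, so the path still carries the remote's own AS."""
    path, ok = atlanta_prefix_at_router3(router2_as, router3_as, as_override)
    if not ok:
        return path, False
    path = ebgp_advertise(router3_as, path)           # Router 3 -> second remote
    return path, accepts(remote_as, path, allowas_in)


if __name__ == "__main__":
    print("same AS, no override :", atlanta_prefix_at_router3(65003, 65003))
    print("different AS         :", atlanta_prefix_at_router3(65001, 65003))
    print("same AS + as-override:", atlanta_prefix_at_router3(65003, 65003, as_override=True))
    print("second remote, 65004 :", second_remote_learns_atlanta(65001, 65003, 65004))
```

Running it shows the route installed with distinct hub ASes or with as-override, dropped with the same AS and no override, and still dropped at a second 65004 site until allowas-in is set there.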