We are currently using Nortel Contivity VPN devices between London and International Offices.
Unfortunately the Service Provider has let us countless times and we are now putting in a leased line between one of the branch offices and London.
The attached diagram show the setup we will have. There is no dynamic routing protocol runing in the international branch offices.
The london Office has OSPF running on the LAN between its London sites.
The VPN devices are running a meshed configuration using RIP and a secure tunnels between each of the offices.
All the internet traffic from International offices comes into London.
Obviously implementing the leased line would mean that any traffic destined for other international offices would have to go via london.
1. We are running OSPF on the London LAN what issues will we have if we run ospf on the cisco router in the branch office or is it best to make is point to point link and redistribute statis into OSPF once in london.
2. The question is which link do we make primary , the leased or the Nortel VPN connection. Not sure how to measure the traffic going from the branch to other internal offices.
3. Can HSRP be implemented. Not sure if the Nortel's do HSRP.
3. Does any one have a sample configuration for the 2600 in this scenario ?
1. In a scenario such as yours, in which you have one branch office router directly connected on a P2P link to a core router, you can indeed use a static route at both ends and redistribute that static into OSPF at the core and be done with it.
Of course, some seasoned routing professionals may go ballistic when they hear "static." :-) But the truth is that it is an option.
Now, it also depends on the future network topology and business requirements of your organization and whether you want to incorporate redundancy at the core, WAN load balancing, injection of external routes from the branch ends into the core, etc. If so, you may come to the conclusion in the future that placing all your branch offices in an OSPF stub area or NSSA (if you want to inject external routes into the OSPF domain), and deploying a dynamic load sharing and redunadnacy scheme with multiple WAN routers at your WAN edge may be the way to go.
2. You have to first analyze the traffic load on the link and take into consideration the bandwidth of the leased line you are going to buy. The advantage of the leased line is that it offers data privacy and integrity without all the overhead of running a VPN connection. A P2P link is also an appropriate primary link if the traffic load from the remote site is constant and substantial.
3. HSRP is a first hop/default gateway redundancy mechanism. Where are you planning on running HSRP? HSRP is also Cisco proprietary, so, no, other vendors do not support HSRP.
4. What kind of sample configuration are you looking for? The P2P link with the static route? Dynamic routing?
3) As Victor notes, HSRP is proprietary, so very doubtful Nortel can do it (or the newer GLBP). However, VRRP might be an option.
Without VRRP, you could consider using a proxy gateway to maintain host outbound redundancy. Other issues arise using it.
2) Depending on routing options between Nortel VPN and Cisco, you might even be able to control how the leased lined is used relative to VPN. I.e., doesn't have to be an all or nothing deal, although could get rather complex.
Don't know what traffic analysis Nortel VPN offers, but if they supported something similar to Cisco's Netflow, you could compile a picture of your how much and where your traffic flows.
This would be an option if you initially force all traffic to take the leased line where you could obtain this information from either Cisco router. With it in hand, you could decide whether the effort is warranted to prefer the VPN for some traffic destinations.
(You didn't mention where the remote office is relative to London and other international offices. Generally, if close to London, probably little loss to transit London, but if far from London, VPN might be considerably better for some other destinations. Also not mentioned is relative bandwidths.)
1) Your could do either static or OSPF. The real issue is more how you redistribute routes to/from the remote office, via London OSPF and VPN RIP; and between the Cisco router and Nortel VPN at the remote office, especially if you intend to be able to continue to use the VPN at the remote office with the new leased line.
Since it appears the Nortel VPN boxes support OSPF, there might be benefit to extending OSPF not only across the leased line, but also between the remote Cisco router and Nortel VPN. Still questions about redistribution.
If might help your understand my response to question #1, to visualize your remote office, by extending OSPF across the WAN link, logically the remote office would become somewhat like Sites A and B, routed on one side with OSPF, and also connected to the RIP VPN mesh. (I.e. imagine the 2600s and WAN links were just a LAN link to the Nortel VPN.)
"Since it appears the Nortel VPN boxes support OSPF, there might be benefit to extending OSPF not only across the leased line, but also between the remote Cisco router and Nortel VPN. Still questions about redistribution."
I wouldn't incorporate the VPN box to the OSPF domain. Nortel's implementation of OSPF is different than Cisco's and doing so would introduce unnecessary complexity with little benefit. Static routes for VPN when used as a failover is much more sensible.
1. I think OSPF would be good to configure on the Cisco Router but not too sure on the Nortel and what affect it will have especially for Nortel as its running RIP between the tunnels.
Also how will routing be affected in London if one of the link fails at the branch ?
P2P would be the last resort.
Load sharing is not something we want to implement.
2. I have SNMP configured on the Nortels but is not giving any info for the tunnels :(
Branch office is in paris other offices at in ME.
3. Redundancy with VRRP would be good as mentioned by Joseph although I am not sure if it does interface tracking as I havn't used it before does it ?
4. Both sample configuration would be good Victor !
1. "1. I think OSPF would be good to configure on the Cisco Router but not too sure on the Nortel and what affect it will have especially for Nortel as its running RIP between the tunnels."
I agree. Adhere to the KISS principle. :-)
"Also how will routing be affected in London if one of the link fails at the branch ?"
Of course, if you lose your OSPF P2P link, if you are running VRRP between the Nortel and the Cisco branch router, the traffic will default to the Nortel.
3. "Redundancy with VRRP would be good as mentioned by Joseph although I am not sure if it does interface tracking as I havn't used it before does it?"
Yes, it does. its called "object tracking."
PLEASE rate my posts if they have been helpful.
Nortel's implementsation of VRRP SHOULD include object tracking, since this is an open standard, not proprietary. Sometimes there is a nuanced difference between the way different vendors implement an open standard, but general features should exist. Otherwise, they are simply not comforming to the standard.
I dont have any of your active configs for the core side (Area 0) that face the international "spoke" router. But suffice it to say that the configs would be pretty straightforward.
Let's assume -- rather arbitrarily for example purposes -- that your IP address range for your international sites is within the 10.136.0.0 255.255.255.0 range and that you create an NSSA area known as Area 32 with secure routing (authentication) for all international sites.
You can configure your core router for something along the lines of...
no ip address
atm lbo long
no atm ilmi-keepalive
interface ATM3/0.1 point-to-point
ip address 10.136.0.6 255.255.255.252
ip ospf message-digest-key 172 md5 Dubai
vbr-nrt 1905 1905 1
router ospf 2004
area 32 authentication message-digest
area 32 nssa no-summary
network 10.136.0.4 0.0.0.3 area 32
Then you have the Dubai Router:
no ip address
encapsulation frame-relay IETF
no arp frame-relay
no frame-relay inverse-arp
interface Serial0/0.1 point-to-point
ip address 10.136.0.5 255.255.255.252
ip ospf message-digest-key 172 md5 Dubai
frame-relay interface-dlci 52
router ospf 2004
area 32 authentication message-digest
area 32 nssa no-summary
network 10.136.0.4 0.0.0.3 area 32
This is a typical FRF.8 implementation: ATM on the core and Frame Relay at the spoke. Of course the core router will have a connection to Area 0 and will indeed be your ABR for NSSA 32.
This is just one way to do it. You can go with an MPLS cloud in between the core and remote sites, etc. Im just giving you a sample config.
Please rate my post if you found it helpful.
Regarding the question of OSPF and Nortels, how are the Nortels known to OSPF that are attached to London's Site A and Site B? In other words, how does the OSPF domain know about Moscow, Paris and Dubai, and they know about London and its two tunnel connections?
My thinking was you make Paris much like Site A or B. Either it becomes part of Site A OSPF area or it could be become a new area with a virtual link to area 0.
"Either it becomes part of Site A OSPF area or it could be become a new area with a virtual link to area 0."
You never want to create a virtual link to OSPF Area 0 as a permanent solution or as part of a permanent design! Thats a very poor design and is also highly discouraged by Cisco.
The VPN sites are configured with two IPSec tunnels, one terminated at Site B (primary) and one at Site A (backup). Sorry labeled wrong on diagram.
The Nortel Contivity advertises the remote VPN sites using RIP v2. The Services switch located at Site A and one at site B are configured to perform mutual redistribution between RIP and OSPF routing protocols to ensure full reachability between sites.
Ah, then the fact is your already have your two London Nortel VPN boxes run OSPF with Cisco suggests you should be able to do the same at Paris. Depending on how you cost the various redistributions, you can chose what will be the primary path to/from Paris for all other sites. I would expect you would want London to use the new link and all other sites continue to use the VPN connections. You will also have an alternate path between London and all your other sites if in the unlikely situation both London Nortel VPN boxes fail.
Victor, raises the concern about usage of a OSPF virtual link being a "very poor design" and "highly discouraged by Cisco". I'm unaware of this, since for example, such is not mentioned in:
To clarify, I'm not recommending you use virtual links, just that it's an option. What I was suggesting was Paris, more or less, be treated as you do Site A and Site B, i.e. that it be incorporated into your OSPF domain, and that there is redistribution between the Paris VPN Nortel box and OSPF.
"Victor, raises the concern about usage of a OSPF virtual link being a "very poor design" and "highly discouraged by Cisco". I'm unaware of this, since for example, such is not mentioned in: "
Hate to sound pompous, but this is fundamental. It is mentioned in the gospel of routing: Doyle's Routing TCP/IP, an industry standard. Its all over other documentation, too.
And to clarify, it is not the use of virtual links that is discouraged, as you write, it is the PERMANENT use of them as a design methodology that is discouraged.
With apologies to Jaya, and others, as Victor and I go a bit off topic.
For those without a copy of Doyle's "Routing TCP/IP Volume I" book (highly recommended), my first edition copy has on page 466:
"Virtual links add a layer of complexity and troubleshooting difficulty to any internetwork. It is best to avoid the need for them by ensuring areas, particular backbone areas, are designed with redundant links to prevent partitioning. When two or more internetworks are merged, sufficient planning should take place beforehand so that no area is left without a direct link to the backbone.
If a virtual link is configured, it should be used only as a temporary fix to an unavoidable topology problem. A virtual link is a flag marking a part of the internetwork that needs to be reengineered. Permanent virtual links are virtually always a sign of a poorly designed internetwork."
I suspect, the foregoing, is what Victor has in mind with his reference Doyle.
I too mainly agree with Doyle's opinion, but I don't believe even what Doyle writes precludes usage of virtual links in all cases. I also draw an important distinction between planning and initial designing, and between making something work within existing constraints, which I believe a careful reading of the above also supports.
Where I might differ with Doyle, and likely Victor, is on the question of whether a virtual link could be used permanently. Doyle mentions "temporary fix", but one should consider the actual risk of the "temporary fix" vs. the cost of implementing a better "permanent" solution. For instance, if we really wanted to insure Paris was its own OSPF area, we could connect the 2600 directly to the area 0 backbone, avoiding the need for a virtual link, unknown how difficult or costly this would be within the existing physical topology. We also need to consider the size of this area, which considering there currently isn't local Paris routing, would infer small.
Another better question might be, do we even want a 2600 to be an ABR, and Paris its own OSPF area, regardless of direct connection or virtual link? This, to me, is even more crucial. I would lean toward just including Paris as a member of the OSPF area it's attached to, but I since don't know all the other considerations with the current OSPF design and the redistribution model, I couldn't recommend either approach. I've only suggested possible "how to's".
Victor, as to your concern about sounding pompous, perhaps only in the degree of something being "fundamental". Much of network engineering, and its applied art, is based more on "it depends" than on "always" or "never".
We might also differ where you take Doyle as "gospel of routing" (perhaps Cisco too), I'm more of a "trust but verify" person. I often find, even when the information was accurate at the time when it was published, with progression of technology, it may no longer pertain or have been superseded. Even when accurate, you need to fully understand its application; often demarcations can be nebulous. Examples of the latter: How many hosts should a subnet contain? How many routers should be in an OSPF area? So, if you say, this book or vendor or industry says NEVER have more than 254 hosts in a subnet or 30 routers in OSPF area, that might indeed sound pompous even if correct for the instance at hand. Personally, I haven't found any book, any vendor or even the whole industry omniscient.
I respect and appreciate your due diligence. It's what separates the average from the exceptional.
But we did not go off topic at all. We both made recommendations to someone and we disagreed a bit on some of what each of us was saying, so we debated it. Thats what this is all about: having a healthy discussion and debate for the sake of striving toward excellence.
And you, my friend, are excellent. :-)
So there is no need to apologize to anyone, as Jaya, Im sure, has benefied even more by "listening" to us express our remarks.
Victor, thank you. Totally agree about "striving toward excellence" and the benefit of debate while doing so.
I recall, many years ago, something in an IEEE pub (I think) about the difference between a "good" solution and an "elegant" solution. A "good" solution was any that worked correctly to solve the problem at hand. An "elegant" solution was one that, besides also correctly solving the problem, was when others see it they go "ah" or "wow".
I strive for "elegant", but I'm lucky if I even get to "good". ;)
Oh, and I forgot to mention I'm not omniscient either. "More heads is better than one", is something which makes these forums so valuable, not to mention how knowledgeable some of the posters are. Reading their replies is very educational.
you cant use HSRP, as HSRP is Cisco properitary (Gateway redundancy protocol).
Instead you could implement VRRP, make the Nortel as primary and the lease as Backup. or vice versa based on your link's capacity.
(I've assumed that because you have 2 links in the rip domain connected to London Office).
As for redistribution, In this situation make sure you make single point of redistribution to avoid routing loops. redistribute RIP into OSPF in SITE-A , dont do the same for SITE-B. at the same site-A , do the same by redistributing ospf into rip.
Hope this helps,
Could you pls clarify more, how currently you setup your network?
I mean (Site-A) and (Site-b) in Which OSPF areas, and are you utilizing both wan links on the rip domain?
Also, what is the current config between site-b 2600 & branch office 2600 router?
Pls clarify more your current setup and config?
The previous posts will answer some of your questions also I have provided an ospf diagram provided.
The primary VPN device is located in Site B and backup at Site A. The traffic comming into the London sites are load balanced based on reachability.
The VPN device at each site in London connects to a services switch 3750 which has RIP and OSPF routing configured. Where RIP routes advertised from the VPN are distributed into OSPF.
The cisco 2600 routers are still to be configured when the leased line goes in.
Ok, I have attached your Diagram with some modification.
I have done this keeping in consederation that Rip is used and both Wan links are utilized for load balancing and redundancy.
bellow are the steps I made:
1- I made the lease line site-b 2600 router the ABR.
2- I made Sit-A Nortel and Site-B Nortel as ASBR routers, since they both should allow
redistribution for full reachability.(Ensures reachability and redundancy incase of any failure at the RIP Wan Link).
3- when redistributed RIp into OSPF on ASBR-1 , I will set a tag and deny it when I redistribute back OSPF from ASBR-2 to the RIP. (To avoid routing loop).
4- I will repeat step 3 for the same manner on ASBR-2.
5- For Suboptimal routing, I will ensure both ASBR-1 and 2, are prefering the RIP
direct routes to Nortel by modifying RIP AD value to lower than OSPF.
6- For redundancy and incase of the Lease Failure on 2600 site-b router, I will create
a tunnel between ASBR-1 to the ABR , and ASBR-2 to the ABR,since I cant create
a virtual link over Stub area, those tunnels will ensure and maintains connectivity
to Area 0 between ASBR-1,2 to the ABR.
I would like to hear from you & Joseph your comments.
Have you seen the other OSPF diagram ?
We are not looking to make a make such a drastic configuration change in London or Paris and we are not ready to introduce OSPF in Paris as yet possibly at a later date.
At the moment we want a simple redundancy solution to enable users in Paris continue working without major distruptions.
Ideally we want to keep things simple as possible with minimal downtime.