One of clinets wants to setup the site-to-site VPN router in the HQ for the remote sites WAN backup. I am attaching the network digram.
R1 is the internet router in HQ.
R2 in HQ is the WAN router connected to all the remote sites via MPLS
R4 in remote site is the WA router connected via MPLS. We have about 50 locations.
In the current network layout, R2 communicates to R4 via BGP protocol, R1 to ASA and ASA to R2 are running static routing protcol.
Client wants to terminate the VPN on the router R3 in HQ and terminate all VPN on the remote site router R4 so they have L2L VPN for the WAN backup. Also, they want to elimate the static route on the R2, ASA and R3, and run dynamic routing.
1) My plan is to run BGP and IPSec GRE tunnel between the routers R3 and R4 (remote sites), and setup the low weight in the BGP to make the VPN as the secondary connection, and the WAN MPLS higher weight in the BGP on the router R4 since the WAN is already running BGP. Is it best way to setup the routing?
2) If elimating the static route, and ASA is not support BGP, what is the better routing should run on R3, ASA and R2? EIGRP or OSPF? Please advise.
Solved! Go to Solution.
There are some things that are not clear to me, but let's discuss and something good has to come up
1. From the drawing R4 has only one connection to the MPLS cloud. Over this connection your run a BGP with R2 (iBGP or eBGP ?).
"...and setup the low weight in the BGP to make the VPN as the secondary connection..." VPN is a logical connection, if you lose the physical connection to the MPLS cloud, the BGP to R2 and the VPN will be down. I don't understand this sentence. The secondary connection to what?
Maybe you can clarify a little bit.
2. I would go with OSPF.
I know there will be voices to say EIGRP because this and that arguments, but I'm speaking from the experience that I had. If you don't need any particular feature of EIGRP, go with OSPF as OSPF is cross-vendor compatible. If you'll be in the same place as I was and need to change that ASA with another provider equipment, you'll not be force to reconfigure your routers, as OSPF is supported on all L3 capable devices.
This my humble opinion. Please help clarify point 1.
Thank you for answering my questions.
1. We are runing eBGP on the R4 to the MPLS clound. The goal is when the MPLS connection is down on the R4, the VPN connection is kicked in as the backup connection.
2. We are Cisco shop, if running EIGRP on the R3, ASA and R2, it is not a scalable network. To choose the routing protcol, is it based on the # of the router and # of the routes?
1. OK, got it. Then no matter what protocol you use for the VPN connection you have to assure that is has worst metric or the routes through VPN are less preferred. Just as an example what I implement for a client in the past. Over the MPLS I configure the BGP to receive full prefix tables and over the VPN just a default route. Due to longest match being preferred, the only time when the default route was used is either when the BGP over MPLS was down and had not other choice, or in the case that a certain prefix was not received from the peer over MPLS. Just and idea.
2. You said that you have aprox 50 location. This will not make a difference between EIGRP and OSPF. Just think of this. If you for any reason need to use unequal load-balancing then go with EIGRP as OSPF does not support this feature. At the bottom line, use the protocol that you are more familiar with. It will make a difference if you have to troubleshoot yourself possible issues.
I really like the idea you setup on BGP for the VPN as backup connection for your client. Do you mind you can provide me the sample configuration? I would appreicate it.
I did this some years ago and I don't have to that document to copy / paste, but here are the steps and if you have issue with configuration itself, let me know here on a private message and I will help.
1. Do you get the full BGP table from the peer over MPLS connection?
YES -> you can proceed
NO -> you / we have to think to another solution
2. Establish a VPN over Internet connection between R3 and R4
You need R3 with public IP with ASA firewall open for the ports / protocol for VPN
Or you need to NAT inside a Public IP on ASA or somewhere to the IP address of the R3.
This depends entirely of your topology
Of course another accessible IP from the Internet on R4. The rule is that R3 and R4 endpoint IP addresses have to be reachable over Internet, not over BGP through MPLS!!! If the endpoints are know over MPLS BGP, then you solve nothing as when the BGP goes down the VPN goes down
3. Establish a dynamic routing protocol over VPN tunnel with whatever protocol you want. You can use BGP if you want.
4. Get the default route on R4 with the next hop R3. In BGP you can originate a default route (be careful that the route has to exist in your routing table to be advertised via BGP). If you use OSPF this does not require any default route in the routing table to originate it if you use the keyword "always"
You can use also EIGPR and then have a static default route on R3 which you redistribute in the EIGRP.
You can do it even simplier and have a static default route on R4 with next hop R3 and then you don't need Step 3.
I would not recommend this for production.
5. Check the routing table of R4. You should have the more specific prefixes with next hop R2 over MPLS BGP and a last resort route through R3
Please rate some of my posts if you find this useful. Thanks!
I am confused on the step 4 and 5. Assuming we establish BGP over the VPN tunnel, and run the EIGRP on R3, ASA and R2. Can you please provide me more details how the VPN will kick in when the primary MPLS cloud is down? By the way, how can we discuss in private message?
The EIGRP between R3 ASA and R2 has nothing to do with the BGP between the R3 and R4 over tunnel.
The EIGRP is use to propagate routes internally, let's say in the LAN / DMZ and at the most to propagate the end-points for the VPN tunnel of the R3 and R4.
The BGP is, let's say, transparent for ASA as for this device all traffic between R3 and R4 will be encrypted / encapsulated traffic in a tunnel.
On the R4 you will have a permanent default route obtain over the BGP (R3-R4), but this route will not be used as long as you have another BGP between R4 and R2 which is pushing the entire BGP table -> Do you understand what I'm saying with full BGP table?
I mean specific prefixes like just for example:
When R4 has to sent packet to a destination (again example) in the 184.108.40.206 /24 network will prefer the path over the R4-R3 instead of the default route for R4-R2 due to the fact that the longest match (e.g. /24) is preferred over /0 which is from the default route (0.0.0.0 /0).
Thank you Calin for the detailed explaination.
One last question, since ASA doesn't support BGP feature, and R2 and R3 in the different interface on the firewall , can we run BGP through the firewall between the R2 and R3?