07-09-2013 07:23 AM - edited 03-04-2019 08:25 PM
Here is my scenario:
I have 3 business units that I need to connect to my infrastructure in order to provide them access to our International WAN that will be coming into two of my data centers (a primary and a backup). These business units are not controlled by us, so I want to keep them separate and also force all of their traffic through a firewall. There will be two 'circuits' connecting us to the business units: MPLS into DC1 and IPsec VTI into DC2. I need to be able to fail over to the backup circuit automatically for each business unit.
My design has the following layout:
An MPLS circuit at each business unit on a new VRF for each business unit, terminating on an existing MPLS OC12 in DC1. Each business unit VRF has a subinterface on the OC12 associated with it. There is also a pair of Ethernet interfaces with a subinterface for each business unit with the associated VRF configured on it.
The MPLS 'VRF' interfaces are connected to a Palo Alto and the Palo Alto to a 6500 VSS core. The 6500 has a subinterface for each business unit as well and the same VRF configured for each business unit too. We have BGP established between the core and MPLS router via BGP address family for each VRF.
Up to this point everything is working.
The part that is not working is on the 6500: I need to import routes from the global routing table into each VRF routing table and export routes from each VRF routing table into the global routing table. The international WAN that each of these business units needs access to is part of the global routing table. They also need access to our internal LAN, which is part of the global routing table as well.
I also have a backup circuit for each business unit using IPsec VTI with the same basic setup using VRFs for each business unit, a Palo Alto, etc. (the only difference between the two setups is MPLS vs VTI for the WAN circuit). Since I have a backup circuit that I need to be able to fail over to automatically, I can't use static routes for import/export functions, as the static route will never go away and therefore we will never fail over.
Attached is a Visio of the planned VRF setup and International WAN, as well as the config I have in the MPLS router and core 6500 VSS.
I see the global route I am trying to import into the VRF table in the global BGP table, and I see the routes I am trying to export into global in the VRF BGP table.
Any help is much appreciated!
Kevin
07-09-2013 08:22 AM
You need static routing to leak between GRT and VRF.
07-09-2013 10:22 AM
What would the static route look like to leak 10.81.101.0/24 from the GRT to VRF? How does using a static to leak routes affect failing over to a backup automatically?
I did get this working in GNS3, however I realize that is not 'real life' and was not on a 6500.
Kevin
07-09-2013 10:42 AM
http://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
You can use tracking on the static routes to verify reachability.