I’M BACK!!! Let’s get right into it!
I have always been interested in automated failover techniques for networks. We pay all this money for expensive routers, switches, and firewalls, so these devices should provide multiple ways to make a resilient network. Well, we are lucky because they do! This project focuses on using MPLS as the primary way to communicate between branches. If the primary MPLS link fails, we should use the local broadband internet connection to make a site-to-site VPN back to the headquarters. I threw in a little twist with one branch and made it so it has NO broadband internet connection for failover. It challenges us to get clever with the design so that if the primary MPLS link dies at the HQ, the branch can still reach it and the other branches through its MPLS tunnel. For this, we brought in an ASA to act as a VPN concentrator in the provider network to redistribute routes into the customer's VRF. I hope you enjoy the challenge!
– Create simple MPLS network running OSPF internally using Process ID 1 and Area 0
– Share all needed backbone interfaces within the MPLS IGP domain to ensure full connectivity for all routed and routing protocols
– Create an iBGP relationship between all needed PE routers to make sure the solution will work (hint: you may not need a full-mesh iBGP). Use the AS numbers provided in the picture
– Source the BGP relationship from the loopback address of each PE router
– Send both standard and extended BGP community updates using the new format to all iBGP peers
– Create a VRF called “RED” to share all customer routes within the MP-BGP network.
– Create the following eBGP relationships:
○ CE1 <-> PE1
○ CE2 <-> PE2
○ CE3 <-> PE3
– Only customer facing interfaces and routes should be in the RED Routing table
– Use OSPF as the IGP for the HQ, Detroit, and Chicago networks
– Redistribute all learned BGP routes into the IGPs of all customer networks.
– Only allow Vlan10 of the Core switches to be redistributed into BGP at Detroit and Chicago
– When Detroit’s MPLS link fails, routes to the HQ and Chicago should go through the site-to-site VPN to HQ’s firewall.
– When HQ’s MPLS link dies, it should establish a site-to-site VPN to the Concentrator in the MPLS service provider cloud.
– Failover should be automatic, and the tunnel should come up on its own when traffic is generated for any site.
– When failback (MPLS link is restored) occurs, traffic should reroute to the MPLS link again. The site-to-site VPNs are for failover only.
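As an added illustration of the Detroit requirements above (OSPF as the IGP, BGP redistributed into OSPF, and only Vlan10 of the Core switches allowed back into BGP), here is a CE2 configuration fragment. It is not the author's configuration from this post; the AS numbers, addresses, and the Vlan10 prefix 10.20.10.0/24 are constructed placeholders, since the real ones are in the attached picture and address list.

```text
! Added example, not the author's config: CE2 (Detroit) mutual redistribution.
! AS 65000 = provider, AS 65002 = Detroit, 10.2.0.1 = PE2's VRF RED interface,
! 10.20.10.0/24 = Core switches' Vlan10. All values are constructed placeholders.
!
! Whitelist: only the Vlan10 subnet may leave Detroit toward the PE.
ip prefix-list VLAN10-ONLY seq 10 permit 10.20.10.0/24
!
! The implicit deny at the end of this route-map also stops routes that
! arrived via BGP and were redistributed into OSPF from looping back into BGP.
route-map OSPF-TO-BGP permit 10
 match ip address prefix-list VLAN10-ONLY
!
interface GigabitEthernet0/0
 description Link to PE2 (MPLS)
 ip address 10.2.0.2 255.255.255.252
!
interface GigabitEthernet0/1
 description Link to Detroit Core switches
 ip address 10.20.1.1 255.255.255.0
!
router ospf 1
 router-id 10.20.1.1
 ! Only the LAN side participates in the IGP; the PE link stays out of OSPF.
 network 10.20.1.0 0.0.0.255 area 0
 ! Everything learned from the MPLS cloud is handed to the IGP.
 redistribute bgp 65002 subnets
!
router bgp 65002
 bgp log-neighbor-changes
 neighbor 10.2.0.1 remote-as 65000
 address-family ipv4
  neighbor 10.2.0.1 activate
  ! Vlan10 is the only prefix advertised into VRF RED.
  redistribute ospf 1 route-map OSPF-TO-BGP
 exit-address-family
```

Verify with `show ip bgp neighbors 10.2.0.1 advertised-routes` that only 10.20.10.0/24 is sent, and with `show ip route ospf` on a Core switch that the remote sites appear as O E2 routes.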
The address list is attached to this post along with the topology. I used 7200 Series routers for this design with an Advanced Enterprise image for the routers and 8.4(2) code rev for the ASA.
Andrew (irc name – anetnerd)