Thursday, June 6, 2019

MPLS failover over VPN in a bad network design

Hi gents,

I'm working to find a solution on this topic, trying to keep the complexity as low as possible:

This is the layout:

https://imgur.com/a/3OJh9ph

I have a branch office provided with Internet and MPLS connectivity, and I need to fail over to an Internet VPN if the MPLS link goes down.

The remote branch office LAN needs to reach all the HQ subnets.

On the branch firewall I have the default route pointing to the MPLS router, tracked with an IP SLA that removes all its associated routes if the link goes down; at this point the VPN kicks in and traffic now flows into the VPN tunnel.

The problem comes in getting the traffic back from the VPN to the branch, because some of the subnets (VLAN 8, 20) use the core switch as default gateway, which has a static route for the branch subnet pointing to the MPLS router.

The VPN instead terminates on an ASA firewall, which can route the traffic back for its connected subnet (e.g. VLAN 153, because of the lower AD) but not for VLANs 8 and 20; those get routed to the MPLS router in any case, because of the static route.

Any suggestions to accomplish the desired configuration?

My best idea right now is to start an IP SLA on the core switch that removes the default route to the branch in case of failure (pinging the branch firewall through MPLS) and let the ASA announce the route learned from the VPN via OSPF.

Otherwise I can decide to overload all traffic coming from the branch onto an unused NAT IP when it comes from the VPN, but in that case I get a big management overhead (ACLs and so on) and a big loss in accounting, besides making the network design filthier.

Also, I can't do VTI with BGP and IP SLA directly on the ASA firewall, because of the multi-context setup.

Any suggestion would be appreciated,

If something is missing or unclear, please ask; I've tried to keep the explanation brief.

Edit: schema revision
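
As an added example (not part of the original post, and not the poster's running config), here is what the core-switch IP SLA idea plus the ASA-side OSPF announcement could look like in Cisco IOS and ASA syntax. Everything numeric is an assumption made for illustration: the branch LAN as 192.168.50.0/24, the branch firewall's MPLS-facing address as 10.255.0.2, the core switch's MPLS-facing SVI as VLAN 900 / 10.1.1.1 with the MPLS router at 10.1.1.2, the core-to-ASA transit as VLAN 153 / 10.153.0.0/24 (VLAN 153 is the only one of these names taken from the post), and SLA/track/OSPF object numbers of 10 and 1. Interface names and the ASA crypto map name are likewise placeholders.

```cisco
! ===== Core switch (Cisco IOS) - added example, all addresses assumed =====
! Probe the branch firewall's MPLS-side address from the SVI that faces the
! MPLS router, so the probe tests the MPLS path and not just the local link.
ip sla 10
 icmp-echo 10.255.0.2 source-ip 10.1.1.1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
! Dampen flaps: declare down after 10 s of failures, back up only after
! 30 s of continuous success.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Pin the probe target to the MPLS next hop. Without this host route the
! probe would, after failover, reach the branch through the VPN, the track
! would come back up, the tracked route would be reinstalled and traffic
! would flap back onto the broken MPLS path.
ip route 10.255.0.2 255.255.255.255 10.1.1.2
!
! Branch LAN via MPLS; withdrawn automatically while track 10 is down.
ip route 192.168.50.0 255.255.255.0 10.1.1.2 track 10
!
! OSPF adjacency with the ASA on the transit VLAN. While the static route is
! installed it wins (AD 1 < 110); once withdrawn, the route the ASA announces
! takes over, so VLAN 8 and 20 hosts (default gateway = core) follow the VPN.
router ospf 1
 router-id 10.153.0.2
 passive-interface default
 no passive-interface Vlan153
 network 10.153.0.0 0.0.0.255 area 0

! ===== ASA (shown as a single context) - added example =====
! Reverse Route Injection installs a route for the crypto map's remote
! network; redistributing statics into OSPF advertises it to the core.
crypto map OUTSIDE_MAP 10 set reverse-route
!
router ospf 1
 network 10.153.0.0 255.255.255.0 area 0
 redistribute static subnets
```

Two things to check after applying something like this: `show track 10` and `show ip route 192.168.50.0` on the core switch with the MPLS side unplugged (the static should disappear and an OSPF external route via the ASA should appear), and `show ip sla statistics 10` to confirm the probe is actually failing rather than silently succeeding over the VPN. Note also that with a static crypto map the ASA installs the RRI route as soon as the crypto map is applied, not only when the tunnel is up, so in this design it is the tracked static on the core switch, not the OSPF advertisement, that decides which path is used; the ASA's advertisement merely has to be present when the static is withdrawn.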


