topic Re: OSPF, VPN, routing and distribution in General Topics

OSPF, VPN, routing and distribution

jessica-davis — Wed, 26 Sep 2018 21:03:29 GMT

I'm trying to solve a routing conundrum to improve a remote site and provide redundancy, and hoping others may have some solutions. The short version is that we have the remote site with basic commodity internet using VPN to connect back to two datacenters. The datacenters in turn have direct links to each other, and all are running OSPF.

The issue - datacenter 1 and datacenter 2 use area 0 for all inter-site connections. When adding the remote site to this with the VPN connections, everything appears fine, but if there is a disruption to the link between datacenters, the remote is advertising the routes between them. In testing, even though everything was theoretically clear we experienced issues as the remote advertised the paths to each other, causing issues with communications between the datacenters.

I tested with dedicating a stub area for the VPN tunnels to the remote, however, it appears that we lose inter-area OSPF when this is done and you can't define an OSPF redistribution rule for OSPF, so everything known behind the datacenter palos is lost.

Below is a simplified diagram of the network with placeholder IPs:

Re: OSPF, VPN, routing and distribution

OtakarKlier — Thu, 27 Sep 2018 14:20:09 GMT

Hello,

The way we solved our issue with this is to weight the OSPF links to the DR data center to force the connection. We made the remote office also area 0 to keep things simple and not have issues with LSA's. so our primary link is the default and we made the cost of the DR link much higher, like 10000 or if it was the 3rd backup link 20000.

Hope that helps!

Re: OSPF, VPN, routing and distribution

jessica-davis — Thu, 27 Sep 2018 17:09:49 GMT

That does help a bit to make sure that it isn't a preferred route under normal conditions. The problem I'm looking at is that in the case of loss of the MPLS connection between DC1 and DC2, the DCs see a route through the remote site to each other. Suffice to say, the remote site doesn't have the bandwidth to handle DC to DC traffic. Even setting the metric to max (65535) and the priority to max (255), if I cut that link in the lab the two DCs route through the VPN. The preference would be that the DCs not be able to see each other through the remote.

Re: OSPF, VPN, routing and distribution

OtakarKlier — Thu, 27 Sep 2018 17:41:03 GMT

We had the same concerns. How about a VPN tunnel between the DC's as a backup to the MPLS? That was our solution. That way it uses the internet circuit and not the remote offices.

Re: OSPF, VPN, routing and distribution

rmfalconer — Thu, 27 Sep 2018 21:30:23 GMT

Are the data center OSPF devices PAs also?

When you tried creating the branch as a stub, what did you configure on all devices?

Re: OSPF, VPN, routing and distribution

jessica-davis — Mon, 01 Oct 2018 15:16:23 GMT

The data center devices are also Palos, and there are other areas, as well as some BGP going on behind them (the diagram is drastically simplified). When I tested with the lab devices, I created a stub zone between the three, and found that it the DCs could still see each other through the stub and they stopped inter-zone advertising so the remote could only see what was in the area. At this point I'm looking into non-routing solutions (ie. VPN tunnel failover options, or feasibility of a single link for the remote) as I'm realizing that there may not be the tools available to manage this in Palo routing.

Re: OSPF, VPN, routing and distribution

OtakarKlier — Tue, 02 Oct 2018 21:11:47 GMT

Hello,

What about a VPN over the internet between the two PAN's. That way its always data center to data center traffic, MPLs is preferred but VPN is backup.

Thoughts?