How to not route certain traffic over certain links in OSPF?

01-13-2014 09:11 AM

Hello,

I have a single area OSPF network on my WAN that connects all of my remote sites and my primary and secondary datacenter on a layer 2 meshed WAN where everyone can talk to each other.

The connections are all low speed, except the connection between the HQ and secondary datacenter, which is 1 Gbps, and they push a lot of traffic due to replication and whatnot.

I have recently added VPN connections as backups from each remote site back to both the HQ and secondary datacenter and will be adding them to OSPF as well.

The dilemma I have is that if the HQ or secondary site loses connectivity to the layer 2 WAN, I don't want them to find their way to each other via the VPN tunnels.

I can't use routing policy to do this, because I still need other routers on the network to know that they can route to and through the VPN tunnels to get to the HQ and secondary datacenters.

Is there a way to tell the HQ and secondary routers to never route to each other over the VPN links, but still let everyone else on the network know that the routers on the other side of those VPNs can get to the HQ and secondary sites? A bonus would be if we could make the HQ and secondary routers stop advertising routes for each other if the primary link goes down.

I've been studying this scenario like crazy and I'm a bit lost. Please help.

Thanks!

Edit - I'm assuming we need to apply an export policy to the forwarding table to stop the routing process from installing those routes into the forwarding table, but if those routes become active in the routing table and we block them from the forwarding table, will these routers still advertise the routes?

Re: How to not route certain traffic over certain links in OSPF?

01-13-2014 11:52 AM

Or should we just do this with firewall filters on the interfaces?

No HQ-bound traffic out of the secondary VPNs

No secondary-bound traffic out of the HQ VPNs

No source HQ, destination secondary (and vice versa) out of the VPN interfaces on the remote site end.

That will work, but is it ideal, since the routes will still be there and the connections will still be attempted? And any UDP will flow through some of the links freely until it's dropped?

Thanks!

Re: How to not route certain traffic over certain links in OSPF?

01-13-2014 04:32 PM

Problem simplified:

Can LSAs for routes with certain next hops not be advertised?

Solution (accepted by topic author mmartin, 08-26-2015 01:27 AM)

Re: How to not route certain traffic over certain links in OSPF?

01-13-2014 08:37 PM

In the end, I'm probably a bit slow. So many other things going on in this design, I realized I should just police traffic going onto the VPN so that the traffic I'm worried about saturating it if all other links fail won't take up all the bandwidth.

Done!

Thanks.
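The policing approach the topic author settled on, written out as an added Junos configuration fragment (this is not the author's own configuration). It assumes the backup traffic leaves the HQ router on a GRE tunnel unit named gr-0/0/0.0, that the HQ prefix is 10.10.0.0/16 and the secondary datacenter prefix is 10.20.0.0/16, and that 2 Mbps is the cap; every one of those names and values is a placeholder. The filter only touches HQ-to-secondary traffic, so remote-site traffic heading to HQ over the same tunnel is untouched.

```junos
firewall {
    policer replication-limit {
        /* Cap HQ-to-secondary traffic on the backup path; rate and burst are placeholders */
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 256k;
        }
        then discard;
    }
    family inet {
        filter police-dc-replication {
            /* One policer instance per interface the filter is applied to, not one shared token bucket */
            interface-specific;
            term hq-to-secondary {
                from {
                    source-address {
                        10.10.0.0/16;
                    }
                    destination-address {
                        10.20.0.0/16;
                    }
                }
                then {
                    policer replication-limit;
                    accept;
                }
            }
            /* Everything else, including remote-site traffic, passes unpoliced */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    gr-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output police-dc-replication;
                }
            }
        }
    }
}
```

The same filter goes on every backup tunnel unit at HQ, and the secondary datacenter router gets a mirror image with the source and destination prefixes swapped. Without `interface-specific`, one policer referenced from a filter applied to several interfaces shares a single token bucket across all of them, so the cap would be aggregate rather than per tunnel. A policer discards rather than queues: TCP replication backs off to the cap, and any UDP above it is simply dropped on the tunnel, which matches the behaviour the earlier reply was worried about but bounds it.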

Re: How to not route certain traffic over certain links in OSPF?

01-14-2014 05:06 PM

Maybe just a note here: if I understand correctly, you'll be running OSPF on both physical and tunnel interfaces. Just pay attention that you may have "recursive routing" problems, meaning the tunnel destinations (the physical/loopback addresses) are learned from OSPF via the tunnel itself.

The result of this recursive routing problem is that the tunnels will flap up/down.

Good luck,

Costi

Re: How to not route certain traffic over certain links in OSPF?

01-30-2014 09:22 PM

It worked well when implemented. First, I had to run GRE tunnels over the VPN tunnels because I couldn't apply firewall filters to the VPN tunnels. I tried IPIP for less overhead at first, but it wouldn't carry the multicast traffic for OSPF.

I used static routes to ensure the VPN tunnels established on the correct connections and then statics to ensure the GRE tunnels established on those VPN tunnels. Then I ran OSPF on the tunnel endpoints. I haven't had any issues yet and everything fails over correctly.

I also learned that my original question has an answer:

I labbed everything and found that I can set an OSPF import policy to reject routes based on specific next hops:

    from {
        protocol ospf;
        next-hop x.x.x.x;
    }
    then reject;

That seemed to work okay, but the policers were a much better solution since it allows me to still use some of the bandwidth to pass the traffic that I was worried about saturating the link.
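The tunnel layering and the next-hop import policy described in this post, as an added Junos configuration fragment for the HQ router (not the topic author's own configuration). It assumes a route-based IPsec VPN already terminating on st0.0 with the IPsec peer at 203.0.113.20 reachable through the internet-facing next hop 198.51.100.1, GRE endpoints on loopback addresses 10.255.1.1 (this router) and 10.255.1.2 (far end), 10.254.1.0/30 on the GRE tunnel, ge-0/0/1.0 as the layer 2 WAN interface, and 10.20.0.0/16 as the secondary datacenter prefix; all of those names and addresses are placeholders. The two static routes are what keep the tunnel endpoints off the tunnels themselves, which is the recursive-routing flap Costi warned about above: a static route (preference 5) always beats an OSPF route (preference 10) to the same endpoint, and neither the internet-facing interface nor st0.0 is in the OSPF area at all.

```junos
routing-options {
    static {
        /* IPsec peer is reachable only via the internet-facing link */
        route 203.0.113.20/32 next-hop 198.51.100.1;
        /* GRE far endpoint is reachable only via the IPsec tunnel; preference 5 beats OSPF's 10 */
        route 10.255.1.2/32 next-hop st0.0;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 10.255.1.1/32;
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
        }
    }
    gr-0/0/0 {
        unit 0 {
            tunnel {
                source 10.255.1.1;
                destination 10.255.1.2;
            }
            family inet {
                address 10.254.1.1/30;
            }
        }
    }
}
protocols {
    ospf {
        import reject-secondary-via-tunnel;
        area 0.0.0.0 {
            /* Layer 2 WAN is the primary path at the default metric */
            interface ge-0/0/1.0;
            /* GRE over IPsec is the backup path; high metric so it only wins when the WAN is gone */
            interface gr-0/0/0.0 {
                metric 1000;
            }
        }
    }
}
policy-options {
    policy-statement reject-secondary-via-tunnel {
        /* Drop the secondary DC prefix from this router's table when its next hop is the far end of the backup tunnel */
        term secondary-dc-over-tunnel {
            from {
                protocol ospf;
                route-filter 10.20.0.0/16 orlonger;
                next-hop 10.254.1.2;
            }
            then reject;
        }
        term everything-else {
            then accept;
        }
    }
}
```

The import policy answers the original question in the narrow sense: it only controls which OSPF routes this router installs in its own routing table, the LSAs themselves are still flooded unchanged, so the remote sites keep learning that HQ is reachable through their tunnels. The cost is that when the layer 2 WAN is down the HQ router then has no route to 10.20.0.0/16 at all and that traffic is dropped, rather than rate-limited, which is why the policer approach above was the better fit here. The secondary datacenter router gets the mirror image with the HQ prefix and its own tunnel next hop.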

Re: How to not route certain traffic over certain links in OSPF?

01-30-2014 09:24 PM

Oh sorry, I didn't get your comment the first time - OSPF isn't running on the physical interfaces that the tunnels peer on since those are internet facing links anyway.
