Site to Site VPN(Route Based) between two clusters
Hello,
Currently trying to bring up a route-based S2S VPN between my two sites, each of which has 2 GWs in ClusterXL, and, if possible, I'd like your help confirming this design.
This is based on this reference, but it kinda threw me off:
Also, I'm planning to use static routes, not dynamic routing. So, what's the next hop supposed to be?
I've attached an HLD for a better view of what I think I'm supposed to configure.
PS: I've already configured a VPN Community and a VPN Domain with an empty group, as required.
Thanks!
So what exactly is failing? Do you see phase 1 and 2 completing?
Andy
Nothing is failing since I haven't completed the config. My question is specifically regarding the VTIs when GWs are clustered. Please see the attached HLD.
ClusterA ClusterB
Gw1>>>>>>>>>>Gw1
Gw2>>>>>>>>>>Gw2
Ok, got it. Check out my post below about how this should be configured; though it's with Azure, it's similar.
Andy
If still not clear, let me know.
Thanks! The way I see it, based on the data you provided:
- Use a STAR community instead of Mesh (what I have configured; I figured Mesh since they're two clusters P2P). What about the whole Center/Hub-spoke thing in STAR? Will that have any impact?
- Use unnumbered VTIs.
- Static routes pointing towards the external interface.
1) That's right, star is fine; no, it should not have any impact.
2) You can use unnumbered VTIs, though I found that's probably more of a must if you use BGP, but even if you don't, it's fine. Just don't "freak out" when you see the VTI pop up with the SAME IP as the external interface; that's totally fine and expected, as it would "piggyback" off that interface.
3) Yes, BUT make sure when you create a route it points to the REMOTE subnet and the gateway (dg) is the actual VTI.
I mentioned all this in the post I referenced.
Andy
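As an added example (not from Andy's post or his Azure write-up), here is the Gaia clish configuration that the three points above describe, for the members of each cluster. The cluster object names (ClusterA, ClusterB), the external interface name eth0, tunnel number 1, and the subnets 10.1.0.0/24 and 10.2.0.0/24 are assumptions for illustration only; the peer name must match the peer cluster object's name in SmartConsole, which is also what Gaia uses to name the VTI (vt-ClusterB).

```clish
# Added example: ClusterA/ClusterB, eth0 and the 10.x subnets are assumed names, not from the thread.
# Run on BOTH members of ClusterA. The unnumbered VTI borrows eth0's address, so it shows
# the same IP as the external interface (expected, per point 2 above).
add vpn tunnel 1 type unnumbered peer ClusterB dev eth0
# Point 3: the static route targets the REMOTE subnet and its gateway is the VTI itself,
# not the peer's public IP and not eth0's next-hop router.
set static-route 10.2.0.0/24 nexthop gateway logical vt-ClusterB on
save config

# Mirror on BOTH members of ClusterB (peer name = ClusterA's object name).
add vpn tunnel 1 type unnumbered peer ClusterA dev eth0
set static-route 10.1.0.0/24 nexthop gateway logical vt-ClusterA on
save config

# Checks, from clish on the active member:
show vpn tunnels     # tunnel 1 listed as unnumbered, borrowing eth0's IP
show route           # 10.2.0.0/24 (or 10.1.0.0/24) via vt-<peer>
# Then in SmartConsole: Get Interfaces "Without Topology" on each cluster object so the
# new vt- interface is imported, and keep the VPN domain as the empty group so the
# routing table, not the encryption domain, decides what enters the tunnel.
```

Two things to check before pushing policy: the remote subnet route must not cover the peer's public IP, which still has to be reached through the normal default route or the tunnel can never be established; and the static route has to be present on every cluster member, since routes are per-member configuration, not synchronised by ClusterXL.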
Got it! And which one should be the center and which the satellite? What's the best practice? No SK mentions that!
Also, tunnel management and VPN routing?
I keep thinking that having two clusters on each site is somewhat different than with a 'cloud-based' peer lol!
Based on your Word doc, you placed AZURE as the satellite, but in my case, again, it's two clusters managed by the same SMS.
I guess in your case it should not matter, honestly... either one can be the centre. VPN routing? Well, are you doing any?
Below is a description of those options.
Andy
- To center only. No VPN routing actually occurs. Only connections between the satellite gateways and the central gateway go through the VPN tunnel. Other connections are routed in the normal way.
- To center and to other satellites through center. Use VPN routing for connections between satellites. Every packet passing from a satellite gateway to another satellite gateway is routed through the central gateway. Connections between satellite gateways and gateways that do not belong to the community are routed in the normal way.
- To center, or through the center to other satellites, to internet and other VPN targets. Use VPN routing for every connection a satellite gateway handles. Packets sent by a satellite gateway pass through the VPN tunnel to the central gateway before being routed to the destination address.
@speedbot33 Ping me any time privately if you need help; I respond to all messages.
Andy
Thanks a lot, Andy! I will take you up on that! Let me give it a go with what I've gathered so far and let you know.
Any time. I had someone else message me about it a few months back; I told the guy what to do and it worked right away. He was very grateful, as he told me he'd been trying to get it to work for 6 months, even had a TAC case about it, but nothing happened. But I get the situation... it's never easy to fix anything complicated like that unless you have a working lab; otherwise, you just keep guessing, and that's no way to really fix things lol
Andy
I've tried several times to boot up a virtual GW in EVE-NG, but to no avail.
Btw, I appreciate the heads-up on the VTI taking the external IP. After I pulled the interfaces WITHOUT topology, boom. This is my first foray into unnumbered interfaces with CP.
Try different NIC types; I always choose vmxnet, no issues.
Andy