Active/Standby Data Centre Network Design using GNS3/Virtualbox/JUNOS and Cisco – Part-4

See Part-3 of this design series for the work done so far.

In this tutorial, I am going to add vpn12745 on both the lahorir3 and karair3 PE routers. This is a stretched VPN, so it must be configured on both PEs (lahorir3 and karair3). vpn12745 will host the incoming routes from the subnets behind the virtual data centre firewalls. I will use eBGP between the karacf3/lahorcf3 Cisco ASAv firewalls and the karair3/lahorir3 PE routers inside vpn12745, so that the customer's offices can reach their subnets in their virtual cloud hosted in the Karachi and Lahore data centres.

I will add a second VPN, vpn12725, on both PE routers (karair3/lahorir3). This is again a stretched VPN and will carry the incoming routes from two locations of the customer's office (the PTCL Karachi and Lahore offices). These offices are connected through a WAN link provider to the PE routers (karair3/lahorir3). The customer uses their own routers (lahoregw1 and karachigw1) to establish eBGP connectivity to these PE routers in order to reach their subnets in the virtual clouds dc-lahore/dc-karachi, hosted in the Karachi and Lahore data centres.

As part of adding these two VPNs, I will also leak routes between them (vpn12725 and vpn12745) and filter the routes passing through them.

Final Topology


LAN users in the customer's offices in Lahore and Karachi are connected to the Layer-3 Ethernet switches (ESW1 and ESW2); I am using 3700 series switches in this design. R1 and R2 provide failover protection, so HSRP is used between R1 and R2. Similarly, the gateway routers karachigw1 and lahoregw1 also provide failover protection and run HSRP between them.

Once configured, the customer's routers lahoregw1/karachigw1 should be able to ping the relevant firewall interfaces in their data centres: karacf3 (dc-karachi interface, service vlan 102) and lahorcf3 (dc-lahore interface, service vlan 103).

So I will go through the following steps to build this out as discussed above.

1. Add the vpn12745 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the virtual data centre firewalls (karacf3/lahorcf3).

root@karair3> show configuration groups vpn12745 | display set 
set groups vpn12745 interfaces em3 unit 112 description vpn=12745
set groups vpn12745 interfaces em3 unit 112 vlan-id 112
set groups vpn12745 interfaces em3 unit 112 family inet address 10.236.7.169/29
set groups vpn12745 interfaces em3 unit 112 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.112
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.112
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.171
root@lahorir3> show configuration groups vpn12745 | display set 
set groups vpn12745 interfaces em3 unit 113 description vpn=12745
set groups vpn12745 interfaces em3 unit 113 vlan-id 113
set groups vpn12745 interfaces em3 unit 113 family inet address 10.236.7.177/29
set groups vpn12745 interfaces em3 unit 113 family mpls
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 0 then next term
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 from interface em3.113
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 0 then preference 4
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 2 then reject
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol direct
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol static
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 from protocol bgp
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 1 then accept
set groups vpn12745 policy-options policy-statement vpn12745-export-ce term 2 then reject
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 description vpn=12745
set groups vpn12745 routing-instances vpn12745 instance-type vrf
set groups vpn12745 routing-instances vpn12745 interface em3.113
set groups vpn12745 routing-instances vpn12745 route-distinguisher 65000:12745
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 vrf-table-label
set groups vpn12745 routing-instances vpn12745 routing-options auto-export
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 type external
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 authentication-key cisco123
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 export vpn12745-export-ce
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 peer-as 65119
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 neighbor 10.236.7.179

2. Add the vpn12725 layer-3 VPN on karair3/lahorir3 and establish eBGP peering with the customer's routers karachigw1 and lahoregw1.

root@lahorir3> show configuration groups vpn12725 | display set    
set groups vpn12725 interfaces em0 vlan-tagging
set groups vpn12725 interfaces em0 unit 117 description vpn=12725
set groups vpn12725 interfaces em0 unit 117 vlan-id 117
set groups vpn12725 interfaces em0 unit 117 family inet address 19.19.19.1/29
set groups vpn12725 interfaces em0 unit 117 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em0.117
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em0.117
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 19.19.19.2
root@karair3> show configuration groups vpn12725 | display set    
set groups vpn12725 interfaces em1 vlan-tagging
set groups vpn12725 interfaces em1 unit 116 description vpn=12725
set groups vpn12725 interfaces em1 unit 116 vlan-id 116
set groups vpn12725 interfaces em1 unit 116 family inet address 18.18.18.1/29
set groups vpn12725 interfaces em1 unit 116 family mpls
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 0 then next term
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 from interface em1.116
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 0 then preference 4
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 2 then reject
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol direct
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol static
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 from protocol bgp
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 1 then accept
set groups vpn12725 policy-options policy-statement vpn12725-export-ce term 2 then reject
set groups vpn12725 policy-options community vpn12725 members target:65000:12725
set groups vpn12725 policy-options community vpn12745 members target:65000:12745
set groups vpn12725 routing-instances vpn12725 description vpn=12725
set groups vpn12725 routing-instances vpn12725 instance-type vrf
set groups vpn12725 routing-instances vpn12725 interface em1.116
set groups vpn12725 routing-instances vpn12725 route-distinguisher 65000:12725
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 vrf-table-label
set groups vpn12725 routing-instances vpn12725 routing-options auto-export
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 type external
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 authentication-key cisco123
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 export vpn12725-export-ce
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 peer-as 65120
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 neighbor 18.18.18.2 passive
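
To check the route leaking and filtering of steps 1 and 2 without reading every set line, here is an added Python script (not from the original post) that parses a constructed excerpt of the karair3 'display set' output above and returns, per VRF, the route targets attached on vrf-export and matched on vrf-import, the resulting (source, destination) leak matrix, and any CE-facing BGP import policy that accepts routes without a prefix filter.

```python
# Audit a Junos 'display set' L3VPN config: the route-target leak matrix between
# VRFs, and CE-facing BGP import policies that accept routes with no prefix filter.
# Added example for this post; the excerpt below is constructed from the karair3
# output above (vpn12745 and vpn12725 groups), not the full device configuration.
import re
from collections import defaultdict

KARAIR3_SET = """
set groups vpn12745 policy-options policy-statement vpn12745-export-vrf term 1 then community add vpn12745
set groups vpn12745 policy-options policy-statement vpn12745-import-vrf term 1 from community vpn12725
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 from route-filter 0.0.0.0/0 exact
set groups vpn12745 policy-options policy-statement vpn12745-import-ce term 1 then accept
set groups vpn12745 policy-options community vpn12745 members target:65000:12745
set groups vpn12745 policy-options community vpn12725 members target:65000:12725
set groups vpn12745 routing-instances vpn12745 vrf-import vpn12745-import-vrf
set groups vpn12745 routing-instances vpn12745 vrf-export vpn12745-export-vrf
set groups vpn12745 routing-instances vpn12745 protocols bgp group vpn12745 import vpn12745-import-ce
set groups vpn12725 policy-options policy-statement vpn12725-export-vrf term 1 then community add vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12725
set groups vpn12725 policy-options policy-statement vpn12725-import-vrf term 1 from community vpn12745
set groups vpn12725 policy-options policy-statement vpn12725-import-ce term 1 then accept
set groups vpn12725 routing-instances vpn12725 vrf-import vpn12725-import-vrf
set groups vpn12725 routing-instances vpn12725 vrf-export vpn12725-export-vrf
set groups vpn12725 routing-instances vpn12725 protocols bgp group vpn12725 import vpn12725-import-ce
"""

RE_COMM = re.compile(r"policy-options community (\S+) members (\S+)$")
RE_PS = re.compile(r"policy-statement (\S+) term (\S+) (from|then) (.+)$")
RE_RI = re.compile(r"routing-instances (\S+) (?:protocols bgp group \S+ )?(vrf-import|vrf-export|import) (\S+)$")

def parse(text):
    """Return (community name -> RT, policy -> term -> {from, then}, vrf -> settings)."""
    comm, vrfs = {}, defaultdict(dict)
    pol = defaultdict(lambda: defaultdict(lambda: {"from": [], "then": []}))
    for line in text.splitlines():
        if m := RE_COMM.search(line):
            comm[m[1]] = m[2]
        elif m := RE_PS.search(line):
            pol[m[1]][m[2]][m[3]].append(m[4])
        elif m := RE_RI.search(line):
            vrfs[m[1]][m[2]] = m[3]  # keys: vrf-import, vrf-export, import (CE-facing BGP)
    return comm, pol, vrfs

def route_targets(text):
    """Per VRF: (RTs added by its vrf-export policy, RTs matched by its vrf-import policy)."""
    comm, pol, vrfs = parse(text)
    def rts(policy, key, prefix):  # community names in from/then clauses -> route targets
        return {comm[a.split()[-1]] for t in pol[policy].values()
                for a in t[key] if a.startswith(prefix)}
    return {v: (rts(c.get("vrf-export", ""), "then", "community add "),
                rts(c.get("vrf-import", ""), "from", "community ")) for v, c in vrfs.items()}

def leak_matrix(text):
    """(src, dst) pairs where dst's vrf-import accepts a target that src exports."""
    rts = route_targets(text)
    return sorted((s, d) for s, (exp, _) in rts.items()
                  for d, (_, imp) in rts.items() if exp & imp)

def unfiltered_ce_imports(text):
    """VRFs whose CE-facing BGP import policy is absent or has a term that accepts
    with no 'from' condition, i.e. no prefix filter on what the customer announces."""
    _, pol, vrfs = parse(text)
    return sorted(v for v, c in vrfs.items() if "import" not in c or any(
        "accept" in t["then"] and not t["from"] for t in pol[c["import"]].values()))
```

On this excerpt it reports leaks from vpn12725 into vpn12745 and from vpn12745 into vpn12725 but no vpn12745 self pair, because vpn12745-import-vrf matches only community vpn12725, so vpn12745 routes carrying target:65000:12745 from the other PE are not accepted. It also flags vpn12725-import-ce, which accepts whatever karachigw1 announces (vpn12745-import-ce accepts only 0.0.0.0/0); confirm both are intended.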

3. The customer aggregation switches karais3 and lahoris3 are configured as follows:

karais3#
!
interface FastEthernet1/0
 description to_karair3:em1
 switchport mode trunk
 duplex full
 speed 100
!
interface FastEthernet1/1
 description to_karachigw1:f0/0
 switchport mode trunk
 duplex full
 speed 100
!
karais3#sh int trunk 
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-4094
Fa1/1     1-4094
Port      Vlans allowed and active in management domain
Fa1/0     1,116
Fa1/1     1,116
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,116
Fa1/1     1,116

lahoris3#
!
interface FastEthernet1/0
 description to_lahorir3:em0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!
interface FastEthernet1/1
 description to_lahoregw1:fa0/0
 switchport mode trunk
 no ip address
 duplex full
 speed 100
!

lahoris3#sh int trunk 
Port      Mode         Encapsulation  Status        Native vlan
Fa1/0     on           802.1q         trunking      1
Fa1/1     on           802.1q         trunking      1
Port      Vlans allowed on trunk
Fa1/0     1-1005
Fa1/1     1-1005
Port      Vlans allowed and active in management domain
Fa1/0     1,117
Fa1/1     1,117
Port      Vlans in spanning tree forwarding state and not pruned
Fa1/0     1,117
Fa1/1     1,117

4. The customer-managed routers karachigw1/lahoregw1 in the customer's Karachi and Lahore offices are configured as follows:

karachigw1#

!
interface FastEthernet0/0.116
 description to_karair3
 encapsulation dot1Q 116
 ip address 18.18.18.2 255.255.255.248
!
!
router bgp 65120
 no synchronization
 bgp log-neighbor-changes
 network 18.18.18.0 mask 255.255.255.248
 neighbor 18.18.18.1 remote-as 65000
 neighbor 18.18.18.1 password cisco123
 neighbor 18.18.18.1 soft-reconfiguration inbound
 no auto-summary
!
ip route 10.141.33.96 255.255.255.240 18.18.18.1
ip route 18.18.18.0 255.255.255.248 Null0
!
lahoregw1#
!
interface FastEthernet0/0.117
 description to_lahoris3
 encapsulation dot1Q 117
 ip address 19.19.19.2 255.255.255.248
!

router bgp 65120
 no synchronization
 bgp router-id 19.19.19.2
 bgp log-neighbor-changes
 network 19.19.19.0 mask 255.255.255.248
 neighbor 19.19.19.1 remote-as 65000
 neighbor 19.19.19.1 password cisco123
 neighbor 19.19.19.1 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
ip route 10.141.212.144 255.255.255.240 19.19.19.1
ip route 19.19.19.0 255.255.255.248 Null0
!

Now let's try to ping from the customer-managed routers karachigw1 and lahoregw1 to the cloud firewall interfaces karacf3/lahorcf3 in dc-karachi and dc-lahore respectively.

lahoregw1#ping 10.236.7.179
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.179, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/10/12 ms
lahoregw1#
karachigw1#ping 10.236.7.171
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.236.7.171, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/16 ms
karachigw1#

We now have IP reachability from the customer's offices in Lahore and Karachi to their dc-lahore and dc-karachi firewalls.
