Internet L3 Vpn Configuration - Avaya 8600 Technical Configuration Manual

Ethernet routing switch

2.2.9 Internet L3 VPN Configuration

In this section we shall configure a Dual Hub-Spoke IPVPN which will allow Internet access to both the
Green and Red IPVPNs previously created, while preventing any connectivity between the Green and Red
IPVPNs.
To achieve this, the existing Green and Red VRFs in all 5 Sites will be used as Spoke VRFs for this new
IPVPN. The Internet IPVPN will thus overlap the Green IPVPN on the Green VRFs and overlap the Red
IPVPN on the Red VRFs.
For the Hub Sites (Site1 & Site2) an additional Internet VRF will be configured. This Internet VRF will
have IP connectivity to the firewalls and will redistribute a default route to all the Spokes.
2.2.9.1 Configuration of Internet VRFs as well as Firewall connectivity
Internet-bound traffic from Sites 3, 4 or 5 will always be MLT hashed either to Site1 or Site2, regardless of
whether Site1 (or Site2) has an active connection to its local firewall. It is therefore desirable that both
Site1 and Site2 (a) always have a valid route to a firewall and (b) always be capable of terminating and
routing Internet IPVPN traffic.
To achieve (a), each Internet VRF will have a local network connection to both firewalls. This is achieved
by extending a VLAN from each firewall to both Site1 and Site2 over the IST, as shown in Figure 18. A lower
cost default route will point to the local firewall via the VLAN connecting to the local firewall. A higher
cost default route will point to the remote firewall via the VLAN connecting to the remote firewall.
To achieve (b), RSMLT is enabled in the IGP Core OSPF VLANs, and the identical CLIP#3 address
space and Internet IPVPN RD configuration are used for the Internet VRF on both Site1 and Site2.
Therefore, this configuration ensures the following:
1. Site1 (or Site2) will still be able to route traffic to a firewall, even if its connection to the local
firewall is down. In this case the Secondary Default Static route will be active and traffic will be
switched over to the remote firewall.
2. Failure of a firewall, or of the interconnecting link, will result in the Secondary Default Static route
being immediately available, thus ensuring sub-second failover (which is normally not possible to
obtain with BGP).
The SMLT architecture will automatically ensure sub-second failover for Internet bound traffic in case of
Site1 (or Site2) node failure, as Sites 3, 4 and 5 will immediately hash traffic only to the remaining Site2
(or Site1) node.
However, some care needs to be taken for node recovery. As soon as the failed Site1 (or Site2) node
comes back online it will be receiving traffic from the locally attached firewall but it will take some time
before OSPF adjacencies form and the IBGP peerings establish. During this time, the node will not have
any IPVPN routes installed and will not be able to forward IPVPN traffic to the other Sites. A mechanism
is thus required to prevent the restarting node from IP routing any traffic it might receive from the local
firewall until all the IPVPN routes are in place.
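
The following Python model is an added example, not part of the Avaya guide or its configuration. It checks requirement (a) under every single failure, goes beyond the text by enumerating double failures, and flags the node-recovery window described above. The component names, the cost values 1 and 2, and the assumption that each firewall attaches physically only to its local hub are constructed for illustration.

```python
from itertools import combinations

# Constructed model of the hub design (names and costs are assumptions).
HUBS = {"Site1": "FW1", "Site2": "FW2"}      # hub -> locally attached firewall
LOCAL_COST, REMOTE_COST = 1, 2               # lower cost = preferred default route
COMPONENTS = ["FW1", "FW2", "link:Site1-FW1", "link:Site2-FW2", "IST"]

def default_routes(hub):
    """Both static default routes configured in the hub's Internet VRF."""
    routes = []
    for owner, fw in HUBS.items():
        local = owner == hub
        # The firewall VLAN reaches its own hub over the access link;
        # the other hub additionally depends on the IST carrying that VLAN.
        needs = {fw, f"link:{owner}-{fw}"} | (set() if local else {"IST"})
        cost = LOCAL_COST if local else REMOTE_COST
        routes.append({"fw": fw, "cost": cost, "needs": needs})
    return routes

def active_default(hub, failed):
    """Firewall chosen by the lowest-cost default route whose path is up."""
    usable = [r for r in default_routes(hub) if not (r["needs"] & set(failed))]
    return min(usable, key=lambda r: r["cost"])["fw"] if usable else None

def uncovered(n):
    """Failure sets of size n that leave some hub with no default route."""
    return [set(f) for f in combinations(COMPONENTS, n)
            if any(active_default(h, f) is None for h in HUBS)]

def blackholes_return_traffic(hub, failed, ipvpn_routes_installed):
    """Recovery hazard: the local firewall path is up, so return traffic
    arrives, but the node has no IPVPN routes to forward it with yet."""
    fw = HUBS[hub]
    local_up = not ({fw, f"link:{hub}-{fw}"} & set(failed))
    return local_up and not ipvpn_routes_installed

if __name__ == "__main__":
    print("single failures breaking (a):", uncovered(1))
    print("double failures breaking (a):", len(uncovered(2)), "of 10")
    print("Site1 restarting, no IPVPN routes:",
          blackholes_return_traffic("Site1", [], False))
```

In this model no single failure leaves a hub without a default route, while most double failures do, and a restarting hub with a live firewall link is flagged until its IPVPN routes are installed.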
Network Design Implementation to Provide L2 & L3 VPN Connectivity between Sites using SMLT and IPVPN-Lite for ERS 8600, Technical Configuration Guide, November 2010, avaya.com
