Multiple internet Gateways on a Managed WAN Service
Hi Guys,
We're finishing up a move from one MPLS Managed WAN service to another. In the process we migrated a number of sites to our own branch-office Cable/DSL VPNs and they're fine, but we have about 8 sites left, 3 of which serve as Internet Gateways for groups of the other sites (our company had a strong acquisition history and we left each major subcompany's internet access intact when they were incorporated into our managed service). From the configs I have of the existing managed routers, the technicians on their end accomplished this by using GRE tunnels from the non-internet sites to the correct Internet Gateway site, and this has worked perfectly up until now. At the last minute we have been told that they will not do this on the new package; not that they can't, they just won't.... great, especially after the sales guys of course told us they could do it. We already have new circuits and managed routers in place so it's not a time to go pulling out of the deal; we literally got told No on the day it was meant to be turned on. They have stated they will only configure one default internet gateway site for all remote sites, or use OSPF to essentially Round Robin the choice of which site is used based on routing cost. The problem with the latter is that no one site has enough Web Filter licensing to just take over; also there are a number of unique policies based on that business unit's needs on each device, so it's not a good choice for our existing infrastructure (we could reconfigure with more time and may have to). We asked if it was then possible to manually set the OSPF costs per-site to reflect our existing 3 Gateway routing structure and again were told no....
Long post, sorry, just trying to provide as much info as possible if anyone has bothered reading this far.... Soooo one other option I thought of was Policy Based Routing. I've never used it (just similar policy maps for the security and IPS side), but would it be possible to use this to selectively route internet traffic from one site specifically to another within one WAN cloud? Can it be used to define the next hop from the outside interface for traffic entering on the inside interface?
If not have any of you had similar problems and come up with a better working solution?
Thanks in advance.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
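The PBR approach asked about above, as an added example that is not from the thread or from any of the posters: it assumes each site has a Cisco IOS router the company controls behind the provider-managed CE, so the GRE tunnel to the chosen gateway site and the policy routing need nothing from the carrier. All addresses, interface names and ACL/route-map names are constructed.

```cisco
! Added example, not from the thread. Assumes a company-controlled IOS router
! behind the managed CE at a non-internet site. All addresses are constructed.
!
! GRE tunnel from this site to its Internet Gateway site across the MPLS cloud.
! Keepalives drop the tunnel line protocol when the far end stops answering,
! so the PBR clause below is skipped and traffic follows the normal routing
! table (the carrier's single default gateway) instead of being blackholed.
interface Tunnel0
 description To Gateway Site A over the WAN cloud
 ip address 172.31.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 10.1.255.2
 keepalive 10 3
!
! Only Internet-bound traffic is policy-routed; company prefixes are denied
! here so site-to-site traffic keeps the WAN cloud's normal routing.
ip access-list extended INTERNET-VIA-SITE-A
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map PBR-INTERNET permit 10
 match ip address INTERNET-VIA-SITE-A
 set interface Tunnel0
!
! PBR acts on packets entering an interface, which is the direction the
! question describes, so it is applied on the LAN-facing (inside) interface.
interface GigabitEthernet0/1
 description Site LAN
 ip address 10.20.1.1 255.255.255.0
 ip policy route-map PBR-INTERNET
!
interface GigabitEthernet0/0
 description Toward managed CE and WAN cloud
 ip address 10.20.255.2 255.255.255.252
```

The gateway site terminates the matching Tunnel0 endpoint and hands the traffic to its own web filter and Internet edge, so each branch keeps the policies of the business unit it belongs to; the reduced tunnel MTU and MSS clamp account for the GRE header so large packets are not silently dropped.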
Comments
sprkymrk, Member, Posts: 4,884

I'd pull up any emails from the sales guys that said "they could" and threaten to sue them if they don't comply.
Other than that I just wanted to bump your post for anyone that might have a better idea than mine, which is essentially to force them to do what they told you they would do.
Good luck.

All things are possible, only believe.

gojericho0, Member, Posts: 1,059

Are you familiar at all with WCCP? It also uses GRE to encapsulate, so it will work over your MPLS network and it can redirect web traffic. It also uses CEF for fast redirection and can reduce bottlenecks if they will let you use load balancing or shredding on any of these content filters at a single site. You may be able to see if they are willing to spread out the load to different sites, since setting up policy with v2 is pretty simple, instead of the OSPF option.
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t3/feature/guide/wccp.html
Ahriakin, Member, Posts: 1,799

Thanks guys.
I wasn't involved in the contract meetings, just provided technical details for routing etc., and nope, the boss doesn't have their commitment to making it work in writing. Actually he called today and told me that after badgering them some more they said using GRE tunnels this way was so complex they'd have to set up a whole lab to test it... ....besides the fact I emailed them the exact configs they need to do it, the fact that one of the world's biggest communications vendors can't handle GRE tunnels in one package that they can in another, because apparently it's classed as experimental, kinda worries me.
Looks like we'll be going with a single Internet Gateway.
I originally recommended we switch all sites to self-managed but was overruled in favour of the safety of outsourcing; this is what we reap.

We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?