HA bi-directional traffic divert


I'd really appreciate some help with a challenge I've been bashing my head against a wall with for a while. There are lots of solutions and none quite work, so I figure I must be approaching it the wrong way!

What we have:

- a multi-site ring of CERs running MPLS.

- within each site a stack of FCXs running the layer 3 release but not with the BGP/GRE supporting software

e/iBGP is done on the CERs and the FCXs talk OSPF to the CERs. All subnets directly hooked to the FCXs with VEs as gateways.

Now, we also have a stack of layer-2 bridge security kit (IPS etc.) which some traffic needs to pass through, both ways. This is on one site only.

Where the site is remote, we also need to ensure that the link to the site with the stack in it is not a single point of failure, so it falls back to local routing if the remote gateway is unavailable.

We need the ability to take a prefix and route traffic coming in on any CER or going out from any FCX (incl. the directly connected one) through the security stack first. We've tried PBR, static routes and various flavours of VSRP, VRRP and VLANs, but it is either unmanageable or somehow imperfect.

Before we take the step of sticking a BGP announcer behind the stack and physically connecting all relevant prefixes behind it, I wanted to run it by you guys and see if anyone had some clever ideas.

Thanks in advance!


