I have two data centers, each with an HA pair of Balance 710s, soon to be replaced with Balance 2500s.
Remote sites have MAX-BR1s with cellular backup.
This is a hub-and-spoke network, with no traffic allowed from remote site to remote site.
Problem:
Even with "inter-VLAN routing" unchecked on all devices, all devices receive all routes. The only thing that checkbox appears to do is apply a firewall rule to stop the traffic.
At least, that is the way it is functioning for me. I noticed this because the hub 710s show the remote routes, but there is always one remote link that also shows routes to the other data center and back out to other remote sites. If that MAX-BR1 is rebooted, those routes shift to another link. This is even with "allow inter-VLAN routing" unchecked on all the units.
This is a very serious problem for two reasons:
- By the end of 2016 I will have between 1,000 and 2,000 remote sites. It will be a massive waste of bandwidth and processor time to update 2,000 routes on every node when each needs just 2, for the two data centers. Especially since they will update every time a remote link goes up or down! That is assuming the MAX-BR1 can even handle thousands of routes without choking.
- The remote sites are different customers/companies. It is a massive breach of security to even show the existence of other networks. The fact that they are unreachable does not solve this. I WILL fail security audits.
Suggested solution: either change the functionality of the inter-VLAN routing checkbox, or add another control that lets us say "publish other VPN routes".
Or perhaps add it as a control in the PepVPN/SpeedFusion profile: "publish this route to other VPN clients".
Does anyone else see this as a problem, or am I missing some benefit to publishing unreachable routes?
And sorry, I meant to post this in feature requests.