Routing question

bsisco · ‎07-30-2008

See attached picture...

I'd like to leverage a peer router to direct some VPN traffic. Can anyone tell me if this approach is possible or if there is a better way?

China Office:

int 0/0 IP: 4.4.4.1/32

int 0/1 IP: 5.5.5.1/32 (second ISP)

US Office:

Public IP: 1.1.1.1/32

Peer Router:

Int 0/0 (US SIDE) IP: 2.2.2.1/32

Int 0/1 (CHINA ISP SIDE) IP: 3.3.3.1/32

Wish to add a route at the edge router of the US office (and any potential alternate site router) that sends all traffic destined for the China office via the peer router (which is NOT on a directly connected network).

The statement would be something like:

ip route 4.4.4.0 255.255.255.0 2.2.2.1 permanent

Thus any router with the above statement would send traffic over the general internet to the peer router and then on to the china office over the ISP backbone. All other traffic would follow the commodity internet to the china office.

Thanks so much!

m-haddad · ‎07-30-2008

Hello,

I don't if I did understand clearly the requirements. I understood that you want to establish a VPN tunnel to China via ISP2 from US side and ISP2 from China side.

If this is the scenario you need the following:

- Set static route on China router for the US LAN segements and US ISP2 public IP address to point to china ISP2 next hop

- Set static route on US router for China LAN segements and China ISP2 public IP address to point to china ISP2 next hop

- Create crypto maps on both routers (China and US) and apply it on the ISP2 interfaces

Hope this helps,

Appreciate your rating,

Regards,

bsisco · ‎07-30-2008

I don't wish to confuse the issue so for the China - > US traffic no changes are necessary routing is controlled by ISP.

For the US -> China you say to add a route statement for the ISP2 next hop. I believe we are attempting that with the statement:

ip route 4.4.4.0 255.255.255.0 2.2.2.1 permanent

however, the peer router is not the next hop - we traverse the public internet via aroute our ISP controls before reaching that router.

VPN config is no concern.

I just want to ensure that all traffic from my office destined for the IP space of ISP2 is directed to the peer router so that ISP2 can guarantee the traffic will go through their backbone instead of the typical internet route it normally takes.

m-haddad · ‎07-31-2008

You can't control traffic beyond the next hop. If the ISP2 peer router is not your next hop than the routing decision is control by ISP1 or ISP2. Usually ISP2 will advertise there subnets or address space via BGP which will affect the routing decision for incomming traffic to their AS.

Therefore, ISP2 can control incomming traffic for their subnets via BGP. Also, if ISP1 has a connection tot ISP2 backbone they can control outbound traffic from your subnet to ISP2 subnet. Therefore, ISP1 can route traffic to ISP2 if traffic is going to the China Subnet.

Let me know if you need further clarifcations,

bsisco · ‎07-31-2008

Thanks m-haddad.

That's what I've come to realize (again). I just haven't had to do this in so long. So my options are to create a tunnel (GRE or other) from each US source to the PEER and ISP2 owns everything between that point and the destination.

Obviously that doesn't scale well, and if ISP2 still wants us to sign a contract they will work with us. I have suggested that ISP2 advertise a route more specific than a /18!

m-haddad · ‎07-31-2008

Hello,

It is not up to them only to advertise /18 or more specific routes. Some peers my have restrictions. Also, it makes thier routing table more stable when they advertise summaries.

Creating a GRE tunnel could be a solution but I don't know how effective it is going to be because the peer router maybe far enough from US and close enough from China so you don't accomplish much.

Usually ISPs avoide running routing protocols or creating GRE tunnels with them. This makes their network harder to administer and messy.

I wish I could help more,

Regards,