I have 1 site on my WAN that is in the process of being de-merged from our company and converting to an independent company. I am looking for a way to only allow this branch Internet access through our data center ASA. Our WAN is MPLS using BGP. I was thinking a route-map was the best option, matching the traffic from the branch and setting its next hop as the ASA. I cannot turn BGP off because of the AT&T design of our WAN.
We have a 7201 that connects to AT&T at the datacenter, which connects to a 6513, and the ASA sits off that. All devices, except the ASA, run BGP.
So at the branch router I tried a route map setting next hop as the 7201. At the 7201 I tried setting next hop as 6513, and at 6513 to ASA for this subnet.
Does not work. Can this even work with BGP still running and the router having full route tables? Any thoughts are appreciated.
You can have a GRE tunnel without using multicast or IPsec. Basically you are just creating a tunnel between 2 routers, e.g.
Router1 -> router2 -> router3 -> router4
The tunnel is configured between router1 and router4. As long as router1 has IP connectivity to router4 and vice-versa it should work. You can then set the next-hop on router1 to be router4 and you would not need PBR on router2 and router3.
Attached is a link to configuring GRE - it is on cable routers but the principle is the same.
Edit - apologies, here is the link
PBR provides a mechanism to override the normal routing logic. But it depends on every device in the path being configured with PBR. Even with the recursive feature activated, the branch router is attempting to forward to the next hop that you specify, but if the physical next hop device does not have your PBR configured then it will not override the normal routing logic and will follow the normal (BGP) routing logic and defeat the PBR attempt on the branch.
If the traffic from the branch would normally arrive on the 7201 then you should concentrate on the logic of the 7201 and PBR on the branch is not necessary. If that is not the case then I believe that you should really look at GRE.
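The GRE-plus-PBR approach described in the two replies above, written out as an added Cisco IOS configuration example. This is not configuration from the original thread or from any poster; interface names, the 10.20.0.0/16 branch LAN, the 10.255.0.0/30 tunnel subnet, the 7201 and branch WAN addresses (198.51.100.1 and 203.0.113.1), and the 6513 next hop (10.1.1.1) are all assumed placeholders. The idea is that PBR only has to exist on the branch router: it steers Internet-bound traffic into a tunnel whose far end is the 7201, and the MPLS routers in between just forward GRE packets by their normal BGP routing. Internal (RFC 1918) destinations are deliberately excluded from the policy so the branch keeps working during the de-merge.

```cisco
! ===== Branch router (tunnel head-end; assumed names and addresses) =====
interface Tunnel0
 description GRE to datacenter 7201 across the AT&T MPLS WAN
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.1      ! 7201 WAN-facing address (assumed)
 tunnel mode gre ip
 ip mtu 1400                          ! leave room for the GRE/IP overhead
 ip tcp adjust-mss 1360
!
! Only Internet-bound traffic from the branch LAN is policy-routed; traffic to
! internal address space keeps following BGP so nothing else breaks.
ip access-list extended BRANCH-TO-INTERNET
 deny   ip 10.20.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 10.20.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   ip 10.20.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 any
!
route-map INTERNET-VIA-DC permit 10
 match ip address BRANCH-TO-INTERNET
 set ip next-hop 10.255.0.2           ! far end of the tunnel (the 7201)
!
! Apply the policy on the LAN-facing interface, where branch traffic enters.
interface GigabitEthernet0/1
 description branch LAN
 ip policy route-map INTERNET-VIA-DC

! ===== Datacenter 7201 (tunnel tail-end; assumed names and addresses) =====
interface Tunnel0
 description GRE from de-merging branch
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.1       ! branch router WAN address (assumed)
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip access-group FROM-BRANCH-TUNNEL in
 ip policy route-map TUNNEL-TO-ASA
!
! Defensive filter on the decapsulated traffic: the branch is becoming an
! outside company, so let it reach the Internet only, never internal ranges.
ip access-list extended FROM-BRANCH-TUNNEL
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 any
!
! Hand decapsulated traffic to the 6513, which routes to the ASA as usual.
! (If the 7201's normal default route already points at the 6513, this
! route-map is unnecessary and plain routing does the job.)
route-map TUNNEL-TO-ASA permit 10
 set ip next-hop 10.1.1.1             ! 6513 address toward the ASA (assumed)
```

A few checks once this is in place: `show interfaces Tunnel0` on both ends should show the tunnel up/up, `show ip policy` and `show route-map INTERNET-VIA-DC` on the branch router should show the policy applied and its match counters incrementing, and `debug ip policy` (briefly, on a lab or low-traffic box) will show each policy-routed packet. Two caveats worth knowing: the tunnel destination must be reachable over the MPLS underlay and must never be learned through the tunnel itself, or the tunnel will flap; and return traffic from the ASA to the branch will follow BGP back across the MPLS cloud rather than the tunnel, which is fine as long as the ASA is the NAT and inspection point for both directions. GRE carries the branch traffic in cleartext across the carrier, so if that matters for the de-merged company's data, the same tunnel can be wrapped in IPsec without changing the PBR logic.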