Route map question

Answered Question
Sep 1st, 2008

I have 1 site on my WAN that is in the process of being de-merged from our company and converting to an independent company. I am looking for a way to only allow this branch Internet access through our data center ASA. Our WAN is MPLS using BGP. I was thinking a route-map was the best option, matching the traffic from the branch and setting its next hop as the ASA. I cannot turn BGP off because of the AT&T design of our WAN.


We have a 7201 that connects to AT&T at the datacenter, which connects to a 6513, and the ASA sits off that. All devices, except ASA run BGP.


So at the branch router I tried a route map setting next hop as the 7201. At the 7201 I tried setting next hop as 6513, and at 6513 to ASA for this subnet.


Does not work. Can this even work with BGP still running and the router having full route tables? Any thoughts are appreciated.


Thanks,


Tom


Richard Burts Mon, 09/01/2008 - 12:11

Tom


There are a couple aspects of your question that are not entirely clear and understanding them would help us to give you better answers.

- when you talk about route maps it is not clear whether you are talking about Policy Based Routing, which uses route maps, or are talking about other functions which use route maps, such as controlling route advertisements. Is this an attempt at PBR?

- would the router at the branch see the 7201 as 1 hop away (directly connected) or does it see it as several hops (MPLS) away? I think that PBR would not be effective if there were several hops in between.


I wonder if an alternative strategy might work. Would it be possible to configure a GRE tunnel from this branch to the 6513 and the PBR on the 6513 to send everything from that branch to the ASA?


If we are talking about PBR that should run just fine even if the routers are running BGP and have full route tables.


HTH


Rick

boshardy1 Mon, 09/01/2008 - 12:45

Thanks Rick,


Yes, I am trying to do PBR by basically trying to control the next hops, so the router doesn't use BGP. The branch and the 7201 are not neighbors as seen through BGP. I tried using the recursive keyword in the PBR, but it still doesn't seem to work the way I want it to. I will look more into GRE (any links or config guides would be appreciated).


Thanks again


Tom

Correct Answer
Richard Burts Mon, 09/01/2008 - 17:40

Tom


PBR provides a mechanism to over-ride the normal routing logic. But it depends on every device in the path being configured with PBR. Even with the recursive feature activated, the branch router is attempting to forward to the next hop that you specify but if the physical next hop device does not have your PBR configured then it will not over-ride the normal routing logic and will follow the normal (BGP) routing logic and defeat the PBR attempt on the branch.


If the traffic from the branch would normally arrive on the 7201 then you should concentrate on the logic of the 7201 and PBR on the branch is not necessary. If that is not the case then I believe that you should really look at GRE.


HTH


Rick

boshardy1 Mon, 09/01/2008 - 17:53

Thanks, when you mention GRE do you specifically refer to doing an IPSec tunnel? All the documentation I found from Cisco on GRE seems to be for IPSec or multicast. Any reference docs would be helpful.

Correct Answer
Jon Marshall Mon, 09/01/2008 - 18:06

You can have a GRE tunnel without using multicast or IPSEC. Basically you are just creating a tunnel between 2 routers eg.


Router1 -> router2 -> router3 -> router4


The tunnel is configured between router1 and router4. As long as router1 has IP connectivity to router4 and vice-versa it should work. You can then set the next-hop on router1 to be router4 and you would not need PBR on router2 and router3.


Attached is a link to configuring GRE - it is on cable routers but the principle is the same.


Edit - apologies, here is the link


http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a008011520d.shtml


Jon
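The following IOS configuration is an added example illustrating the design Rick and Jon describe above (it is not configuration posted by either of them, and Tom's real devices and addresses are not known). It builds a plain GRE tunnel, with no IPsec and no multicast, from the branch router to the 6513, then applies PBR at each tunnel end: on the branch LAN interface to push Internet-bound traffic into the tunnel, and on the 6513 tunnel interface to hand that traffic to the ASA. The intermediate MPLS/BGP hops (AT&T PE routers, the 7201) never see the PBR next-hop; they only forward ordinary IP packets addressed to the 6513 loopback, which is why no PBR is needed on them. All hostnames, interface names and IP addresses (10.10.0.0/16 branch LAN, 192.0.2.x loopbacks, 10.255.0.0/30 tunnel subnet, 198.51.100.2 ASA inside) are constructed for this example.

```cisco
! ===== Branch router (hypothetical "R1"), the site being de-merged =====
! Loopback0 is advertised into BGP already, so the tunnel endpoint is reachable
! over the normal MPLS path without any changes on intermediate routers.
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
!
interface Tunnel0
 description GRE to data-center 6513 (no IPsec, no multicast needed)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.4          ! 6513 Loopback0, constructed address
 tunnel mode gre ip                    ! IOS default, shown explicitly
 ip mtu 1400                           ! leave room for the 24-byte GRE/IP overhead
 ip tcp adjust-mss 1360
!
! Match only what should leave via the data-center ASA.  Any remaining
! corporate destinations (10.0.0.0/8 here) are denied from the route-map
! so they keep following the BGP table; everything else goes to the ASA.
ip access-list extended BRANCH-TO-INTERNET
 deny   ip 10.10.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map TO-DC-ASA permit 10
 match ip address BRANCH-TO-INTERNET
 set ip next-hop 10.255.0.2            ! far end of Tunnel0, i.e. the 6513
!
interface GigabitEthernet0/0
 description Branch LAN
 ip address 10.10.1.1 255.255.255.0
 ip policy route-map TO-DC-ASA         ! PBR applies to traffic entering this interface

! ===== Data-center 6513 =====
interface Loopback0
 ip address 192.0.2.4 255.255.255.255
!
ip access-list extended FROM-BRANCH
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map BRANCH-TO-ASA permit 10
 match ip address FROM-BRANCH
 set ip next-hop 198.51.100.2          ! ASA inside interface, constructed address
!
interface Tunnel0
 description GRE from de-merged branch
 ip address 10.255.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1          ! branch Loopback0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip policy route-map BRANCH-TO-ASA     ! decapsulated branch traffic -> ASA

! ===== Verification (run on either router) =====
! show interfaces tunnel 0        -> line protocol up once both loopbacks are reachable
! show ip policy                  -> confirms which interface each route-map is applied to
! show route-map TO-DC-ASA        -> "Policy routing matches" counter should increment
! debug ip policy                 -> per-packet match/set decisions (use briefly, on low volume)
```

Two things worth checking before relying on this. First, the return path: the ASA forwards replies to 10.10.0.0/16 back to the 6513, which will route them over BGP rather than through the tunnel unless you also apply a route-map on the 6513's ASA-facing interface with `set ip next-hop 10.255.0.1`; the asymmetric path works, but a symmetric one is easier to troubleshoot and keeps the branch's traffic on one inspected path. Second, because the branch is becoming a separate company, the ASA rules for 10.10.0.0/16 should permit only outbound Internet access and nothing toward internal data-center or corporate subnets, and the `deny` line in BRANCH-TO-INTERNET should be removed once no corporate destinations are legitimately needed, so that nothing from the branch bypasses the ASA via the BGP table.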
