
Route map question

boshardy1
Level 1

I have 1 site on my WAN that is in the process of being de-merged from our company and converting to an independent company. I am looking for a way to only allow this branch Internet access through our data center ASA. Our WAN is MPLS using BGP. I was thinking a route-map was the best option, matching the traffic from the branch and setting its next hop as the ASA. I cannot turn BGP off because of the AT&T design of our WAN.

We have a 7201 that connects to AT&T at the datacenter, which connects to a 6513, and the ASA sits off that. All devices, except ASA run BGP.

So at the branch router I tried a route map setting next hop as the 7201. At the 7201 I tried setting next hop as 6513, and at 6513 to ASA for this subnet.

Does not work. Can this even work with BGP still running and the router having full route tables? Any thoughts are appreciated.

Thanks,

Tom


5 Replies

Richard Burts
Hall of Fame

Tom

There are a couple aspects of your question that are not entirely clear and understanding them would help us to give you better answers.

- when you talk about route maps it is not clear whether you are talking about Policy Based Routing, which uses route maps, or are talking about other functions which use route maps, such as controlling route advertisements. Is this an attempt at PBR?

- would the router at the branch see the 7201 as 1 hop away (directly connected) or does it see it as several hops (MPLS) away? I think that PBR would not be effective if there were several hops in between.

I wonder if an alternative strategy might work. Would it be possible to configure a GRE tunnel from this branch to the 6513 and the PBR on the 6513 to send everything from that branch to the ASA?

If we are talking about PBR that should run just fine even if the routers are running BGP and have full route tables.

HTH

Rick

Thanks Rick,

Yes, I am trying to do PBR by basically trying to control the next hops, so the router doesn't use BGP. The branch and the 7201 are not neighbors as seen through BGP. I tried using the recursive keyword in the PBR, but it still doesn't seem to work the way I want it to. I will look more into GRE (any links or config guides would be appreciated).

Thanks again

Tom

Tom

PBR provides a mechanism to over-ride the normal routing logic. But it depends on every device in the path being configured with PBR. Even with the recursive feature activated, the branch router is attempting to forward to the next hop that you specify but if the physical next hop device does not have your PBR configured then it will not over-ride the normal routing logic and will follow the normal (BGP) routing logic and defeat the PBR attempt on the branch.

If the traffic from the branch would normally arrive on the 7201 then you should concentrate on the logic of the 7201 and PBR on the branch is not necessary. If that is not the case then I believe that you should really look at GRE.

HTH

Rick

Thanks, when you mention GRE do you specifically refer to doing an IPSec tunnel? All the documentation I found from Cisco on GRE seems to be for IPSec or multicast. Any reference docs would be helpful.

You can have a GRE tunnel without using multicast or IPSEC. Basically you are just creating a tunnel between 2 routers eg.

Router1 -> router2 -> router3 -> router4

The tunnel is configured between router1 and router4. As long as router1 has IP connectivity to router4 and vice-versa it should work. You can then set the next-hop on router1 to be router4 and you would not need PBR on router2 and router3.

Attached is a link to configuring GRE - it is on cable routers but the principle is the same.

Edit - apologies, here is the link

http://www.cisco.com/en/US/tech/tk86/tk89/technologies_configuration_example09186a008011520d.shtml

Jon
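The design Jon and Rick describe, written out as an added IOS configuration example that is not from the thread or from Cisco's documentation: a plain GRE tunnel from the branch router (Router1) to the DC 6513 (Router4) carried over the BGP-routed MPLS path, PBR on the branch steering only the branch LAN into the tunnel, and PBR on the 6513 handing everything arriving from that tunnel to the ASA. All prefixes, addresses and interface names are constructed placeholders.

```cisco
! ===== Branch router (Router1) =====
interface Loopback0
 ip address 192.0.2.1 255.255.255.255   ! advertised into BGP over the MPLS
!
interface Tunnel0
 description plain GRE to DC 6513 (no IPsec, no multicast required)
 ip address 10.255.0.1 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.4           ! 6513 loopback, reached via normal BGP
 tunnel mode gre ip
!
ip access-list extended BRANCH-TO-DC
 ! keep the tunnel endpoint out of the policy so nothing destined to it
 ! can be pushed into the tunnel it carries (avoids recursive routing)
 deny   ip any host 192.0.2.4
 ! only the branch LAN is policy-routed; router-generated GRE is untouched
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map TO-DC-ASA permit 10
 match ip address BRANCH-TO-DC
 ! next hop is the far end of the tunnel, so the MPLS transit routers
 ! (router2/router3 in Jon's picture) need no PBR at all
 set ip next-hop 10.255.0.2
!
interface GigabitEthernet0/1
 description branch LAN
 ip policy route-map TO-DC-ASA
!
! ===== DC 6513 (Router4) =====
interface Loopback0
 ip address 192.0.2.4 255.255.255.255
!
ip access-list extended FROM-BRANCH
 permit ip 10.10.0.0 0.0.255.255 any
!
route-map BRANCH-TO-ASA permit 10
 match ip address FROM-BRANCH
 set ip next-hop 10.20.0.2              ! ASA inside interface
!
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel mode gre ip
 ! everything that arrives from the branch tunnel goes to the ASA
 ip policy route-map BRANCH-TO-ASA
```

Two checks before trusting this as an isolation control: the ASA (or the 6513) must hold a return route for 10.10.0.0/16 that points back into the tunnel, and PBR silently falls back to the BGP table when the configured next hop is unreachable, so monitor the tunnel and the ASA inside interface rather than assuming the branch can never reach the rest of the WAN.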
