
Different gateway for Branch office

We have a 2621 router with one branch office connectivity (s0/0) and the other ISP connectivity (s0/1). The default route for this setup is through s0/1. For packets landing on s0/0 from the branch office we need to have a different default gateway and not s0/1. We need packets from the branch office to hit a proxy server in the LAN of the HO and not go out through 's0/1' (default route of the router). Basically, we need the branch office guys to be authenticated at the proxy and not go out through the router. The router has two Ethernet interfaces, one having a LAN IP in the same subnet as the proxy and the other Ethernet having a WAN IP to which the WAN card of the proxy is attached. How can this be accomplished?

Thanks and regards


thisisshanky
Level 11

I assume the branch office will have two types of traffic:

1. Traffic which is local, accessing servers, email etc. residing on the main site, for which, I assume, there is no need for any authentication via proxy.

2. Traffic destined to the Internet.

You can achieve your requirements using a route-map and policy routing.

Define an access list that matches the following criteria:

access-list 101 deny ip host x.x.x.x host y.y.y.y

access-list 101 permit ip host x.x.x.x any

route-map Route-to-Proxy permit 10

match ip address 101

match interface s0/0

set ip next-hop

route-map Route-to-Proxy permit 20

int s0/0

ip policy route-map Route-to-Proxy

x.x.x.x is the network address of the branch office

y.y.y.y is the network address of the main office

The first line in access list 101 denies traffic which is local. This is to route that traffic normally.

The second line in access list 101 permits all the traffic which goes from the branch office and then goes to the Internet. This traffic is permitted so that it is policy routed.

Route-map Route-to-Proxy routes all traffic coming in on interface s0/0 matched by access-list 101 (traffic going to the Internet) towards the proxy server.

You can use a variety of commands such as

set ip next-hop, where you will specify the next hop as the proxy server's Ethernet address.

or

set interface, where you can specify which interface of the router the packet should be routed to.

Either way you can achieve this.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Hi,

Thanks

You assume correctly...

1) What would the routes be in the far-end branch office router and s0/0 at this end?

I'm not sure about

set interface, where you can specify which interface of the router the packet should be routed to.

because this Ethernet interface is on the same router and the router has a default gateway pointing at s0/1?

Can you please explain "route-map Route-to-Proxy permit 20"? Permit 20?

Thanks for the effort

Regards

route-map Route-to-Proxy permit 20 is an empty route map instance, which will match all the traffic that is not matched by route map instance 10. An empty route map instance allows policy routing to route normally, using the routing table the router has. So all traffic which is local is matched by the second instance, and will be routed appropriately to the main site LAN. That's the reason why the empty instance has been created.

The set interface command can also be used here, because, irrespective of whether there is a default route or not, policy routing overrides normal routing once a match condition is satisfied.

At the far-end branch office, you can just put a default route pointing to that router's serial interface. Also, configure a static route pointing to the LAN of the branch office, on this 2600 router via s0/0.

HTH

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
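
Added example, not code from any poster in this thread: a small Python model of how the Route-to-Proxy policy described in the two replies above is evaluated (ACL first match, sequence 10 sets the next hop, empty sequence 20 falls back to the routing table). The addresses, the proxy IP, the `forward` helper and the unpoliced `s0/2` interface are constructed assumptions; the thread only gives x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed addressing (assumptions; the thread only gives x.x.x.x / y.y.y.y).
BRANCH = ipaddress.ip_network("10.2.0.0/24")   # x.x.x.x: branch office LAN
HO_LAN = ipaddress.ip_network("10.1.0.0/24")   # y.y.y.y: main office LAN
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY = "10.1.0.10"                            # proxy's LAN address at the HO

# access-list 101: first matching line wins; no match means implicit deny.
ACL_101 = [
    ("deny", BRANCH, HO_LAN),    # branch -> main office: not policy routed
    ("permit", BRANCH, ANY),     # branch -> anything else: policy routed
]

# Route-map sequences in order: (seq, acl or None, next_hop or None).
ROUTE_TO_PROXY = [
    (10, ACL_101, PROXY),   # match ip address 101 / set ip next-hop <proxy>
    (20, None, None),       # empty instance: matches everything, sets nothing
]

# Inbound interfaces that carry "ip policy route-map Route-to-Proxy".
POLICY_ON = {"s0/0": ROUTE_TO_PROXY}


def acl_permits(acl, src, dst):
    """Evaluate an extended ACL top-down; the first matching line decides."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every ACL


def forward(in_if, src, dst):
    """Return (decision, detail) for a packet arriving on interface in_if."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, acl, next_hop in POLICY_ON.get(in_if, []):
        if acl is None or acl_permits(acl, src, dst):
            if next_hop:
                return ("policy", f"seq {seq} -> next-hop {next_hop}")
            return ("normal", f"seq {seq} matched, routing table used")
    return ("normal", "no policy match, routing table used")


if __name__ == "__main__":
    for pkt in [("s0/0", "10.2.0.25", "198.51.100.7"),   # branch -> Internet
                ("s0/0", "10.2.0.25", "10.1.0.5"),       # branch -> HO server
                ("s0/2", "10.3.0.9", "198.51.100.7")]:   # interface without policy
        print(pkt, "=>", forward(*pkt))
```

On the router itself, `show route-map` and `show ip policy` show the match counters and which interfaces the policy is applied to, which is the check that branch Internet traffic really goes via the proxy.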

"Also, configure a static route pointing to the lan of the branch office, on this 2600 router via s0/0. "

Would that be necessary for the directly connected network?

Would the config change if I had another branch office connectivity on, say, s0/2 (coming up soon), which doesn't need to be routed through the proxy at all?

Thanks and regards
