Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
944
Views
0
Helpful
7
Replies

Differentiate traffic to internet and LAN between two sites with two L3 links

Go to solution
NOC1
Level 1
Level 1

‎11-09-2017 04:29 PM - edited ‎03-05-2019 09:27 AM

Hi Folks. My scenario is described in the attached diagram. We have 2 sites (A and B) linked by two ISP MPLS links. I've configured core switch in Site B with the following routes: ip route 0.0.0.0/0 10.10.88.2 name ISP1 ip route 10.0.0.0/8 10.10.88.3 name ISP2 I want to configure the core switchs in Site A so the traffic back from internet to Site B flows thru ISP 1, and LAN traffic thru ISP 2. I've tested some PBR configurations with no success. We use static routes only. In Site A we have Nexus 5600, and in Site B a Catalyst 3850 Could you give me a hand to solve this? Thanks!
Labels:
Preview file
20 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to NOC1

‎11-10-2017 04:54 AM

Hi 

 

All you traffic is already passing through a svi or physical L3 interface where your default route is, i mean svi facing your isp1. You can apply it to that svi to reroute the traffic on isp2 lan interface


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎11-09-2017 06:47 PM

Hi

With pbr it should work. Can you share the configuration you've done?
You'll have default route on site A pointing to isp 1 and then make a pbr for all remote sites 10.0.0.0/8 as source to go to site B subnets through isp 2

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
NOC1
Level 1
Level 1
In response to Francesco Molino

‎11-10-2017 05:05 AM

Hi Francesco, thanks for your reply.

 

This is the configuration done:

Core Site A:
ip route 10.10.88.0/21 10.10.0.3 name ISP2 (Send all traffic to SiteB thru ISP2)

ip access-list LAN_to_SiteB (Match with traffic from LAN to SiteB)
10 permit ip 10.0.0.0/8 10.10.88.0/21

ip access-list INET_to_SiteB (Match with traffic from INTERNET to SiteB)
10 permit ip any 10.141.88.0/21

route-map SiteB_DUAL_MPLS permit 20 (Set next hop to ISP1 to traffic matching INET_to_SiteB)
match ip address INET_to_SiteB
set ip next-hop 10.10.0.2

route-map CBA_DUAL_MPLS permit 30
match ip address LAN_to_SiteB

interface Vlan1000 (SVI with Internet ingress traffic)
ip policy route-map SiteB_DUAL_MPLS
interface Vlan20 (SVI with Internet ingress traffic)
ip policy route-map SiteB_DUAL_MPLS


Core Site B:
ip route 0.0.0.0/0 10.10.88.2 name ISP1
ip route 10.0.0.0/8 10.10.88.3 name ISP2

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to NOC1

‎11-11-2017 04:04 PM

Hi

I don't understand your config on site A. You said that everything should go through isp 1 except what's coming from LAN going to site B that must go through isp2.
If that's always the case, you need to add a default route:
Ip route 0.0.0.0 0.0.0.0 ispa-ip

Then you can keep that acl:
ip access-list LAN_to_SiteB (Match with traffic from LAN to SiteB)
10 permit ip 10.0.0.0/8 10.10.88.0/21

Create a route-map to set pbr for that previous all traffic:
route-map SiteB
permit 10
match ip address LAN_to_SiteB
set ip next-hop 10.10.0.2 (Isp2 ip)

Then go the the svi that interconnect your lan, let's assume it's vlan 10:
interface vlan 10
ip policy route-map SiteB

Hope that's clear

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP

‎11-10-2017 01:15 AM

Hello,

 

in addition to Francesco's post, PBR has some peculiar limitations on the Nexus 5600 (as outlined in the link below).

 

Either way, the below is what I have come up with:

 

feature pbr

 

ip access-list LAN_TO__LAN
permit ip 10.0.0.0 0.255.255.255 10.10.88.0 0.0.7.255

 

ip policy route-map LAN_THRU_ISP2
match ip address LAN_TO__LAN
set ip next-hop 10.0.0.3

 

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/unicast/7x/unicast_n5600_config/l3_pbr.html#58316

0 Helpful

Go to solution
NOC1
Level 1
Level 1
In response to Georg Pauwen

‎11-10-2017 04:39 AM - edited ‎11-10-2017 04:39 AM

I forgot to mention that in Site A we have several SVIs with 10.10.0.0/16 subnetted, and if I'm not wrong, the route-map should be linked to the ingress L3 interface, right?

 

So, I should issue this commands on every Interface VLAN in "Core Site A":

interface Vlan1000

  ip policy route-map LAN_THRU_ISP2

interface Vlan20

  ip policy route-map LAN_THRU_ISP2

 

Is there any other way to do this?, Because I already have SVI with other PBR assigned.

0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to NOC1

‎11-10-2017 04:54 AM

Hi 

 

All you traffic is already passing through a svi or physical L3 interface where your default route is, i mean svi facing your isp1. You can apply it to that svi to reroute the traffic on isp2 lan interface


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
Georg Pauwen
VIP
VIP
In response to NOC1

‎11-10-2017 04:54 AM

Hello,

 

before doing anything else, does it work for the SVIs you have applied it to ?

 

interface Vlan1000

  ip policy route-map LAN_THRU_ISP2

interface Vlan20

  ip policy route-map LAN_THRU_ISP2

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card