11-12-2009 05:07 AM - edited 03-04-2019 06:41 AM
Hello,
Looking at the diagram attached, it's a pure IPSEC over GRE Tunnel.
All branches terminate at HQ and are working OK. All branches access the Oracle, Email, JD-Apps and Intranet servers from HQ over the tunnel on the 8MB link only.
Now I am struggling to configure PBR between HQ and Branch#8.
At Branch#8 there is a dedicated Internet link with 2MB for Oracle traffic from HQ. This link is terminated as an IPSEC over GRE Tunnel to HQ.
From Branch#8, traffic other than Oracle should be sent via the tunnel configured for the 1MB link.
At HQ there is a dedicated Internet link with 3MB to send return traffic for Oracle to Branch#8.
All other branches should access the Oracle server from HQ on the tunnel configured for 8MB.
I got some help earlier on this forum but it didn't work.
11-14-2009 02:34 PM
Amin
1) When you apply PBR on vlan 12 if you code the access list correctly so that it identifies only Oracle traffic going to branch8 then applying PBR will not impact other branches access to Oracle at HQ.
2) You do need something at branch8 to send its Oracle traffic over link 2. PBR is an alternative for doing this. But I believe, based on your drawing, that a more simple answer would be to configure a host specific static route for the address of the Oracle server and pointing it to link2.
3) A third Internet link is certainly an option and should work for branches other than branch8. But I would think it would be more cost effective to increase the bandwidth of the second Internet link and use it for redundancy to the branches.
HTH
Rick
11-12-2009 07:22 AM
Any help?
11-12-2009 07:24 AM
Could you perhaps post the config that you currently have?
It should be doable as long as you can identify the Oracle traffic, and you would need PBR at both ends.
What help did you get and why did it not work?
Jon
11-12-2009 08:38 AM
11-12-2009 10:40 AM
Amin
I do not believe that what you are trying to do will work. While it is possible to have 2 GRE tunnels from one host to another host, I do not believe that you can establish 2 IPSec associations from one host to another host. If there were a second router at HQ to terminate one of the tunnels I think it could work. But I believe that terminating both tunnels from Branch8 on the same HQ router is problematic.
HTH
Rick
11-12-2009 10:50 AM
Thanks Rick
Do I need 2 routers at Branch#8?
Assuming I get 2 routers at HQ and terminate one ISP on each router, how would PBR work?
11-12-2009 11:47 AM
Another alternative to PBR on the head-end would be to use a NAT to the GRE interface from the branch. Translating the traffic to Oracle and then the return path would forward out the GRE tunnel because that is its IP address.
11-12-2009 12:19 PM
Tim,
Can you help with the config?
11-12-2009 12:44 PM
Amin
You would need 2 routers on one end or the other, but not on both. To me it is more logical to want 2 routers at the HQ than to have 2 routers at the Branch.
HTH
Rick
11-12-2009 01:02 PM
Use PBR
11-12-2009 01:12 PM
Rick,
Should I go ahead with PBR or, as Tim suggested, NAT?
If HQ has 2 routers, what config is needed to get Oracle traffic on one link and other traffic on the other link from Branch#8?
11-12-2009 08:11 PM
Amin
My preference would be to use PBR.
Without knowing some things about your environment it is difficult to say what config is needed. Would both HQ routers be directly connected to each other, or would they pass through some other router to send traffic to each other? Is the Oracle server directly connected to the original HQ router, or does traffic from the server go through some other router to get to the HQ PBR router?
HTH
Rick
11-13-2009 05:03 AM
11-13-2009 07:22 AM
Amin
The diagram is helpful. Based on the diagram I believe that the configuration for Policy Based Routing should be done on the Core Switch, since it is the common point between the Oracle server and both of the HQ routers.
You would configure PBR on the interface that receives the traffic to be policy routed. So you would configure on interface vlan 12 using the command ip policy and pointing to a route map. In the route map you would configure a match to an access list which would identify the Oracle traffic. Probably the easiest way to identify the traffic is based on the address of the Oracle server as the source and the address of the branch as the destination. After the match, the route map would do set next-hop to direct that traffic to the router with the 3 MB link. The config might look something like this:
interface vlan 12
 ! PBR is applied on the interface that receives the traffic to be policy routed
 ip policy route-map oracle_traffic
!
route-map oracle_traffic permit 10
 match ip address oracle_addr
 ! next hop is the HQ router that holds the 3 MB link (address not given in the thread)
 set ip next-hop <VPN_Router2 address>
!
ip access-list extended oracle_addr
 ! source = Oracle server, destination = Branch#8 network (network and wildcard not given in the thread)
 permit ip host 10.10.10.100 <Branch#8 network> <wildcard>
HTH
Rick
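To see how the route map above singles out only the Oracle-to-Branch#8 flows (the point that a correctly scoped access list leaves the other branches' Oracle access untouched), here is an added Python model of the IOS extended-ACL match and the route-map next-hop decision; it is not code from the thread, and the branch LAN and the two vlan 12 next-hop addresses are assumed values.

```python
import ipaddress

# Constructed sample values: 10.10.10.100 is the Oracle server address used in the
# thread; the branch LAN and the two vlan 12 next hops are assumptions for the demo.
ORACLE_SERVER = "10.10.10.100"
BRANCH8_LAN = "192.168.8.0 0.0.0.255"   # assumed Branch#8 LAN as IOS network + wildcard
VPN_ROUTER2 = "10.10.12.2"              # assumed address of the HQ router with the 3 MB link
NORMAL_NEXT_HOP = "10.10.12.1"          # assumed result of the normal routing table on vlan 12

# The access list as it would appear under "ip access-list extended oracle_addr".
ACL_TEXT = f"""
permit ip host {ORACLE_SERVER} {BRANCH8_LAN}
"""

def _parse_addr(tok, i):
    """Consume one IOS address spec: 'host A', 'any', or 'A wildcard'."""
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    # ipaddress accepts a host mask (the IOS wildcard) in place of a prefix length.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return [(action, src_net, dst_net)] for 'permit|deny ip <src> <dst>' lines."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "ip":
            continue
        src, i = _parse_addr(tok, 2)
        dst, _ = _parse_addr(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def acl_permits(acl, src, dst):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in acl:
        if s in sn and d in dn:
            return action == "permit"
    return False

def pbr_next_hop(src, dst, acl=parse_acl(ACL_TEXT)):
    """route-map oracle_traffic permit 10: a match on oracle_addr sets the next hop to
    VPN_ROUTER2; any other packet falls through to the normal routing table."""
    return VPN_ROUTER2 if acl_permits(acl, src, dst) else NORMAL_NEXT_HOP
```

Only the Oracle server's packets addressed to the Branch#8 LAN are steered to the 3 MB router; Oracle replies to other branches and non-Oracle traffic to Branch#8 keep their normal next hop.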
11-13-2009 08:25 AM
Rick, thanks.
I still have some questions in mind:
1> On applying PBR on vlan 12, will this impact other branches from accessing Oracle at HQ?
2> Do I need any config modification at Branch#8 to send return traffic on Link#2? Do I need to keep the existing PBR at Branch#8?
3> At HQ, VPN_Router2 will only be serving Branch#8. To utilize the router more efficiently I am considering plugging in a 3rd Internet connection and adding tunnels to branches as failover to the primary tunnel.
Is a 3rd Internet link the option, or increase the 2nd Internet link bandwidth and configure rate-limit to control bandwidth on the tunnels? Does this look OK?
Please input your advice.