Route remote office Internet traffic over WAN to central site?

david
Level 1

Hi All, having some trouble getting this working. We have an MPLS (WAN) between our offices, but we typically route to the Internet locally from each location through a Cable or DSL circuit. The local default route goes to the local ASA, which is connected to the Internet. However, I now have the need to route all traffic including Internet from one of those offices to our central office. We use OSPF for routing between offices and I've played with the remote office default route statement, but so far no luck. I'm only having trouble getting Internet traffic to route over the WAN. Anyone done something like this? If so, how did you get the remote office Internet traffic to traverse the WAN and egress via another office Internet connection?

Thanks!


8 Replies

John Blakley
VIP Alumni

Currently, you have all of your local Internet traffic going toward the ASA. Is the default route being advertised by OSPF to the remote location or did you try to statically add it? Since you're now traversing the WAN toward your ASA, did you take into account these subnets on the ASA for NATting? Is the ASA dropping the traffic or does it simply not get there?

HTH,
John

*** Please rate all useful posts ***


Hi John, yeah, thought about the ASA issues you mentioned, but I don't think traffic is ever getting to the central site ASA yet. When I traceroute from a local machine, it stops at our MPLS provider's first hop router with a "Destination Net Unreachable". I statically set the default route on our router to point to the central site ASA. So, assuming the internal interface of our central site ASA is 10.10.0.3, I set "IP Route 0.0.0.0 0.0.0.0 10.10.0.3" on the remote office router. If I traceroute to 10.10.0.3, I get responses all the way to the ASA so the plumbing to him seems fine. Appears that I need to let the MPLS router know where to forward Internet traffic such as 8.8.8.8. I'm just not sure how to go about this without affecting any other sites via OSPF. I only want this single remote office to default route all traffic to the central site.

Yes, the problem I believe is that you are setting your default route to the provider, but the provider doesn't have a default route pointing to you. The way to get around this would be to advertise the default from your site toward the provider and then the remote site would have a gateway of last resort toward the PE.

You're correct though in that you'd see the change at all of your sites. Depending on how many sites you have, you could advertise it from your central site, and then create a distribute list to deny the default route at all of the other locations.

ip prefix-list Default permit 0.0.0.0/0
!
route-map Default deny 10
 match ip address prefix-list Default
route-map Default permit 20
!
router ospf 1
 distribute-list route-map Default in

This would block the default route but let all other advertised routes in...

HTH,
John

*** Please rate all useful posts ***


Thanks John. If I had all Cisco gear, that would likely be the way to go, but I have some sites that use all Avaya ERS and they were a real bear to get basic OSPF working, so the thought of having to mess with them in this scenario makes me cringe.

I'm checking with our managed MPLS provider to see if they may have some magic they can perform on their end to resolve. I'll follow up shortly.

It is a bit of an ugly solution but you could create a GRE tunnel between this site and the head office and send a default route down the tunnel. By doing this you are not sending a default route into the cloud so you would not need to worry about the other sites.

Actually, that's pretty slick. I labbed it up. The only caveat is that you'd probably want to come up with a different OSPF process and run it only on the tunnel interfaces.

I have 4 routers: R1 - R4. I created an OSPF process in area 0 for all physical interfaces and then created a GRE tunnel between R4 and R2. On R4, I created a separate OSPF process and advertised just the two addresses between the tunnel interfaces, and then under that process sent default-information originate. R1 - 3 don't get the default route, but R2 did. I created another interface on R4 without advertising it, and tried to ping it from R3 - failed. Then tried to ping from R2 and it succeeded.

Rated

HTH,
John

*** Please rate all useful posts ***

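The GRE-plus-second-OSPF-process design that mfurnival suggested and John labbed, written out for both ends as an added example (this is not John's lab config or the poster's production config). The hub ASA inside address 10.10.0.3 comes from the thread; every other address, subnet and interface name is assumed.

```ios
! ===== Central office (hub) router =====
! Example added here, not John's lab config; every address and interface name is assumed
! except the hub ASA inside address 10.10.0.3, which is the one quoted in the thread.
interface Tunnel0
 description GRE to branch, carries only the default route
 ip address 10.255.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 172.16.2.1
!
! Static default toward the ASA; "default-information originate" under OSPF 2 needs a
! default route in the RIB (or the "always" keyword) before it will advertise one.
ip route 0.0.0.0 0.0.0.0 10.10.0.3
!
! Process 1 is the existing WAN OSPF shared with all sites; no default is originated here,
! so the other remote offices keep their local Internet break-out.
router ospf 1
 network 172.16.1.1 0.0.0.0 area 0
 network 10.10.0.0 0.0.255.255 area 0
!
! Process 2 runs only on the tunnel, so the default reaches this one branch and nothing else.
router ospf 2
 network 10.255.255.1 0.0.0.0 area 0
 default-information originate
!
! ===== Branch router =====
interface Tunnel0
 ip address 10.255.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 172.16.1.1
!
! 172.16.1.1 must stay reachable through process 1 (the MPLS path) and never through the
! tunnel's own default, or the tunnel flaps with a recursive-routing error. Also remove the
! old static default to the local ASA so the OSPF 2 default becomes the gateway of last resort.
router ospf 1
 network 172.16.2.1 0.0.0.0 area 0
 network 192.168.20.0 0.0.0.255 area 0
!
router ospf 2
 network 10.255.255.2 0.0.0.0 area 0
!
! ===== Hub ASA (8.3+ syntax): the branch LAN now egresses here, so NAT it, as John noted =====
object network BRANCH_LAN
 subnet 192.168.20.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

On the branch, "show ip route 0.0.0.0" should now list the default as an OSPF external learned from 10.255.255.1, and a traceroute to 8.8.8.8 should enter the tunnel instead of dying at the provider's first hop as the poster described.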

mfurnival, awesome idea! The GRE tunnel worked perfectly!! Thank you!!

Wow. I'm smarter than I thought I was :)
